iamnothere 2 days ago

I don’t want some of my devices to be publicly addressable at all, even if I mess up something at the firewall while updating the rules. NAT provides this by default.

I don’t want a static address either (although static addresses should be freely available to those who want them). Having a rotating IP provides a small privacy benefit. People who have upset other people during an online gaming session will understand; revenge DDoS is not unheard of in the gaming world.

craftkiller 2 days ago | parent | next [-]

> I don’t want some of my devices to be publicly addressable at all, even if I mess up something at the firewall while updating the rules. NAT provides this by default.

Do you ever connect your laptop to any network other than your home network? For example, public wifi hotspots, hotel wifi, tech conferences, etc? If so, you need to be running a firewall _on your laptop_ anyway because your router is no longer there to save you from the other people on that network.

It's also a good idea even inside your home network, because one compromised device on your network could then lead to all your other firewall-less devices being exploited.

iamnothere 2 days ago | parent | next [-]

Not every device can run its own firewall. IoT devices, NVR systems, etc should be cordoned off from the internet but typically cannot run their own firewall.

iso1631 2 days ago | parent [-]

Sure, but they sit on an IoT VLAN where your firewall prevents access except to specifically allowed services.

iamnothere 2 days ago | parent [-]

You must have not read my original post. I said that the NAT provides an additional fallback layer of safety in case you accidentally misconfigure your firewall. (This has happened to me once before while working late and I’ve also seen it in the field.)

icedchai 2 days ago | parent | prev [-]

Most public wifi has client isolation enabled for this reason. Firewall or not, you can't communicate with other clients.

craftkiller a day ago | parent [-]

Only if they're set up properly, which is quite the gamble. I was recently in a hotel and I listed all the chromecast devices throughout the entire hotel. I could see what everyone was watching and if I was a lesser person I could have controlled their TVs or changed what they were watching.

icedchai a day ago | parent [-]

What about devices like those Chromecasts which don't even have firewalls? The only real solution would be to bring your own hardware firewall / access point and connect it as a client off the hotel wifi. Who is really going to do that?

UltraSane 2 days ago | parent | prev | next [-]

You can have IPv6 firewalls emulate the behavior of NAT so it blocks unsolicited inbound traffic while allowing outbound traffic. If you get a /48 from your ISP you could rotate to a new IP address every second for the rest of your life.

throw0101c 2 days ago | parent | next [-]

> You can have IPv6 firewalls emulate the behavior of NAT so it blocks unsolicited inbound traffic while allowing outbound traffic.

Are there any (consumer?) firewalls that do not do this? I know Asus do this (and have for years).

AIUI most 'enterprise' firewalls have a default deny shipped from the factory and you have to actively allow stuff.

iamnothere 2 days ago | parent | prev [-]

Right, but if you’re messing around as a naive learner it’s easy to accidentally disable that or completely open up an IP or range due to a bad rule. It’s a lot harder to accidentally enable port forwarding on a NAT.

degamad 2 days ago | parent [-]

> It’s a lot harder to accidentally enable port forwarding on a NAT.

It's probably less than three clicks on most home router web UIs.

MisterTea 2 days ago | parent | next [-]

But you have to specify not only the exposed port but also the destination address and port, which is not easy to do accidentally.

edit: typo

iamnothere 2 days ago | parent | prev [-]

Very hard to make all those clicks accidentally. But anyway I’m talking about pf/iptables rules, not web UIs.

ac29 2 days ago | parent | prev [-]

> I don’t want some of my devices to be publicly addressable at all, even if I mess up something at the firewall while updating the rules. NAT provides this by default.

This feels like a strawman. If you are making the sort of change that accidentally disables your IPv6 firewall completely, you could accidentally make a change that exposed IPv4 devices as well (accidentally enabling DMZ, or setting up port forwarding incorrectly for example).

iamnothere 2 days ago | parent [-]

As someone who has done this while tired, it’s a lot easier to accidentally open extra ports to a publicly routable IP (or overbroad range of IPs) than it is to accidentally enable port forwarding or DMZ.
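As an added example that is not part of the thread and not any commenter's own configuration: the nftables ruleset below shows what UltraSane's "IPv6 firewall that emulates NAT" looks like on a Linux router (a default-deny forward chain that only passes reply traffic and what the LAN initiated), and, commented out next to the one deliberate exception, the kind of one-token slip iamnothere describes that turns a single-host allow into a subnet-wide one. Interface names wan0 and lan0 and the 2001:db8::/32 documentation prefix are assumptions, not anything stated on the page.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the discussion above. Assumed: wan0 faces the ISP,
# lan0 faces the home LAN, and 2001:db8:1234:1::/64 (documentation prefix)
# is one /64 out of the ISP delegation used on lan0.

flush ruleset

table inet filter {
    chain input {
        # Traffic addressed to the router itself: default deny.
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # ICMPv6 is not optional on IPv6: neighbour discovery, router
        # advertisements and path-MTU discovery all ride on it.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert,
                      echo-request, packet-too-big, time-exceeded,
                      parameter-problem, destination-unreachable } accept
        # DHCPv6 client replies from the ISP (assumed; remove if SLAAC only).
        iif wan0 udp dport 546 accept
    }

    chain forward {
        # Traffic routed through the router: this default-deny line is the
        # NAT equivalent. Nothing unsolicited from wan0 reaches lan0.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN hosts may open connections to anywhere; replies come back
        # via the established,related rule above.
        iif lan0 oif wan0 accept
        # ICMPv6 that forwarded flows depend on (PMTUD, unreachables).
        icmpv6 type { packet-too-big, time-exceeded, parameter-problem,
                      destination-unreachable, echo-request } accept

        # The single deliberate exception, the IPv6 analogue of a port
        # forward: one host (/128 is implied), one port, new flows only.
        iif wan0 oif lan0 ip6 daddr 2001:db8:1234:1::10 tcp dport 22 ct state new accept

        # For contrast, the slip the thread is arguing about. Replacing the
        # host address with its /64 and dropping "tcp dport 22" exposes every
        # port on every host in that subnet. Kept commented out on purpose.
        # iif wan0 oif lan0 ip6 daddr 2001:db8:1234:1::/64 accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` and inspect the result with `nft list ruleset`. The cheap guard against the tired-editing failure mode is to syntax-check before loading (`nft -c -f ruleset.nft`) and then to grep the live ruleset for any `accept` line in the forward chain whose `ip6 daddr` carries a prefix length shorter than /128; a correct ruleset here has exactly one inbound accept and it names a single host and a single port.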

wredcoll 2 days ago | parent [-]

You could accidentally swap IPs to one that had a port forward, some applications can ask routers to forward, etc. etc. I don't know how exactly we'd measure the various potential issues but they seem incredibly minor compared to the sheer amount of breakage created by widespread NAT.

iamnothere 2 days ago | parent [-]

I don’t have any problems with NAT on my network.