top | item 37765946

(no title)

hatch_q | 2 years ago

Possibly never, because security. NAT at least tries to hide insecure IoT device on your grandma's wifi.

shodan.io has support for ipv6. With ipv4 you're somewhat restricted to devices that get public ip (corporate networks) or devices that drill a hole (uPnP/port forward). IPv6 devices are publicly visible by default and you need to manually setup firewall to filter this out (not trivial - especially for UDP and ICMP)

discuss

lazide|2 years ago

Every firewall I’ve dealt with since forever has default deny on inbound traffic, state full allow for outbound connections. Regardless of NAT or not, and regardless of how cheap it is.

hatch_q|2 years ago

Name one vendor? I can name you 3 that don't. Zyxel, Ubiquiti, Mikrotik. Also anything wrt based (eg. dd-wrt).

In fact one of the warnings on dd-wrt official IPv6 tutorial: """ Keep in mind it can be dangerous to enable IPv6 without also having a firewall on each client that handles IPv6 packets, or having ip6tables on your router to filter incoming connections. ip6tables is NOT included by default with DD-WRT, which means your clients will be directly exposed to the Internet once you have enabled IPv6. """