top | item 37768355


hatch_q | 2 years ago

Name one vendor? I can name you 3 that don't. Zyxel, Ubiquiti, Mikrotik. Also anything wrt based (e.g. dd-wrt).

In fact one of the warnings on dd-wrt official IPv6 tutorial: """ Keep in mind it can be dangerous to enable IPv6 without also having a firewall on each client that handles IPv6 packets, or having ip6tables on your router to filter incoming connections. ip6tables is NOT included by default with DD-WRT, which means your clients will be directly exposed to the Internet once you have enabled IPv6. """


andrewaylett | 2 years ago

Ubiquiti do -- and it's very nice to be able to punch holes in it when I do want to let HTTPS traffic in to specific addresses, rather than need to try to shoehorn everything onto a single IPv4 address.

IPv6 support is sufficiently widespread that pretty much the only place I can't access IPv6-only services from is the office :P.
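What the dd-wrt warning above asks for (ip6tables on the router filtering inbound connections) and the "punch a hole for HTTPS to a specific address" setup andrewaylett describes, as an added example that is not from the thread, from DD-WRT or from any vendor. The script emits a minimal stateful ip6tables ruleset instead of applying it, so it can be reviewed without root; the interface names eth0/br0 and the server address 2001:db8::10 are assumptions (the latter is a constructed documentation-prefix address).

```shell
#!/bin/sh
# Added example (not from the thread or DD-WRT): emit a minimal stateful
# ip6tables ruleset for a router that forwards IPv6 for a LAN. The rules are
# printed rather than applied, so they can be reviewed and tested without
# root; pipe the output into `sh` on the router to apply them.
# Assumptions: WAN interface eth0, LAN interface br0, and a constructed
# example server address 2001:db8::10 (IPv6 documentation prefix).

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-br0}"

# Baseline: default-deny on INPUT and FORWARD, allow traffic belonging to
# connections that originated inside, and keep the ICMPv6 the protocol
# cannot work without (neighbour discovery, router advertisements,
# Packet Too Big for path MTU discovery).
ip6_baseline() {
    cat <<EOF
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type neighbour-advertisement -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT
ip6tables -A FORWARD -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A FORWARD -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT
ip6tables -A INPUT -i $LAN_IF -j ACCEPT
EOF
}

# One deliberate hole: new inbound TCP connections from the WAN to a single
# LAN address and port. Everything else inbound still hits the DROP policy.
ip6_allow_inbound() {
    # $1 = destination IPv6 address, $2 = TCP port
    printf 'ip6tables -A FORWARD -i %s -o %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$WAN_IF" "$LAN_IF" "$1" "$2"
}

# Number of append rules in the generated set (baseline plus one hole);
# a quick sanity check that nothing was lost when editing the heredoc.
ip6_rule_count() {
    { ip6_baseline; ip6_allow_inbound "$1" "$2"; } | grep -c '^ip6tables -A'
}

# Example run: baseline plus HTTPS to the constructed address 2001:db8::10.
ip6_baseline
ip6_allow_inbound 2001:db8::10 443
```

The point of the default-deny FORWARD policy is exactly the one the dd-wrt warning makes: without it, every globally addressed client behind the router is reachable from the Internet, NAT or no NAT. Adding a hole is then an explicit, reviewable line per service rather than a port-forward on a shared address. On a build that ships without ip6tables (as the quoted tutorial says DD-WRT does), the rules above cannot be applied at all, which is the case where a per-client firewall is the only remaining control.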

hot_gril | 2 years ago

This is my concern too. NAT is nice because it's stupid and secure by default. No matter how you misconfigure it, the router simply doesn't know where to forward inbound packets to, unlike a firewall which has to actively block. My assumption for routers is that they won't handle firewalls right, especially the many cheapo ones.

Dagger2 | 2 years ago

It's not actually secure; your router will route inbound packets to whatever IP is in the packet's destination header, and that can be a machine on your LAN. This remains true whether or not you're applying NAT to your outbound connections.

If anything, NAT makes you less secure by tricking you into a false sense of security.

(It's also worse if you're deliberately running servers, because it catastrophically reduces the search space needed for a hostile actor to find those servers via network scanning. At least, it does on v6 -- on v4 the search space is already too small to be a relevant factor.)

lazide | 2 years ago

Hmm, I think you’re right! Apologies! And now off to check my firewall rules!