top | item 40544651


tflol | 1 year ago

This looks like the usual ipv6 kool aid batshit. I don't want a bunch of kids and enemy states poking at and port scanning my laptop directly, regardless of whether or not I have a firewall enabled.

And, no, I don't think it's practical for everyone and their grandma to "just set up a bastion".

scrps | 1 year ago

This is also the spec for IPv4; it was intended to be as publicly routable as IPv6 is. NAT is just a consequence of everyone realizing circa the early 90s (iirc) that IPv4 addresses would run out at the rate the network was growing. Yes, NAT acts as an inbound default-deny firewall, but that isn't its purpose.

You have a router, and it has a firewall that is meant to be used to control access to the network. You don't have to assign rules to every device; you can assign default interface rules that apply to any connection.

Just because you get a publicly routable address doesn't mean the internet defies physics and hops over your router and firewall.

Also, as an aside: perimeter security is a very outdated way of looking at security. Yes, the perimeter is still important, but if it is your first and only line of defense you are gonna be in for a bad time. Defense in depth, as it is called, where you look at your systems and networks as layers of an onion, is the more modern standard, and NAT as a security mechanism has never been standard in either, because it isn't one.
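The "default interface rules that apply to any connection" the comment refers to, written out as an added example (not code posted by scrps or anyone else in the thread): a stateful, default-deny inbound IPv6 policy on a home router, expressed as an nftables ruleset. The interface names `wan0` and `lan0`, the host address `2001:db8::10` (RFC 3849 documentation prefix) and the single SSH exception are assumptions made for the example. Every LAN host gets a globally routable address, yet nothing on the WAN side can initiate a connection to any of them unless a rule explicitly says so.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumed interface names: wan0 (upstream),
# lan0 (home network). Assumed exposed host: 2001:db8::10 (documentation prefix).

flush ruleset

table inet filter {
    # Traffic addressed to the router itself.
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # IPv6 does not work without neighbor discovery and the error
        # messages used for path MTU discovery, so these are allowed.
        icmpv6 type {
            nd-neighbor-solicit, nd-neighbor-advert,
            nd-router-solicit, nd-router-advert,
            destination-unreachable, packet-too-big,
            time-exceeded, parameter-problem, echo-request
        } accept

        # Services the router offers to the LAN only: DNS and DHCPv6.
        iifname "lan0" udp dport { 53, 546, 547 } accept
        iifname "lan0" tcp dport 53 accept

        # Router management from the LAN only; never from the WAN.
        iifname "lan0" tcp dport 22 accept
    }

    # Traffic routed between LAN and WAN. The policy is per interface,
    # not per device: new LAN hosts are covered without any extra rule.
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state invalid drop

        # LAN hosts may open connections outward.
        iifname "lan0" oifname "wan0" accept

        # Replies to those connections may come back in; nothing else.
        ct state established,related accept

        # Error and diagnostic ICMPv6 must still reach LAN hosts, rate-limited.
        iifname "wan0" icmpv6 type {
            destination-unreachable, packet-too-big,
            time-exceeded, parameter-problem, echo-request
        } limit rate 10/second accept

        # The one deliberate hole: SSH to a single LAN machine (assumed address).
        iifname "wan0" ip6 daddr 2001:db8::10 tcp dport 22 ct state new accept

        # Any other unsolicited inbound packet hits the chain policy and is dropped.
    }
}
```

Load it with `nft -f <file>` and verify with `nft list ruleset`. Because the table family is `inet`, the same chains filter IPv4 as well, so the router's IPv4 side behaves identically whether or not NAT is in use. The `ct state new` match on the SSH rule is what distinguishes a deliberately opened port from the NAT-style "whatever is not mapped is unreachable" model: reachability is an explicit, auditable rule rather than a side effect of address translation.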

rcxdude | 1 year ago

I mean, they'd need to figure out your IP address beforehand, something that's a lot harder with IPv6. You've also got a much better chance of punching a packet through a NAT than an IPv6 firewall (and it's now expected behaviour for a lot of applications, as NAT makes it too difficult to just make connections directly).

rainonmoon | 1 year ago

They wouldn't need to figure out anything. The "kids and enemy states" are just hosing address ranges. I don't agree with the above commenter that NAT offers any meaningful security in this regard (now they're just hosing your consumer router instead which is probably less secure than the average updates-installed Defender-enabled Windows box). But you're both making points about security through obscurity in different ways.

LegionMammal978 | 1 year ago

Wouldn't IPv6 firewalls configured for typical users (i.e., denying unrecognized incoming connections) pose a similar barrier to making direct connections reliably on the application level? Not every user will be willing or able to open a hole in their firewall for every shiny new application that wants one.

utensil4778 | 1 year ago

Yeah, I think it is very explicitly a bad thing for all devices to be directly exposed to the entire internet, firewall or no. NAT is a pain, sure, but it does have the benefit of forcing you to have a network isolated from the internet, and only allowing external access when explicitly configured to do so.

I have exactly one machine which needs to be accessible from outside the local network. The rest of them should never be. Do I want to spend extra time ensuring that each and every single device on my network is secure, or do I want to do the inverse and assume all devices are secure and only spend effort to make the one machine exposed?

I can't imagine anyone who would actually want or need their WiFi toaster, WiFi cameras, or every computer to be publicly routable. There's absolutely no reason for it. Instead of relying on network isolation, we expect users to just implicitly rely on who knows how many different firewall implementations. Hopefully your router configures it by default.

semi | 1 year ago

Are you sure about that 'never'? That no device will ever try to use p2p connections?

Even then, I'd still rather ensure every device is appropriately firewalled. 'Not worrying about it' sounds like a hardened shell with a juicy center. What happens when a device does get compromised and tries to spread to your local network?