top | item 46703407

(no title)

Latty | 1 month ago

Except in the real world everyone is also running UPnP, so NAT is also one misconfiguration away from exposing something publicly. In the real world your ISP might enable IPv6 one day and suddenly you do have a public address. Relying on NAT is a bad idea because it's less explicit, a firewall is saying you only want to allow these things through, of course nothing is perfect, you can mess up, but NAT is just less clear, the expectation is not "nothing behind NAT should ever be exposed", it's "we don't have enough addresses and need to share".

discuss

deng|1 month ago

UPnP is not tied to NAT, where do you have this from? UPnP is used to request direct connections, a firewall can implement UPnP just as well as a NAT.

lostmsu|1 month ago

UPnP won't expose my SMB to the world on its own. For that you'd need an attacker already inside the NAT. So already on that side of the hatchway.

direwolf20|1 month ago

[deleted]

willis936|1 month ago

It's not "relying on NAT" to have it as a layer in the swiss cheese. Relying on any one thing is a bad strategy.

Latty|1 month ago

Sure, and that's fine, but relying on it isn't, and it isn't a reason not to use IPv6 (if you want namespacing, there are tools for that outside hiding behind a single IPv4). Hence the advice is not to rely on NAT.

This is people talking past each other, and to be fair, saying "everyone" in my post made it unclear, I was being glib in response to "because that's not what people run IRL", when evidently people do, I've seen it happen.

skywhopper|1 month ago

No, not everyone is running UPnP. Maybe on most home networks, but that’s not the audience that even knows or cares about NAT.

Latty|1 month ago

I think this is where the disconnect is: the home users are precisely the ones being talked about, because they are the ones most likely to be treating NAT like it is a security system for their devices in the real world.

I've literally seen someone's ISP turn on IPv6, and then have their long-running VNC service compromised because they were just relying on NAT to hide their services.

sedawkgrep|1 month ago

> Except in the real world everyone

...and goes on to ignore enterprise businesses, which consume most of the v4 space and are among the biggest resisters of v6.

everdrive|1 month ago

>Except in the real world everyone is also running UPnP

Definitely not. I've been disabling that for years.

aboardRat4|1 month ago

Upnp on cgnat machines? Lol.