undefined | Better HN

0 pointsadrian_b4y ago0 comments

Adding the right rules for a firewall is not more difficult for IPv6 than for IPv4 with NAT, if anything it is simpler.

It is true that usually NAT is configured by default to not accept connections from outside to inside, but any firewall should have default rules that forbid such connections for any protocol, both for IPv4 and for IPv6.

Nonetheless, you are probably right that many, maybe most, home routers/firewalls might come with bad default configurations, where instead of having sane default rules for IPv6, there might be just a default rule to pass all.

If that is the case, it is not the fault of IPv6 but of the device manufacturers. For NAT it is also possible to put stupid default firewall rules, that just is less common, because almost all customers use NAT and the bad defaults are frequently noticed and reported.

0 comments

corty4y ago

Most consumer NATs are intentionally configured to be leaky. A commonly used technique is hole punching (https://en.wikipedia.org/wiki/Hole_punching_(networking) ), which all consumer NATs are prone to support because otherwise many popular applications such as games, voice- and videoconferencing won't work. There are also formally specified protocols to expose hosts to connections from outside: https://en.wikipedia.org/wiki/Internet_Gateway_Device_Protoc... https://en.wikipedia.org/wiki/Port_Control_Protocol and others. All this is done with no or poor authentication, so any malware that managed to make it inside your network (e.g. by a guest carrying an infected device) can just request your home router to open ports. There have even been problems where such protocols were open to the outside internet, of course without auth. There have been problems with misdirected exposed ports when hosts go offline and addresses are reassigned. Those just don't make headline news because the protocols work as intended and each misconfiguration is unique, automatic and temporary.

So, first, your IPv4 NAT has crappy security already, by virtue of needing to accomodate services like realtime audio/video/control that won't work properly without incoming connections. Second, IPv6 is supported in the same way, PCP can just do the same for IPv6 firewall rules as it does for IPv4 NAT exposed ports.

There is absolutely no reason to not use IPv4 over IPv6, it'll work the same from an end-user's view. But it'll be slightly less messy because you just configure firewall rules per IPv6 address instead of translating the limited port space of your one external IPv4 address into a number of internal Port/IPv4 combinations. So the chance to screw up is lessened.

hansel_der4y ago

> it'll be slightly less messy because you just configure firewall rules per IPv6 address instead of translating the limited port space of your one external IPv4 address into a number of internal Port/IPv4 combinations. So the chance to screw up is lessened.

as mentioned, with ipv6 you now have to care/worry about multiple classes of numbers, so i'd argue that because the number-space is increased, so is the chance to screw up.

i grew up with windows 3.x computers having a public ip and no firewall and as nice as incoming connections by default are for an enthusiast, they are a unecessary danger for the masses.

as you said, hole-punching works on ipv6 as well and has to be initiated from the inside, so it's no argument for .

adrian_bOP4y ago

I do not know what you mean by "multiple classes of numbers".

A firewall must block everything by default.

You add then exceptions for the protocols, hosts and ports that you want to allow.

Regardless whether you use IPv4 or IPV6, you have the same number of protocols, hosts and ports for which you must add rules.

The only disadvantage of IPv6 is that you should be more careful when you copy and paste the host addresses into rules, because the IPv6 addresses are longer and it might be more difficult to notice typing errors in them.

On the other hand, you no longer need to add NAT rules.

1 more reply

j / k navigate · click thread line to collapse