> Wouldn't it be expected to have a firewall with "NAT" type rules anyways? Inbound blocked until an outbound flow is made?

There are known solutions for this. For host firewalls, the application can open a port for itself during installation. For network firewalls, the firewall can implement Port Control Protocol (RFC6887), which supports opening even IPv6 ports.

> And UPnP seems to get around this right now anyways. At least, every NAT'd connection I'm on, when I run a Bittorrent client, I have no trouble getting inbound connections.

UPnP is a rubbish fire. The protocol itself is badly designed and unnecessarily complicated and many of the implementations are broken. Section 9 of RFC6886 is informative. One of the common failure modes is that a client will create a port mapping with a random UPnP device that isn't the real gateway. Many applications will then falsely indicate that incoming connections are working but none ever come through.

And it's still sharing an IP address. Only one device can have the ssh port, or the SMTP port, or any other port. IPv6 + Port Control Protocol fixes all of that.