> We are talking about IPv6 and possibilities to directly access machine where some vulnerable service might be exposed by misconfiguration.

That is no different than with IPv4. If you have a stateful firewall, that isn't possible. If you don't, it is.

> Even pro people forget to close their database on servers sometimes, cannot think what weird stuff might be running on normal users' machines.

Which is why you should have a stateful firewall. A NAT does not add anything to that.

> I did not even touch running untrusted code by user because that is not in the scope of discussion. It is insecure with whatever the network configuration is.

It is very much in scope of the discussion, as every single end user does it. No matter how great their firewall is, you just send them a link to a website, and that website now gets to execute JavaScript code on the inside of the firewall, with more or less direct access to all the insecure services supposedly protected by the firewall. Including even stuff only listening on localhost, which wouldn't be reachable directly even without a firewall. If you want to do a mass-scale attack, you serve that code through an advertising network.

So, you actually have to secure the services anyway; even a firewall is insufficient to protect vulnerable services on end-user networks.

> I do not know how you can connect to a device behind NAT without setting up a tunnel to it. But I might be wrong, point me to some resource please?

By sending a packet addressed directly to the internal address, which your ISP can do, anyone who compromises your ISP's edge router can do, and more often than not your neighbours can do when your ISP fails to properly isolate customers on layer 2.
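The comment's point that a service must protect itself, because a web page loaded in a browser on the same machine can reach even a localhost-only listener, is easiest to see in a small hardened service. The following is an added example written for this thread, not code posted by any participant: a loopback-bound HTTP service that refuses requests whose `Host` header does not name the service itself (the DNS-rebinding case), whose `Origin` header names a foreign site (a page issuing `fetch()` toward 127.0.0.1), or whose `Sec-Fetch-Site` header says `cross-site`. The allowlist, the port and the handler are constructed assumptions for the example; real services would add authentication on top of these header checks.

```python
"""Hardening a localhost-only HTTP service against browser-relayed requests.

Added illustration for the discussion above: the allowlist, port and handler
are constructed for this example and are not code from the thread.
"""
import http.server
import socketserver
from urllib.parse import urlsplit

# Host names under which this service legitimately expects to be addressed.
# A rebinding attacker's domain resolving to 127.0.0.1 is not among them,
# so such a request is rejected before any handler logic runs.
ALLOWED_HOSTS = {"127.0.0.1", "localhost", "::1"}  # constructed allowlist


def _hostname(authority_or_url):
    """Extract the bare host from 'host:port', '[v6]:port' or a full URL."""
    value = authority_or_url.strip()
    if "://" not in value:
        value = "//" + value  # let urlsplit treat it as a network location
    return (urlsplit(value).hostname or "").lower()


def check_request(host_header, origin_header=None, sec_fetch_site=None):
    """Decide whether a request may reach the service.

    Returns (allowed, reason).  Three browser-side signals are checked:
    - Host: must name this service (defeats DNS rebinding, where the page's
      domain resolves to 127.0.0.1 but the Host header still names the
      attacker's domain);
    - Origin: if present, must be one of our own hosts (defeats a foreign
      page calling fetch()/XHR against the loopback address);
    - Sec-Fetch-Site: if the browser sends it, 'cross-site' is refused.
    """
    if not host_header:
        return False, "missing Host header"
    if _hostname(host_header) not in ALLOWED_HOSTS:
        return False, "Host header does not name this service"

    if origin_header is not None:
        origin = origin_header.strip()
        # 'null' is sent for sandboxed or opaque origins; treat as foreign.
        if origin == "null" or _hostname(origin) not in ALLOWED_HOSTS:
            return False, "cross-origin request refused"

    if sec_fetch_site is not None and sec_fetch_site.strip() == "cross-site":
        return False, "cross-site fetch refused"

    return True, "ok"


class LocalOnlyHandler(http.server.BaseHTTPRequestHandler):
    """Minimal handler that applies check_request() to every request."""

    def _handle(self):
        allowed, reason = check_request(
            self.headers.get("Host"),
            self.headers.get("Origin"),
            self.headers.get("Sec-Fetch-Site"),
        )
        if not allowed:
            self.send_error(403, reason)
            return
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = _handle
    do_POST = _handle


def serve(port=8080):
    # Binding to loopback keeps the LAN out; the header checks above are the
    # defence against requests a browser on this machine relays from a page.
    with socketserver.TCPServer(("127.0.0.1", port), LocalOnlyHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

A plain command-line client on the same machine sends `Host: 127.0.0.1:8080` and no `Origin`, so it passes; a page from another site that the user merely visited arrives with a foreign `Origin` (and, in current browsers, `Sec-Fetch-Site: cross-site`) and is refused, regardless of what the network firewall does.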