Hacker News new | ask | show | jobs
by mittensc 54 days ago
Have you tried that?

I have yet to see a router that allows that forwarding unless explicitly configured. Still, i'm using mostly openwrt/opnsense/mikrotik

Default is to disallow/block forwarding packets from public wan to private range lan.

ISP can still inject packets on ports that NAT opens if it spoofs the source address/port, so you still have some validity to argument.
1 comments
Dagger2 53 days ago
Yup, repeatedly.

It's true that almost everything comes with a firewall rule that blocks new connections from the WAN to the LAN, so in practice these connections will be blocked on most things by default. But they come with this rule precisely because NAT doesn't do the job.

link
mittensc 53 days ago
> Yup, repeatedly

Cool, me too :)

Anyway, the other side of the argument:

It is the default and default is secure. Users don't have to reason about it, they can assume it works, how doesn't matter and they may lack training/willingness to figure out.

You can't say the same for IPv6 where default is allow (have things changed?, havent checked in a long time)

link
Dagger2 53 days ago
Of course you can say the same for v6. Blocking connections that go from WAN to LAN by default has the same effect on both protocol families. If you assume that having the appropriate firewall rule to do that is the default then inbound connections will also be blocked on v6 by default.

NAT contributes nothing to your security in this scenario, and instead makes it harder (not easier) to understand and reason about what your router is doing.

link
mittensc 53 days ago
> If you assume that having the appropriate firewall rule to do that is the default

That's the thing, it's not the default, default is public ipv6 for everyone and its the users duty to configure firewall...

I could definitely set this up easily, someone like my parents or friends would ask me 'what's IPv6?'

link
Dagger2 53 days ago
Ah, okay. In that case v4 doesn't have a firewall by default either.

That's precisely why routers come configured with a firewall that blocks inbound connections from the WAN -- because the protocol itself doesn't have a firewall by default, and neither does NAT.

link