by lmm 4216 days ago
> One thing that's tricky about V6 is the fact that without NAT all your boxes are internet-reachable unless you have a firewall. That's easily added of course, but whereas we have protocols like upnp and nat-pmp to reconfigure NAT routers, there's nothing equivalent for various applications to tell the router to forward some V6 traffic.

Is there any reason the same approach shouldn't work? All the application needs to tell the router is "please open this inbound port on this address", right? Like, in theory couldn't a router just follow the existing UPnP/NAT-PMP standards and do the right thing with those messages?

> That way, I could theoretically get away without a restrictive firewall while still giving applications a way to be directly connected to. An attacker would have to scan a /48 (in my case) or a /64 (in the worst case) in order to find an open port given a known remote address.

I think that's a terrible idea. An attacker could e.g. sniff packets inbound towards your network to figure out the address. Addresses are not designed to be secret or a security feature.


All you need is a firewall. NAT is not a security feature: it just has security implications. In IPv4 land, it's the firewall that does all the port forwarding, etc. anyways.

If you are running IPv6, get a nice OpenWRT router, where the firewall is enabled by default.

What are the implications of using a laptop on a public Wifi where you don't control the router? (Or a friend's house, or anywhere else where the router isn't yours).

OS-level firewall, I guess? Which maybe you should probably have anyway?

I think a lot of people don't trust the OS firewall due to many years of using Windows firewall. Windows firewall hasn't always been good, and is confusing still to this day for a lot of users (when I search for Firewall in my Windows 7 start menu, I get no less than 4 different options which all present me with different context menus, etc). Not to mention security product vendors still try to peddle their 3rd party firewall as being superior to the built-in firewall, which is rubbish other than maybe a usability standpoint (you either block something or you don't).

Compounded by the fact that most Windows boxes are "leaky" over the network and often have services talking without the user's knowledge.

This is changing, but it will take time to change users' minds. In the *nix world (which includes OSX), the desktop firewalls in my experience have been good for a very long time.

Windows gives you the choice when you connect to the Wifi - a kind of "is this network trusted?" dialogue.

Honestly the thing that makes sense is smarter applications. If you only need local connectivity, only listen on the loopback interface. If you open a port then you should expect to receive public requests on this port, and should have appropriate authentication in place.
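The "only listen on the loopback interface" advice in the last comment, shown as an added example that is not from any commenter in the thread. It uses Python's standard `ipaddress` and `socket` modules: `classify_bind` says whether a bind address keeps a service local, reachable on every interface (the `0.0.0.0` / `::` case that becomes globally reachable once NAT is gone), or tied to one interface; `exposed_listeners` runs that check over a constructed list of services; and `listen_local` actually opens a loopback-only listener so the resulting socket can be inspected. The service list and the function names are this example's own assumptions.

```python
import ipaddress
import socket


def classify_bind(host: str) -> str:
    """Classify a bind address by who can reach a socket bound to it.

    'local-only'      - loopback (127.0.0.0/8 or ::1): same-host clients only
    'all-interfaces'  - unspecified (0.0.0.0 or ::): every interface, so on a
                        firewall-less IPv6 network this is globally reachable
    'one-interface'   - a specific address: reachable by whoever can route to it
    """
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return "local-only"
    if addr.is_unspecified:
        return "all-interfaces"
    return "one-interface"


def exposed_listeners(listeners):
    """Return the (name, host, port) entries that are NOT loopback-only.

    `listeners` is a list of (name, host, port) tuples, e.g. what you would
    build from `ss -ltn` output. Anything returned here needs either a
    firewall rule or real authentication on the service itself.
    """
    return [l for l in listeners if classify_bind(l[1]) != "local-only"]


def listen_local(host: str = "127.0.0.1", port: int = 0) -> socket.socket:
    """Open a TCP listener restricted to a loopback address.

    Refuses non-loopback hosts so a typo like '0.0.0.0' cannot slip through.
    Port 0 asks the OS for any free port. Use '::1' for IPv6 loopback.
    """
    if classify_bind(host) != "local-only":
        raise ValueError(f"{host!r} is not a loopback address")
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(1)
    return sock


def bound_host(sock: socket.socket) -> str:
    """The address the kernel actually bound the socket to."""
    return sock.getsockname()[0]


# Constructed sample inventory (assumption, not from any real host):
SAMPLE_LISTENERS = [
    ("admin-ui", "127.0.0.1", 8080),   # fine: local only
    ("db", "::1", 5432),               # fine: local only
    ("dev-server", "0.0.0.0", 3000),   # exposed on every IPv4 interface
    ("agent", "::", 9000),             # exposed on every IPv6 interface
    ("share", "192.0.2.10", 445),      # exposed on one LAN address
]

if __name__ == "__main__":
    for name, host, port in exposed_listeners(SAMPLE_LISTENERS):
        print(f"{name}: {host}:{port} is {classify_bind(host)}")
    s = listen_local()
    print("loopback listener on", bound_host(s), s.getsockname()[1])
    s.close()
```

The `classify_bind` check is the one worth copying into a service's startup path: a listener that is meant to be private should fail to start when given a wildcard address, rather than silently relying on whatever NAT or firewall happens to sit in front of the host.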