On Tuesday 04 January 2011 01:44:36 Robert Nichols wrote:
> On 01/03/2011 06:31 PM, Michael H. Warfield wrote:
> The problem that I see is that any system to which I have ever made a
> connection now has a nice, routable IPv6 address back to the machine
> that made the connection and can start probing that machine to see if
> any vulnerable services might have been inadvertently left listening
> on that interface.

You have the exact same situation if you use IPv4 and NAT. The outside system has the IPv4 address of your router, and can use that IP to scan for any open port on your inside machine. Namely, once your NAT-ed machine initiates the connection to the outside machine, NAT will happily accept any incoming connection from that outside machine, typically on all ports, translate it to your local IP and forward it back inside (at least in the default configuration). That's how NAT works: it translates the addresses from non-routable to routable and back, trying to keep the communication as open as possible, both ways. Didn't you know this?

If you are not running a firewall in front of your NAT-ed LAN, you're completely exposed. This is a problem that exists in the IPv4 world as much as in IPv6, and NAT does absolutely nothing to prevent it. The only solution is a firewall on your gateway, in front of your whole LAN.

> No problem if it's a well secured file server,
> but it could also be an internet-aware HDTV or video recorder where
> I have no control over the internal OS. Sounds like all traffic will
> now have to be routed through an external IPv6 SPI firewall
> appliance.

Precisely. Everything must go through a firewall that covers your whole LAN, regardless of NAT vs. no-NAT, IPv4 vs. IPv6, computers vs. dumb devices, etc.

> You no doubt have one of those, but I certainly don't,
> and I suspect one would cost a bit more than my $35 NAT router, plus
> being a bit beyond the administrative abilities of the average home
> user.
Most home routers have a firewall built in these days, at least all routers that I've seen so far in typical home environments. And it's typically preconfigured and turned on by default, for dumb users who prefer plug&play without bothering to configure anything. Just log in to the router (typically it has a web interface), find the "security" section (or whatever it's called for your model), and typically there will be an option "turn on firewall". Select this option, save, and restart the router. It's as simple as that. And if you never looked at it before, my bet is that it is already turned on by default.

If you are running some server behind the router, it is assumed that you are knowledgeable enough to reconfigure the router to allow incoming connections to that machine on that port. Btw, you need to know how to do that in the NAT-ed environment as well (port-forwarding).

Bottom line: you need a firewall, period. And it's typically already there, in the router, preconfigured for safe usage and activated by default, for clueless users who don't even know they have it.

HTH, :-)
Marko

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
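The thread's conclusion, a stateful firewall on the gateway that covers the whole LAN for IPv4 and IPv6 alike, plus a single deliberately published service, looks like this as an nftables ruleset for a Linux router. This is an added example and not part of the mailing-list exchange above; nftables itself, the interface names (eth0 = WAN, eth1 = LAN), the LAN prefixes 192.168.1.0/24 and 2001:db8:1::/64, and the file server at 192.168.1.10 / 2001:db8:1::10 with SSH on port 22 are all assumptions made for the example. Everything the LAN initiates is allowed out, and only replies to it (tracked by conntrack) are allowed back in; the IPv4 port-forward and the IPv6 pinhole for the server are the only inbound exceptions, and the HDTV or video recorder discussed above is reachable from outside on neither address family.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the original thread): minimal home gateway ruleset.
# Assumed layout: eth0 = WAN (IPv4 behind NAT, global IPv6 via the ISP),
# eth1 = LAN (192.168.1.0/24 and 2001:db8:1::/64). Load with: nft -f <file>
flush ruleset

table inet filter {
    # Traffic addressed to the router itself.
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept      # replies to what the router sent
        ct state invalid drop
        iifname "lo" accept
        iifname "eth1" accept                    # LAN side may reach the web UI / DHCP / DNS
        # IPv6 needs neighbour discovery and router advertisements on the WAN side.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
    }

    # Traffic passing through the router between LAN and Internet.
    # This single chain is what protects the LAN, with or without NAT.
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept      # replies to LAN-initiated flows only
        ct state invalid drop
        iifname "eth1" oifname "eth0" accept     # LAN -> Internet, IPv4 and IPv6

        # Path MTU discovery must work for IPv6; do not drop these ICMPv6 errors.
        iifname "eth0" oifname "eth1" icmpv6 type { packet-too-big, destination-unreachable, time-exceeded } accept

        # The one published service: SSH on the (assumed) file server.
        # IPv4: the packet was already DNAT-ed in prerouting, so match the inside address.
        iifname "eth0" oifname "eth1" ip daddr 192.168.1.10 tcp dport 22 ct state new accept
        # IPv6: no NAT, just a pinhole to the server's global address.
        iifname "eth0" oifname "eth1" ip6 daddr 2001:db8:1::10 tcp dport 22 ct state new accept
        # Anything else arriving on eth0 for the LAN (TV, recorder, ...) hits policy drop.
    }
}

# IPv4 only: address translation. This table decides reachability no more than
# the filter table above does; the forward chain still has the final say.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        iifname "eth0" tcp dport 22 dnat to 192.168.1.10    # the "port-forwarding" entry
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "eth0" masquerade                            # hide the LAN behind the WAN address
    }
}
```

After loading, `nft list ruleset` shows the active rules and `conntrack -L` (from the conntrack-tools package, if installed) shows the tracked flows; an inbound SYN from the Internet to any LAN host other than the server on port 22 matches no `accept` rule in `forward` and is dropped, regardless of whether that host has spoken to the remote system before.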