Re: ipv6 question

On 01/04/2011 11:52 AM, Marko Vojinovic wrote:
> On Tuesday 04 January 2011 01:44:36 Robert Nichols wrote:
>> On 01/03/2011 06:31 PM, Michael H. Warfield wrote:
>> The problem that I see is that any system to which I have ever made a
>> connection now has a nice, routable IPv6 address back to the machine
>> that made the connection and can start probing that machine to see if
>> any vulnerable services might have been inadvertently left listening
>> on that interface.
>
> You have the exact same situation if you use IPv4 and NAT. The outside system
> has the IPv4 of your router, and can use that IP to scan for any open port on
> your inside machine. Namely, once your NAT-ed machine initiates the connection
> to the outside machine, NAT will happily accept any incoming connection from
> that outside machine, typically on all ports, translate to your local IP and
> forward back inside (at least in the default configuration). That's how NAT
> works, it translates the addresses from non-routable to routable and back,
> trying to keep the communication as open as possible, both ways. Didn't you
> know this?

I know that's not how my "router" works.  OK, my router is actually a Linux
box performing the NAT function and with the inward facing NIC connected to
a simple switch.  In order to be routed back, the return packet would have
to match the tuple of (remote address, remote port, local address, local
port) or a RELATED tuple constructed from information that a protocol-aware 
helper extracted from the original connection.  Reply packets sent to an
arbitrary port will be rejected or dropped independent of firewall settings
because the NAT function simply doesn't know where to route them.  To
blindly route packets without regard for the port numbers would make it
impossible for more than one machine on my local network to have
simultaneous connections to the same port on the same remote server, and
that's something that happens all the time.

If commonly available home routers are way dumber than that, then no,
I was not aware of that, and how the heck would they even begin to handle
the simultaneous connection scenario?

But, it's pretty much a moot point for me anyway.  I'm not going to be
able to get rid of IPv4 on my local network any time soon.  There are
just too many boxes with no chance of ever supporting IPv6.

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.
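The behaviour Bob describes (a return packet is forwarded inside only if it matches the tuple that an outbound connection created, and two LAN hosts can share the same remote port because each gets its own translated source port) can be illustrated with a small stateful-NAT simulation. This is an added example, not code from the thread or from any router; the addresses, ports and host names are constructed, the port-allocation policy is simplified (Linux keeps the original source port when it is free), and protocol-helper "RELATED" expectations are not modelled.

```python
"""Toy stateful NAT (masquerade) table, added as an illustration.

Assumptions (not from the thread): public IP 203.0.113.5, LAN hosts
192.168.1.10/11, remote server 198.51.100.7. Every outbound flow gets a
fresh translated port starting at 40000; real implementations differ.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatRouter:
    public_ip: str
    next_port: int = 40000
    # (remote_ip, remote_port, public_port) -> (local_ip, local_port)
    table: Dict[Tuple[str, int, int], Tuple[str, int]] = field(default_factory=dict)
    # (local_ip, local_port, remote_ip, remote_port) -> public_port, so an
    # existing flow keeps its translation instead of getting a new one
    reverse: Dict[Tuple[str, int, str, int], int] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the LAN and record the tracking tuple."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        public_port = self.reverse.get(key)
        if public_port is None:
            public_port = self.next_port
            self.next_port += 1
            self.reverse[key] = public_port
            self.table[(pkt.dst_ip, pkt.dst_port, public_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Forward a packet inside only if it matches a tracked flow.

        The match requires the full reply tuple: remote address, remote
        port and the translated public port. Anything else is dropped
        (returns None) before any firewall rule is consulted, because the
        NAT has nowhere to send it.
        """
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.table.get((pkt.src_ip, pkt.src_port, pkt.dst_port))
        if entry is None:
            return None
        local_ip, local_port = entry
        return Packet(pkt.src_ip, pkt.src_port, local_ip, local_port)


def demo() -> dict:
    """Two LAN hosts talk to the same remote port; remote tries to probe back."""
    router = NatRouter(public_ip="203.0.113.5")
    server = "198.51.100.7"

    # Both hosts even use the same local source port; NAT still keeps them apart.
    a = router.outbound(Packet("192.168.1.10", 51000, server, 443))
    b = router.outbound(Packet("192.168.1.11", 51000, server, 443))

    # Genuine replies: full tuple matches, forwarded to the right inside host.
    reply_a = router.inbound(Packet(server, 443, router.public_ip, a.src_port))
    reply_b = router.inbound(Packet(server, 443, router.public_ip, b.src_port))

    # Remote host sends to an arbitrary port on the router: no entry, dropped.
    probe = router.inbound(Packet(server, 12345, router.public_ip, 22))
    # Remote host hits a tracked public port but from a different source
    # port: the tuple does not match, so this is dropped as well.
    probe2 = router.inbound(Packet(server, 9999, router.public_ip, a.src_port))

    return {
        "public_ports": (a.src_port, b.src_port),
        "reply_a_delivered_to": (reply_a.dst_ip, reply_a.dst_port) if reply_a else None,
        "reply_b_delivered_to": (reply_b.dst_ip, reply_b.dst_port) if reply_b else None,
        "probe_forwarded": probe is not None,
        "probe2_forwarded": probe2 is not None,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it shows the two hosts receiving distinct translated ports (40000 and 40001 under this model), each server reply landing on the correct inside host, and both unsolicited packets being dropped for lack of a matching tracking entry; the only way a remote host reaches an inside port is through a tuple the inside host itself created.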

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
