On 01/04/2011 11:52 AM, Marko Vojinovic wrote:
> On Tuesday 04 January 2011 01:44:36 Robert Nichols wrote:
>> On 01/03/2011 06:31 PM, Michael H. Warfield wrote:
>> The problem that I see is that any system to which I have ever made a
>> connection now has a nice, routable IPv6 address back to the machine
>> that made the connection and can start probing that machine to see if
>> any vulnerable services might have been inadvertently left listening
>> on that interface.
>
> You have the exact same situation if you use IPv4 and NAT. The outside system
> has the IPv4 of your router, and can use that IP to scan for any open port on
> your inside machine. Namely, once your NAT-ed machine initiates the connection
> to the outside machine, NAT will happily accept any incoming connection from
> that outside machine, typically on all ports, translate to your local IP and
> forward back inside (at least in the default configuration). That's how NAT
> works, it translates the addresses from non-routable to routable and back,
> trying to keep the communication as open as possible, both ways. Didn't you
> know this?

I know that's not how my "router" works. OK, my router is actually a Linux box performing the NAT function and with the inward facing NIC connected to a simple switch. In order to be routed back, the return packet would have to match the tuple of (remote address, remote port, local address, local port) or a RELATED tuple constructed from information that a protocol-aware helper extracted from the original connection. Reply packets sent to an arbitrary port will be rejected or dropped independent of firewall settings because the NAT function simply doesn't know where to route them. To blindly route packets without regard for the port numbers would make it impossible for more than one machine on my local network to have simultaneous connections to the same port on the same remote server, and that's something that happens all the time.
If commonly available home routers are way dumber than that, then no, I was not aware of that, and how the heck would they even begin to handle the simultaneous connection scenario? But, it's pretty much a moot point for me anyway. I'm not going to be able to get rid of IPv4 on my local network any time soon. There are just too many boxes with no chance of ever supporting IPv6.

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                Do NOT delete it.

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
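The tuple-matching behaviour Bob describes (replies routed only to a tracked connection, and two inside hosts able to share the same remote port) as an added toy model, not code from the thread or from any real NAT implementation; the addresses and ports are constructed sample values:

```python
from dataclasses import dataclass

ROUTER_IP = "203.0.113.1"  # constructed public address of the NAT box

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class StatefulNAT:
    """Toy port-translating NAT: inbound packets are routed only by tracked tuple."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (local_ip, local_port, remote_ip, remote_port) -> port used on the outside
        self.outbound = {}
        # (remote_ip, remote_port, outside_port) -> (local_ip, local_port)
        self.inbound = {}

    def translate_out(self, pkt):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        mapped = self.outbound.get(key)
        if mapped is None:  # new connection: allocate a distinct outside port
            mapped = self.next_port
            self.next_port += 1
            self.outbound[key] = mapped
            self.inbound[(pkt.dst_ip, pkt.dst_port, mapped)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, mapped, pkt.dst_ip, pkt.dst_port)

    def translate_in(self, pkt):
        """Rewrite a reply to its inside host, or return None (dropped) when no
        tracked tuple matches: the NAT has nowhere to send it."""
        local = self.inbound.get((pkt.src_ip, pkt.src_port, pkt.dst_port))
        if local is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, local[0], local[1])

def demo():
    nat = StatefulNAT(ROUTER_IP)
    # two inside hosts, same local source port, same remote server and port
    a = nat.translate_out(Packet("192.168.1.10", 50000, "198.51.100.7", 443))
    b = nat.translate_out(Packet("192.168.1.11", 50000, "198.51.100.7", 443))
    # replies on the tracked tuples reach the right host ...
    reply_a = nat.translate_in(Packet("198.51.100.7", 443, ROUTER_IP, a.src_port))
    reply_b = nat.translate_in(Packet("198.51.100.7", 443, ROUTER_IP, b.src_port))
    # ... but a packet from the same server to some other port matches nothing
    probe = nat.translate_in(Packet("198.51.100.7", 12345, ROUTER_IP, 22))
    return a, b, reply_a, reply_b, probe
```

A real implementation also keys on the protocol and ages entries out; this model keeps only the lookup that decides whether an inbound packet has anywhere to go.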