• @[email protected]
    44 months ago

    Honestly, the more I think about it the more I realize I’m wrong. I was thinking someone could enable a server on their client device without realizing it, but the firewall on the router would still need to be modified in that situation, and anything not requiring firewall modifications would be just as much of a security hole on IPv4.

    • Encrypt-Keeper
      4 months ago

      Yeah, it’s a common trip-up. We’re all so used to the way things are done in IPv4 that our natural response is to try and apply IPv4 logic to IPv6, but you’re absolutely right.

      Many people think NAT is a security feature, but that’s only a coincidence and it doesn’t do anything a firewall doesn’t already do. And if we take it one step further we can actually see that a firewall and IPv6 is actually more secure than NAT. The only inherent risk of port forwarding in NAT is that the IP you’re forwarding to is ultimately arbitrary. Think: have a port open to SMB for a publicly accessible file sharing container, then later ditch it, and via DHCP your laptop picks up that old IP and now voila, you’ve technically exposed your laptop. It’s not quite that simple, but that’s the essence of it.

      But with IPv6, IPs are no longer arbitrary. When you allow access on certain ports to a certain machine and that machine goes away, that rule will always only allow access to nowhere.
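The stale-forward scenario above (a NAT rule still pointing at an address DHCP has since handed to a different host) can be caught by cross-checking each rule's target against the lease table by MAC. This is an added example written for this thread, not code from either commenter; it assumes dnsmasq-style lease lines and uses constructed MACs, addresses and hostnames.

```python
# Cross-check IPv4 port-forward rules against the DHCP lease table, by MAC,
# so a rule whose target address was reassigned (or released) is flagged.
from dataclasses import dataclass

@dataclass(frozen=True)
class Forward:
    ext_port: int
    target_ip: str
    target_mac: str  # MAC of the host the rule was originally written for

def parse_dnsmasq_leases(text):
    """Parse dnsmasq-style lines '<expiry> <mac> <ip> <hostname> <client-id>'
    into {ip: (mac, hostname)}."""
    leases = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            _, mac, ip, hostname = parts[:4]
            leases[ip] = (mac.lower(), hostname)
    return leases

def audit_forwards(forwards, leases):
    """Return (ext_port, status, detail) per rule; status is 'ok',
    'stale' (IP now leased to another MAC) or 'dangling' (no lease)."""
    findings = []
    for fw in forwards:
        lease = leases.get(fw.target_ip)
        if lease is None:
            findings.append((fw.ext_port, "dangling", f"{fw.target_ip} has no active lease"))
        elif lease[0] != fw.target_mac.lower():
            findings.append((fw.ext_port, "stale", f"{fw.target_ip} now leased to {lease[1]} ({lease[0]})"))
        else:
            findings.append((fw.ext_port, "ok", f"{fw.target_ip} is still {lease[1]}"))
    return findings

# Constructed sample data: hypothetical MACs, addresses and hostnames.
FORWARDS = [
    Forward(445, "192.168.1.50", "02:00:00:aa:bb:01"),   # SMB forward for a retired file-share container
    Forward(8443, "192.168.1.60", "02:00:00:aa:bb:02"),  # forward to a web app that is still there
    Forward(2222, "192.168.1.70", "02:00:00:aa:bb:03"),  # host retired; nobody holds the IP now
]
LEASES_TEXT = """\
1700000000 02:00:00:aa:bb:09 192.168.1.50 laptop 01:02:00:00:aa:bb:09
1700000000 02:00:00:aa:bb:02 192.168.1.60 webapp 01:02:00:00:aa:bb:02
"""

if __name__ == "__main__":
    for port, status, detail in audit_forwards(FORWARDS, parse_dnsmasq_leases(LEASES_TEXT)):
        print(f"port {port}: {status} - {detail}")
```

A "stale" finding is the laptop case from the comment; a "dangling" rule is harmless today but is the next one to become stale.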