ipv6 question
Marko Vojinovic
vvmarko at gmail.com
Tue Jan 4 17:52:42 UTC 2011

On Tuesday 04 January 2011 01:44:36 Robert Nichols wrote:
> On 01/03/2011 06:31 PM, Michael H. Warfield wrote:
> The problem that I see is that any system to which I have ever made a
> connection now has a nice, routable IPv6 address back to the machine
> that made the connection and can start probing that machine to see if
> any vulnerable services might have been inadvertently left listening
> on that interface.

You have the exact same situation if you use IPv4 and NAT. The outside system
has the IPv4 of your router, and can use that IP to scan for any open port on
your inside machine. Namely, once your NAT-ed machine initiates the connection
to the outside machine, NAT will happily accept any incoming connection from
that outside machine, typically on all ports, translate to your local IP and
forward back inside (at least in the default configuration). That's how NAT
works, it translates the addresses from non-routable to routable and back,
trying to keep the communication as open as possible, both ways. Didn't you
know this?

If you are not running a firewall in front of your NAT-ed LAN, you're
completely exposed.

This is a problem that does exist in IPv4 world as much as in IPv6, and NAT
does absolutely nothing to prevent it. The only solution is the firewall on
your gateway, in front of your whole LAN.

> No problem if it's a well secured file server,
> but it could also be an internet-aware HDTV or video recorder where
> I have no control over the internal OS. Sounds like all traffic will
> now have to be routed through an external IPv6 SPI firewall
> appliance.

Precisely. Everything must go through a firewall that covers your whole LAN.
Regardless of NAT vs. no-NAT, IPv4 vs. IPv6, computers vs. dumb devices, etc.

> You no doubt have one of those, but I certainly don't,
> and I suspect one would cost a bit more than my $35 NAT router, plus
> being a bit beyond the administrative abilities of the average home
> user.

Most home routers have a firewall built-in these days. At least all routers
that I've seen so far in typical home environments. And it's typically
preconfigured and turned on by default, for dumb users who prefer plug&play,
without bothering to configure anything.

Just log in to the router (typically it has a web interface), find the
"security" section (or whatever it's called for your model) and typically
there will be an option "turn on firewall". Select this option, save, and
restart the router. It's as simple as that. And if you never looked at it
before, my bet is that it is already turned on, by default.

If you are running some server behind the router, it is assumed that you are
knowledgeable enough to reconfigure the router to allow incoming connections to
that machine on that port. Btw, you need to know how to do that in the NAT-ed
environment as well (port-forwarding).

Bottom line, you need a firewall, period. And it's typically already there, in
the router, preconfigured for safe usage and activated by default, for clueless
users who don't even know they have it.

HTH, :-)
Marko
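
Added example, not part of the original message: a minimal stateful IPv6 ruleset for a Linux gateway in nftables syntax, illustrating the whole-LAN firewall the post calls for. The interface names eth0 (WAN) and eth1 (LAN) are assumptions, as is the use of a Linux box as the gateway.

```nftables
#!/usr/sbin/nft -f
# Added example. Interface names are assumptions; adjust to the gateway.
define WAN = "eth0"
define LAN = "eth1"

table ip6 gateway {
    # Traffic routed between the Internet and the LAN
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections opened from inside, plus the ICMPv6
        # errors (e.g. packet-too-big) conntrack ties to those flows
        ct state established,related accept
        ct state invalid drop

        # LAN hosts may open new connections outward
        iifname $LAN oifname $WAN accept

        # New connections from WAN to LAN hosts fall through to the
        # drop policy, so globally routable inside addresses cannot
        # be probed from outside
    }

    # Traffic addressed to the gateway itself
    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Neighbor discovery and router advertisements; IPv6 stops
        # working on the link if these are filtered
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert } accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept

        # DHCPv6 replies from the upstream router (link-local source)
        iifname $WAN ip6 saddr fe80::/10 udp dport 546 accept

        # Management and local services are reachable from the LAN only
        iifname $LAN accept
    }
}
```

A server behind the gateway needs one explicit accept rule in the forward chain for its address and port, placed before the policy applies; this is the IPv6 counterpart of the port-forwarding step mentioned in the message.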