ipv6 question

Marko Vojinovic vvmarko at gmail.com
Tue Jan 4 17:52:42 UTC 2011

On Tuesday 04 January 2011 01:44:36 Robert Nichols wrote:
> On 01/03/2011 06:31 PM, Michael H. Warfield wrote:
> The problem that I see is that any system to which I have ever made a
> connection now has a nice, routable IPv6 address back to the machine
> that made the connection and can start probing that machine to see if
> any vulnerable services might have been inadvertently left listening
> on that interface.

You have the exact same situation if you use IPv4 and NAT. The outside system 
has the IPv4 address of your router, and can use that IP to scan for any open port on 
your inside machine. Namely, once your NAT-ed machine initiates the connection 
to the outside machine, NAT will happily accept any incoming connection from 
that outside machine, typically on all ports, translate to your local IP and 
forward back inside (at least in the default configuration). That's how NAT 
works, it translates the addresses from non-routable to routable and back, 
trying to keep the communication as open as possible, both ways. Didn't you 
know this?

If you are not running a firewall in front of your NAT-ed LAN, you're 
completely exposed.

This is a problem that does exist in IPv4 world as much as in IPv6, and NAT 
does absolutely nothing to prevent it. The only solution is the firewall on 
your gateway, in front of your whole LAN.

> No problem if it's a well secured file server,
> but it could also be an internet-aware HDTV or video recorder where
> I have no control over the internal OS.  Sounds like all traffic will
> now have to be routed through an external IPv6 SPI firewall
> appliance.

Precisely. Everything must go through a firewall that covers your whole LAN. 
Regardless of NAT vs. no-NAT, IPv4 vs. IPv6, computers vs. dumb devices, etc.

> You no doubt have one of those, but I certainly don't,
> and I suspect one would cost a bit more than my $35 NAT router, plus
> being a bit beyond the administrative abilities of the average home
> user.

Most home routers have a firewall built-in these days. At least all routers 
that I've seen so far in typical home environments. And it's typically 
preconfigured and turned on by default, for dumb users who prefer plug&play, 
without bothering to configure anything.

Just log in to the router (typically it has a web interface), find the 
"security" section (or whatever it's called for your model) and typically 
there will be an option "turn on firewall". Select this option, save, and 
restart the router. It's as simple as that. And if you never looked at it 
before, my bet is that it is already turned on, by default.

If you are running some server behind the router, it is assumed that you are 
knowledgeable enough to reconfigure the router to allow incoming connections to 
that machine on that port. Btw, you need to know how to do that in the NAT-ed 
environment as well (port-forwarding).

Bottom line, you need a firewall, period. And it's typically already there, in 
the router, preconfigured for safe usage and activated by default, for clueless 
users who don't even know they have it.

HTH, :-)
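As an added example (not part of Marko's or Robert's posts, and not the list's own material), here is what the "firewall on the gateway, in front of the whole LAN" from the thread looks like when written down for an IPv6 router running nftables: forwarding into the LAN is denied by default, replies to connections that LAN machines opened are allowed back in, and the one server you do run gets an explicit hole, which is the IPv6 analogue of the port-forward the post mentions. The interface names, the 2001:db8:1::/64 documentation prefix, the server address and the port numbers are assumptions; change them for your network. The script only defines functions, so sourcing it changes nothing until you call `apply_ruleset` as root.

```shell
#!/bin/sh
# Added example: minimal stateful IPv6 firewall for a home gateway with nftables.
# Not from the mailing-list post. Interface names, prefix, server address and
# ports below are assumptions for illustration.

WAN="${WAN:-eth0}"                                  # assumed upstream interface
LAN="${LAN:-eth1}"                                  # assumed LAN interface
LAN_PREFIX="${LAN_PREFIX:-2001:db8:1::/64}"         # documentation prefix, assumed
SERVER="${SERVER:-2001:db8:1::10}"                  # the one host that runs a service
SERVER_PORT="${SERVER_PORT:-22}"                    # the one port that is opened for it

# Print the ruleset so it can be reviewed (or checked with `nft -c`) before use.
ruleset() {
cat <<EOF
add table inet home_fw
flush table inet home_fw
table inet home_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Only replies to connections a LAN machine opened come back in. This,
        # not NAT, is what keeps an "internet-aware HDTV" unreachable from outside.
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 a working IPv6 path depends on (path MTU discovery etc.).
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept

        # Anything the LAN initiates may go out (source must be our own prefix).
        iifname "$LAN" oifname "$WAN" ip6 saddr $LAN_PREFIX accept

        # The IPv6 analogue of a port-forward: one host, one port, explicitly.
        iifname "$WAN" oifname "$LAN" ip6 daddr $SERVER tcp dport $SERVER_PORT ct state new accept

        # Everything else from outside hits the drop policy; log a sample of it.
        iifname "$WAN" limit rate 5/minute log prefix "ip6-fw-drop: "
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Neighbour discovery and router solicitations keep the links working.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept

        # Router administration (ssh, web UI; assumed ports) from the LAN side only.
        iifname "$LAN" tcp dport { 22, 443 } accept
    }
}
EOF
}

# Syntax-check the ruleset without loading it (needs nft installed, not root).
check_ruleset() {
    ruleset | nft -c -f -
}

# Load the ruleset into the kernel; run as root on the gateway.
apply_ruleset() {
    ruleset | nft -f -
}

# True if the generated ruleset contains the given rule text (used for sanity checks).
ruleset_has() {
    ruleset | grep -qF -- "$1"
}
```

Note that the rule allowing the server is the only line an outsider can ever use to reach a LAN host unsolicited; everything else from the WAN side is either a reply to something a LAN machine started or is dropped. If you open more services, add one explicit line per host and port rather than loosening the policy.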

More information about the users mailing list