The question above for the most part, been reading up on it. Also want to it for learning purposes.

  • fedev@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    6
    ·
    1 year ago

    Because devices in your LAN will all be accessible from the internet with IPv6, you need to firewall every device.

    It becomes more of a problem for IoT devices which you can’t really control. If you can, disable ipv6 for those.

    • orangeboats@lemmy.world
      link
      fedilink
      English
      arrow-up
      6
      arrow-down
      1
      ·
      edit-2
      1 year ago

      It’s not necessary to firewall every device. Just like how your router can handle NAT, it should be able to handle stateful firewall too.

      Mine blocks all incoming connections by default. I can add (IP, port range) entries to the whitelist if I need to host a service, it’s not really different to NAT port forwarding rules.

      • Reliant1087@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        So even though the device has a public address, the route is through the firewall, hence the ability to filter traffic?

        • Unaware7013@kbin.social
          link
          fedilink
          arrow-up
          2
          ·
          1 year ago

          Yes, the firewall is still your transition point from your internal network to your ISP network. Just like with ipv4, you should be configuring your ipv6 firewall to only allow designated traffic into your network from the internet.

        • orangeboats@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          1 year ago

          Right. Packets still have to go through your router, assuming that your router has firewall turned on, it goes like this:

          1. Your router receives a packet.

          2. It checks whether the packet is “expected” (a “related” packet) - by using connection tracking.

            For example, if ComputerA had sent something to ServerX before, and now the packet received by router says “from ServerX to ComputerA”, then the packet is let through - surely, this packet is just a reply to ComputerA’s previous requests.

          3. If step 2 fails - we know this is a new incoming packet. Possibly it comes from an attacker, which we don’t want. And so the router checks whether there is a rule that allows such a packet to go through (the assumption is that since you are explicitly allowing it, you know how to secure yourself.)

            If I have setup a firewall rule that says “allow packets if their destination is ComputerB, TCP port 25565”, and the received packet matches this description, the router lets it through.

          4. Finally, the packets that the router accepts from the previous steps are forwarded to the relevant LAN hosts.

          • Reliant1087@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            I understand this part :) I use a fairly complex firewall at work though I only know bits and pieces from reading different manuals. I think the part I didn’t understand was how exactly the routing worked differently in IPv4 vs v6. I get that because NAT happens in IPv4, packets can’t be routed at all without the firewall/router but I wasn’t sure what was the mechanism by which v6 made sure that packets went through the router, especially when you have stuff like v6 DHCP relays.

            • orangeboats@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              ·
              1 year ago

              Ah, I misunderstood your original comment, oops! But yes, IPv6 packets are routed just like IPv4 ones, just without the NAT’ing process i.e. the packet remains untouched the entire trip.

        • amki@feddit.de
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Nothing has changed about why that is compelling: NAT sucks and creates nothing but problems.

          Network security is almost the same with IPv6.

          If you rely on NAT as a security measure you are just very bad at networking.

          • 𝕽𝖚𝖆𝖎𝖉𝖍𝖗𝖎𝖌𝖍@midwest.social
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            2
            ·
            1 year ago

            I mean that, when IPv6 started filtering out to non-specialists, network security wasn’t nearly as complex, and nor was the frequency of escalation what it is today. Back when IPv6 was new(ish), there weren’t widespread botnets exploiting newly discovered vulnerabilities every week. The idea of maintaining a personal network of internet-accessible devices was reasonable. Now maintaining the security of a dozen different devices with different OSes is a full time job.

            Firewalling off subnets and limitting the access to apps through a secured gateway of reverse proxies is bot bad networking. That’s all a NAT is, and reducing your attack surface is good strategy.

      • orangeboats@lemmy.world
        link
        fedilink
        English
        arrow-up
        7
        ·
        1 year ago

        Port forwarding is exclusively a NAT phenomenon.

        In IPv6 every device should in theory have a public address - just like how every computer had a public IPv4 address back in the 1980s ~ 1990s.

        However, most sensible routers will have a firewall setup by default that blocks all incoming connections for security reasons. You still need to add firewall rules.

        • fedev@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          This is correct. My router however doesn’t have that level of firewall. It’s either all allowed or nothing is.

        • MeanEYE@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          There’s no “should in theory”. It’s only a possibility due to sheer number of possible combinations. No one was ever going to make every device public. It makes absolutely no sense. Why would your company’s printer be online or isolated networks or VPNs? There’s no point.

          • orangeboats@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            IP addressing is just a way to give a globally unique number to each device. It’s just a number.

            And there wasn’t a real public/private distinction when the Internet was still in its infancy. Printers were indeed given “public” addresses because people needed a number for it.

            If you don’t want your printer to be reachable by the public Internet, use a firewall to block outside connections. If you can use NAT, you certainly can use a firewall. Heck, they are almost the same thing if you have been using the Linux kernel (iptables/nftables handle firewalling and masquerading with the same tool!)

            Routability is not the same as reachability. With NAT transversal you can reach my “private” hosts all the same, although you can’t route to me because I don’t have a public address.

    • MeanEYE@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 year ago

      Haha, no not really. IPv6 has the ability to provide public IP address for each device, but that doesn’t mean it will have to. Other than number of possible addresses, nothing is different. Routing, firewalls, NATs, etc. All remains the same.

      • 30021190@lemmy.cloud.aboutcher.co.uk
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        1
        ·
        1 year ago

        IPv6 doesn’t support NAT… Or am I woefully out of date.

        But your home router will just firewall like it does already but you don’t have NAT as a simple fall back for “security”. It does make running internal services much easier as you no long need to port forward. So you can run two webservers on port 80 and they be bother allowed inbound without doing horrible load balance or NAT translation.

        • NocturnalEngineer@lemmy.world
          link
          fedilink
          English
          arrow-up
          4
          ·
          1 year ago

          IPv6 has NPTv6, which allows you to translate from one prefix into another.

          Useful if you’ve got dual WAN, and can’t advertise your own addressing via the ISP. You can use NPTv6 to translate between your local prefix and the public prefixes. But NPTv6 is completely stateless. It’s literally a 1:1 mapping between the prefixes.

          • orangeboats@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            edit-2
            1 year ago

            IPv6 has both NAT66 and NPTv6. (Note that NPTv6 was called NAT66 too, but I am referring to the “stateful” NAT66-with-port-mapping here. Yeah, it’s confusing.) NAT66 is more like the traditional stateful NAT that all of us know and understand.

        • fedev@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          The router does have a firewall but it blocks everything inbound by default. Some routers (at least mine) do not offer the granularity to filter traffic for certain devices (no NAT either). It’s either allow all in or nothing.

          When you enable IPv6 and switch off the firewall (since you can’t host anything otherwise), every device becomes exposed to the internet.

          Then unless the devices have a firewall themselves, all is exposed. Not just the web services, ssh and the rest as well.

          • fedev@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            There was a way around it however but not something everyone will be able to do with their home router. I had to ssh to the router using ISP admin credentials leaked on the internet, then create a file in init.d that loads a custom iptables file with the firewall rules I needed for IPv6. NAT for IPv6 however was not supported by the kennel used for my router.