The question above for the most part, been reading up on it. Also want to it for learning purposes.

  • orangeboats@lemmy.world
    link
    fedilink
    English
    arrow-up
    6
    arrow-down
    1
    ·
    edit-2
    1 year ago

    It’s not necessary to firewall every device. Just like how your router can handle NAT, it should be able to handle stateful firewall too.

    Mine blocks all incoming connections by default. I can add (IP, port range) entries to the whitelist if I need to host a service, it’s not really different to NAT port forwarding rules.

    • Reliant1087@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      So even though the device has a public address, the route is through the firewall, hence the ability to filter traffic?

      • Unaware7013@kbin.social
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        Yes, the firewall is still your transition point from your internal network to your ISP network. Just like with ipv4, you should be configuring your ipv6 firewall to only allow designated traffic into your network from the internet.

      • orangeboats@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        1 year ago

        Right. Packets still have to go through your router, assuming that your router has firewall turned on, it goes like this:

        1. Your router receives a packet.

        2. It checks whether the packet is “expected” (a “related” packet) - by using connection tracking.

          For example, if ComputerA had sent something to ServerX before, and now the packet received by router says “from ServerX to ComputerA”, then the packet is let through - surely, this packet is just a reply to ComputerA’s previous requests.

        3. If step 2 fails - we know this is a new incoming packet. Possibly it comes from an attacker, which we don’t want. And so the router checks whether there is a rule that allows such a packet to go through (the assumption is that since you are explicitly allowing it, you know how to secure yourself.)

          If I have setup a firewall rule that says “allow packets if their destination is ComputerB, TCP port 25565”, and the received packet matches this description, the router lets it through.

        4. Finally, the packets that the router accepts from the previous steps are forwarded to the relevant LAN hosts.

        • Reliant1087@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          I understand this part :) I use a fairly complex firewall at work though I only know bits and pieces from reading different manuals. I think the part I didn’t understand was how exactly the routing worked differently in IPv4 vs v6. I get that because NAT happens in IPv4, packets can’t be routed at all without the firewall/router but I wasn’t sure what was the mechanism by which v6 made sure that packets went through the router, especially when you have stuff like v6 DHCP relays.

          • orangeboats@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            Ah, I misunderstood your original comment, oops! But yes, IPv6 packets are routed just like IPv4 ones, just without the NAT’ing process i.e. the packet remains untouched the entire trip.

      • amki@feddit.de
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Nothing has changed about why that is compelling: NAT sucks and creates nothing but problems.

        Network security is almost the same with IPv6.

        If you rely on NAT as a security measure you are just very bad at networking.

        • 𝕽𝖚𝖆𝖎𝖉𝖍𝖗𝖎𝖌𝖍@midwest.social
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          2
          ·
          1 year ago

          I mean that, when IPv6 started filtering out to non-specialists, network security wasn’t nearly as complex, and nor was the frequency of escalation what it is today. Back when IPv6 was new(ish), there weren’t widespread botnets exploiting newly discovered vulnerabilities every week. The idea of maintaining a personal network of internet-accessible devices was reasonable. Now maintaining the security of a dozen different devices with different OSes is a full time job.

          Firewalling off subnets and limitting the access to apps through a secured gateway of reverse proxies is bot bad networking. That’s all a NAT is, and reducing your attack surface is good strategy.