The question above for the most part, been reading up on it. Also want to it for learning purposes.

@fedev@lemmy.world
link
fedilink
English
01Y

Because devices in your LAN will all be accessible from the internet with IPv6, you need to firewall every device.

It becomes more of a problem for IoT devices which you can’t really control. If you can, disable ipv6 for those.

@orangeboats@lemmy.world
link
fedilink
English
2
edit-2
1Y

It’s not necessary to firewall every device. Just like how your router can handle NAT, it should be able to handle stateful firewall too.

Mine blocks all incoming connections by default. I can add (IP, port range) entries to the whitelist if I need to host a service, it’s not really different to NAT port forwarding rules.

So even though the device has a public address, the route is through the firewall, hence the ability to filter traffic?

@orangeboats@lemmy.world
link
fedilink
English
2
edit-2
1Y

Right. Packets still have to go through your router, assuming that your router has firewall turned on, it goes like this:

  1. Your router receives a packet.

  2. It checks whether the packet is “expected” (a “related” packet) - by using connection tracking.

    For example, if ComputerA had sent something to ServerX before, and now the packet received by router says “from ServerX to ComputerA”, then the packet is let through - surely, this packet is just a reply to ComputerA’s previous requests.

  3. If step 2 fails - we know this is a new incoming packet. Possibly it comes from an attacker, which we don’t want. And so the router checks whether there is a rule that allows such a packet to go through (the assumption is that since you are explicitly allowing it, you know how to secure yourself.)

    If I have setup a firewall rule that says “allow packets if their destination is ComputerB, TCP port 25565”, and the received packet matches this description, the router lets it through.

  4. Finally, the packets that the router accepts from the previous steps are forwarded to the relevant LAN hosts.

I understand this part :) I use a fairly complex firewall at work though I only know bits and pieces from reading different manuals. I think the part I didn’t understand was how exactly the routing worked differently in IPv4 vs v6. I get that because NAT happens in IPv4, packets can’t be routed at all without the firewall/router but I wasn’t sure what was the mechanism by which v6 made sure that packets went through the router, especially when you have stuff like v6 DHCP relays.

Ah, I misunderstood your original comment, oops! But yes, IPv6 packets are routed just like IPv4 ones, just without the NAT’ing process i.e. the packet remains untouched the entire trip.

Unaware7013
link
fedilink
21Y

Yes, the firewall is still your transition point from your internal network to your ISP network. Just like with ipv4, you should be configuring your ipv6 firewall to only allow designated traffic into your network from the internet.

MeanEYE
link
fedilink
English
31Y

Haha, no not really. IPv6 has the ability to provide public IP address for each device, but that doesn’t mean it will have to. Other than number of possible addresses, nothing is different. Routing, firewalls, NATs, etc. All remains the same.

@paperbenni@lemmy.world
link
fedilink
English
31Y

Wait, ipv6 doesn’t require port forwarding to expose something to the internet?

Port forwarding is exclusively a NAT phenomenon.

In IPv6 every device should in theory have a public address - just like how every computer had a public IPv4 address back in the 1980s ~ 1990s.

However, most sensible routers will have a firewall setup by default that blocks all incoming connections for security reasons. You still need to add firewall rules.

MeanEYE
link
fedilink
English
11Y

There’s no “should in theory”. It’s only a possibility due to sheer number of possible combinations. No one was ever going to make every device public. It makes absolutely no sense. Why would your company’s printer be online or isolated networks or VPNs? There’s no point.

IP addressing is just a way to give a globally unique number to each device. It’s just a number.

And there wasn’t a real public/private distinction when the Internet was still in its infancy. Printers were indeed given “public” addresses because people needed a number for it.

If you don’t want your printer to be reachable by the public Internet, use a firewall to block outside connections. If you can use NAT, you certainly can use a firewall. Heck, they are almost the same thing if you have been using the Linux kernel (iptables/nftables handle firewalling and masquerading with the same tool!)

Routability is not the same as reachability. With NAT transversal you can reach my “private” hosts all the same, although you can’t route to me because I don’t have a public address.

@fedev@lemmy.world
link
fedilink
English
21Y

This is correct. My router however doesn’t have that level of firewall. It’s either all allowed or nothing is.

Create a post

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.

Rules:

  1. Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

  • 1 user online
  • 76 users / day
  • 109 users / week
  • 241 users / month
  • 850 users / 6 months
  • 1 subscriber
  • 1.53K Posts
  • 8.72K Comments
  • Modlog