Not the person you were replying too, but I was there when we had modems and raw-dogged the internet.
The average person clicks “Yes” on everything without reading it, has no idea what a firewall is, and they never update anything unless it does it without asking.
Having things accessible from outside your network is great if you’re a network nerd and that’s what you want, but most people are going to be in a world of unprotected shit. Especially in a world of pointlessly online devices. I don’t trust any of those fuckers to have their shit in order.
I would assume/hope the default setting for a consumer router would still be to drop incoming connections. That should suffice for the average person as long as ISPs don’t make it easy to disable that without actually understanding what the consequences are.
I would also assume that to be the default, but unfortunately the first Google search for “why doesn’t my smart fridge work from my phone when I leave the house” will be a set of instructions for turning that feature off.
NATs and port forwarding is annoying, but it’s also very manual, and only lets you fuck up one device at a time.
Then the instructions are bad. They should be how to open the firewall port for that device, which is almost the same as setting a NAT port forward, with the same limitation of only exposing one device.
If anything it makes me want routers to not even allow a blanket whitelist for all devices…
I would be fine with this. Make it as annoying as possible so people don’t blindly follow a guide to disable the firewall.
Remove firewall disable option, and only allow it to happen by DMZ or bridging to another router that would have it.
Require calling in to an ISP help desk, where they ask why you want to do that, and explain in no uncertain terms that you’re probably going to open a portal to hell or summon cthulhu. If you still want to, you have to read them out the device serial number, read out a unique code in the router admin interface, and wait a week for the option to become available.
Honestly the more I think about it the more I realize I’m wrong. I was thinking someone could enable a server on their client device without realizing it but the firewall on the router would still need to be modified in that situation, and anything not requiring firewall modifications would be just as much of a security hole on IPv4
Yeah it’s a common trip up. We’re all so used to the way that things are done in IPv4 that our natural response is to try and apply IPv4 logic to IPv6, but you’re absolutely right.
Many people think NAT is a security feature but but that’s only a coincidence and it doesn’t do anything a firewall doesn’t already do. And if we take it one step further we can actually see that a firewall and IPv6 is actually more secure than NAT. The only inherent risk of port warding in NAT is that the IP you’re forwarding to is ultimately arbitrary. Think, have a port open to SMB for a publicly accessible file sharing container, then later ditching it and via DCHP your laptop picks up that old IP and now voila you’ve technically exposed your laptop. It’s not quite that simple but that’s the essence of it.
But with IPv6, IPs are no longer arbitrary. When you allow access in certain ports to a certain machine and that machine goes away, that rule will always only allow access to nowhere.
Why would you think it wouldn’t work for the average Jane and Joe?
Not the person you were replying too, but I was there when we had modems and raw-dogged the internet.
The average person clicks “Yes” on everything without reading it, has no idea what a firewall is, and they never update anything unless it does it without asking.
Having things accessible from outside your network is great if you’re a network nerd and that’s what you want, but most people are going to be in a world of unprotected shit. Especially in a world of pointlessly online devices. I don’t trust any of those fuckers to have their shit in order.
I would assume/hope the default setting for a consumer router would still be to drop incoming connections. That should suffice for the average person as long as ISPs don’t make it easy to disable that without actually understanding what the consequences are.
I would also assume that to be the default, but unfortunately the first Google search for “why doesn’t my smart fridge work from my phone when I leave the house” will be a set of instructions for turning that feature off.
NATs and port forwarding is annoying, but it’s also very manual, and only lets you fuck up one device at a time.
Then the instructions are bad. They should be how to open the firewall port for that device, which is almost the same as setting a NAT port forward, with the same limitation of only exposing one device.
Yeah, but that’s going to involve knowing what the device is called on the router, or knowing what the address is.
I’m afraid the great age of computer literacy has come and gone.
If anything it makes me want routers to not even allow a blanket whitelist for all devices…
I would be fine with this. Make it as annoying as possible so people don’t blindly follow a guide to disable the firewall.
Remove firewall disable option, and only allow it to happen by DMZ or bridging to another router that would have it.
Require calling in to an ISP help desk, where they ask why you want to do that, and explain in no uncertain terms that you’re probably going to open a portal to hell or summon cthulhu. If you still want to, you have to read them out the device serial number, read out a unique code in the router admin interface, and wait a week for the option to become available.
Honestly the more I think about it the more I realize I’m wrong. I was thinking someone could enable a server on their client device without realizing it but the firewall on the router would still need to be modified in that situation, and anything not requiring firewall modifications would be just as much of a security hole on IPv4
Yeah it’s a common trip up. We’re all so used to the way that things are done in IPv4 that our natural response is to try and apply IPv4 logic to IPv6, but you’re absolutely right.
Many people think NAT is a security feature but but that’s only a coincidence and it doesn’t do anything a firewall doesn’t already do. And if we take it one step further we can actually see that a firewall and IPv6 is actually more secure than NAT. The only inherent risk of port warding in NAT is that the IP you’re forwarding to is ultimately arbitrary. Think, have a port open to SMB for a publicly accessible file sharing container, then later ditching it and via DCHP your laptop picks up that old IP and now voila you’ve technically exposed your laptop. It’s not quite that simple but that’s the essence of it.
But with IPv6, IPs are no longer arbitrary. When you allow access in certain ports to a certain machine and that machine goes away, that rule will always only allow access to nowhere.