this post was submitted on 26 Feb 2024
62 points (93.1% liked)

Selfhosted

40183 readers
506 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Networking noob here. I want to prevent all incoming requests except through a specific port, and that traffic is forwarded to a specific device on the network. NAT seems to do that just fine, it's almost like a kind of firewall by itself. What kind of threats are there that requires more than just NAT for security?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 49 points 8 months ago* (last edited 8 months ago) (5 children)

NAT provides some measure of security as pure coincidence to how it works. It is not designed or intended to provide security. It does not inspect packet payloads in order to filter them for security. It looks at the header and attempts to route it to an internal IP address (your devices on your LAN) and if it cannot, it will drop the packet because the header will only have the external IP address -- the packet has no idea which device it is supposed to go to. Forwarding a port is telling the NAT to assume that when a packet hits a certain port, if it doesn't know the destination internal IP, forward it to some internal IP anyway.

The reason you can connect to websites, ssh outside, FTP, whatever, is because your connection comes from your internal IP first to some other IP and therefore, NAT knows which internal IP to route those packets to.

Take for example this scenario:

You download some software. It has malware that provides command and control (C2) to someone else outside of your network. A firewall and/or antivirus may be able to stop this and hopefully notify you. NAT will not help here. Furthermore, if you have uPNP enabled (usually it is by default on your router) the malware can forward any ports through your NAT to the compromised device opening it up to bot attacks and the like.

Another scenario:

You want to play a video game with you and your friends and you're going to host it. So either you manually forward those ports or perhaps uPNP just does it for you. That game has an exploit known by attackers, or perhaps it can just be DDoS'd. Your NAT isn't going to stop that. Hopefully a firewall will help you here. It definitely will if you set up explicit rules so that if they aren't your friend's IPs it will drop them. Though it is possible the game is exploitable and your friend's are compromised.

Take for example malware has been known to spread via Minecraft.

[–] [email protected] 1 points 8 months ago (3 children)

IPv6 usually have unique IP addresses (non-local) for every device in the network. does that mean it will malicious actors can target a device specifically inside a network?

[–] [email protected] 3 points 8 months ago* (last edited 8 months ago)

Depends on if there's an IPv6NAT and how your ISP converts between IPv4 and IPv6 or actually supports IPv6 straight through. It also depends on your router.

Currently, there's still some debate since IPv6NAT (NAT66/NPT6/NATv6) isn't really needed for WAN boundaries for the reasons NAT exists. However, without it you are right on that this will be a problem for the consumer because PCs, IoT devices, printers, circuts or whatever my wife has, etc. could all be exploitable and even worse, you may never know you're contributing to the botnet.

As an example, I have a global IPv6 on a few on my devices. They can connect to IPv6 if it originates from me but if it originates from them or is UDP it doesn't route to my IPv6. My router doesn't care. It'll route it just fine either way. It would appear that my ISP has me behind one of the IPv6 NATs.

I'd imagine that's true for most people at home.

[–] [email protected] 2 points 8 months ago

The global IPv6 address is usually not directly reachable from the internet for incoming traffic. There's still the router with a firewall which blocks all incoming connections, so having an IP for each device doesn't make a difference for security.
With IPv6 ports still have to be forwarded on consumer routers by default, the main difference is that it doesn't have to be translated to a different IP.

This also means I can have multiple hosts on my home network listening on the same ports, because their public IP's are different.

[–] [email protected] 1 points 8 months ago

I haven't setup an IPv6 network yet, but it'd have to physically traverse the packet through your router to reach the connected device still. I imagine a router would still be able to use it's firewall to drop the packet before it gets sent to the endpoint device.

load more comments (1 replies)