this post was submitted on 12 Jun 2023
208 points (96.4% liked)

Lemmy.World Announcements

29166 readers
31 users here now

This Community is intended for posts about the Lemmy.world server by the admins.

Follow us for server news 🐘

Outages πŸ”₯

https://status.lemmy.world

For support with issues at Lemmy.world, go to the Lemmy.world Support community.

Support e-mail

Any support requests are best sent to [email protected] e-mail.

Report contact

Donations πŸ’—

If you would like to make a donation to support the cost of running this platform, please do so at the following donation URLs.

If you can, please use / switch to Ko-Fi, it has the lowest fees for us

Ko-Fi (Donate)

Bunq (Donate)

Open Collective backers and sponsors

Patreon

Join the team

founded 2 years ago
MODERATORS
 

I see that lemmy.ml is the only major instance currently reachable over IPv6. When will lemmy.world join the modern internet?

you are viewing a single comment's thread
view the rest of the comments
[–] taco_ballerina 11 points 2 years ago (2 children)

Slightly off topic, but perhaps you can point me in the right direction. I recently upgraded my home router/NAT firewall to one that runs pfSense and it now supports IPv6. I was slightly horrified to find that DHCP had assigned all my devices IPv6 addresses and that they were all publicly routable. Comments online seemed to indicate that in order to protect devices on my local network from being probed by external entities I'd have to create custom firewall rules. I know just enough to know I didn't want to do that as the likelihood of doing it wrong and compromising security far outweighed any benefit I'd see from IPv6. The only other option was to disable all IPv6 traffic at the firewall.

What am I missing here? Is it intended that regular home users have their printer, which the manufacturer hasn't seen fit to update since Bush Jr. was president, exposed to the entire Internet? Is it that the IPv6 space is so large that port scanning for vulnerable machines is like finding a needle in a haystack?

[–] Perhyte 11 points 2 years ago

Generally this isn't an issue for home users. Pretty much every home router defaults to denying incoming connections but allowing outgoing ones, for both IPv4 and IPv6.

In both cases you can of course configure the router to allow incoming connections on certain ports and (for IPv6) IP addresses (unless you're behind CGNAT), but it's almost never the default.

For IPv4 this happens to be a necessity of NAT: without additional configuration, the router simply doesn't know which device is being addressed because they all use the router's IPv4, so it can't forward it. For IPv6 this is a good and extremely common default firewall configuration, especially for routers intended for connecting private networks to the Internet.

The only real difference is that for outgoing IPv4 connections they typically all come from the same IPv4 (as seen from outside the local network) while for outgoing IPv6 you can potentially distinguish^1^ between different devices.

^1^: Not reliably, mind you: a device can have multiple IPv6 addresses, and many default to changing the one they use for outgoing connections every so often. Theoretically they could even re-use one that was previously used by another device, but that's vanishingly unlikely unless specifically configured to do so.

[–] Redex68 1 points 2 years ago* (last edited 2 years ago) (1 children)

~~In general, you should probably turn on your router's NAT even for IPv6. What you mentioned is a security concern, and while yes, the IPv6 address space is enormous and finding a valid address is hard, if somebody already knows your IPv6 address it's a lot easier. For a home user there isn't really a reason for your ports to be accessible from the outside, and if you need such a thing, you can easily port forward specific ports~~.

edit: To add to that, turning on your router's NAT isn't a problem, you can always port forward, the problem with IPv4 is that you're behind two NATs, your router's and your ISP's. Because of this, you can't actually open up any port to be publicly visible on the Internet, which is extremely frustrating.

edit edit: Reply to my comment pointed out that what I suggest is retarded.

[–] [email protected] 12 points 2 years ago (2 children)

In general, you should probably turn on your router’s NAT even for IPv6.

No, you should not! NAT is not needed with IPv6 and you should never use it unless you really know what you are doing.

NAT is not a security feature, firewalls are, the default firewall rules from consumer routers are generally enough (allow outgoing, deny incoming except if it's an existing connection). And if you're concerned about others tracking hosts inside your network, the default settings of Privacy Extensions makes your device assign itself different IPs for outgoing connections every so often.

[–] Redex68 1 points 2 years ago

Thanks for pointing out. By NAT there I meant symmetric NAT which by my understanding would fix that problem as well.

But you're right, NAT wouldn't make sense, you could just add some rules to the firewall.