
Re: Networking book recommendation




On 4/5/22 12:57 pm, tomas@tuxteam.de wrote:
> On Wed, May 04, 2022 at 04:27:52AM +0800, Jeremy Ardley wrote:
>
> [...]
>
>> [...] NAT in itself
>> provides quite good security because internal hosts can't be scanned by
>> attackers.
>
> Uh, oh. I think general opinion these days disagrees with this
> statement strongly (see e.g. [1], but this has been rough
> consensus since at least the 2000s).

Your consensus is 20 years old. Times move.

Natural evolution has developed standard features in routers that out of the box are 'good enough' for SOHO implementations.

That is, when you plug it in and connect it to your home LAN, you can reasonably expect your LAN won't be compromised in 5 minutes, or even in 5 years of persistent attacks.

The only problem is when the enthusiastic owner starts opening ports to allow internal mail or web, or even just to run some games. This problem will also occur when you have the latest fancy dandy firewall. It is users who are insecure, not NAT or routers as such.

More interesting is IPv6, which many ISPs now offer. Modern routers know about prefix delegation and all your Windows hosts will automatically pick up IPv6 addresses. These are 'raw' on the internet, no NAT involved. It will depend on your router firewall how well protected you are.

In the IPv6 case, modern Windows machines all have inbuilt firewalls that work reasonably well. Linux systems are variable in firewall configuration and may not be as well protected.

I run my own Armbian dual-homed router that does the IPv6 stuff, and I have a reasonable set of ip6tables rules to allow specific hosts to provide IPv6 services on well-known addresses (i.e. in DNS) but at the same time protect most other hosts from any unsolicited IPv6 traffic.

If I was still in the 90s I'd set up a DMZ, blah blah. Now I just expose services on the router using HAProxy for IPv4 stuff and specific rules for IPv6. I also run a postfix instance on the router for IPv4 connectivity.


Jeremy
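
The ip6tables setup Jeremy describes (a dual-homed router that lets a few hosts publish IPv6 services on well-known addresses while shielding everyone else from unsolicited traffic), written out as an added example; this is not his ruleset or code from the thread. The interface names, the 2001:db8::/32 addresses and the `addr/proto/port` allow-list format are assumptions, and the ICMPv6 error-message rules follow the common RFC 4890 advice that path MTU discovery breaks if packet-too-big is filtered.

```shell
#!/bin/sh
# Emit an ip6tables-restore ruleset for a dual-homed IPv6 router (constructed example):
# default-deny on FORWARD, LAN may go out, only listed host/proto/port triples come in
# from the WAN, ICMPv6 errors stay reachable. Interfaces and 2001:db8::/32 addresses
# are placeholders, not a real network.
gen_ip6_forward_rules() {
    wan="$1"; lan="$2"; allow="$3"   # allow: "addr/proto/port addr/proto/port ..."
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Replies to connections the LAN opened itself (and ICMPv6 errors related to them)
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Outbound from the LAN is unrestricted
    printf '%s\n' "-A FORWARD -i $lan -o $wan -j ACCEPT"
    # ICMPv6 error types the internet must be able to deliver to internal hosts;
    # dropping packet-too-big silently breaks large transfers over IPv6
    for t in destination-unreachable packet-too-big time-exceeded parameter-problem; do
        printf '%s\n' "-A FORWARD -i $wan -o $lan -p icmpv6 --icmpv6-type $t -j ACCEPT"
    done
    # Pings are allowed but rate-limited so a sweep cannot cheaply map the LAN
    printf '%s\n' "-A FORWARD -i $wan -o $lan -p icmpv6 --icmpv6-type echo-request -m limit --limit 10/second -j ACCEPT"
    # Published services: one rule per host/proto/port triple, new connections only
    for entry in $allow; do
        addr=${entry%%/*}; rest=${entry#*/}
        proto=${rest%%/*}; port=${rest#*/}
        printf '%s\n' "-A FORWARD -i $wan -o $lan -d $addr -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything else unsolicited from the WAN is logged (sampled) and dropped by the chain policy
    printf '%s\n' "-A FORWARD -i $wan -o $lan -m limit --limit 5/minute -j LOG --log-prefix \"ip6-fwd-drop: \""
    printf '%s\n' 'COMMIT'
}

# Number of service-allow rules in a generated ruleset: a quick check that the
# allow-list was parsed into exactly as many openings as you intended.
count_service_rules() { printf '%s\n' "$1" | grep -c -- '--ctstate NEW -j ACCEPT' || :; }

# Sample run. Review the output, then load it atomically with:
#   gen_ip6_forward_rules eth0 eth1 "2001:db8:1::25/tcp/25 2001:db8:1::80/tcp/443" | ip6tables-restore
gen_ip6_forward_rules eth0 eth1 "2001:db8:1::25/tcp/25 2001:db8:1::80/tcp/443"
```

Unlike Jeremy's IPv4 side, nothing here proxies anything: the service hosts are reachable on their own global addresses, which is exactly why the FORWARD chain, not NAT, is what protects the rest of the LAN.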


