
Comment by tadfisher

10 hours ago

> If each of my devices gets an Internet routable IPv6 address, at that point, that security-as-a-side-effect is not guaranteed unless my router has a default-deny firewall. I would hope that any routers would ship with that.

They usually do, and they also ship with the most wonderful technology ever specified within a 67 MB compressed archive [0]: UPnP! Now your attacker's job is to convince you to initiate an outgoing connection, which automatically forwards an incoming port to your device behind the NAT, bypassing the router's default-deny firewall! Nothing has ever gone wrong with a zero-configuration port-forwarding protocol from the 1990s rammed through the ISO!

[0]: https://openconnectivity.org/developer/specifications/upnp-r...

That's an entirely different attack scenario. To succeed at that attack, my computer would already need to be running malware. At that point, they've already won.

  • Or you visit a webpage that makes a request to an arbitrary server on an arbitrary port while not running a default-deny application firewall

    • I don't believe that opens a port to accept an incoming connection.

      Even if it did, a web page making a request can't control the source port for the connection. They still couldn't make a local network service exposed to the Internet.

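As an added defender-side example (not from any commenter in this thread): a small Python audit that lists the port mappings an IGD router currently holds, walking GetGenericPortMappingEntry until the end-of-list fault (UPnP error 713), and flags the mappings open to any remote host. The control URL is assumed and would normally be read from the router's device description found via SSDP; the sample responses below are constructed, not captured from a real device.

```python
import itertools
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription", "NewLeaseDuration")

def build_request(index):
    """SOAP body asking the IGD for the mapping stored at position `index`."""
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            f'<s:Body><u:{ACTION} xmlns:u="{SERVICE}"><NewPortMappingIndex>{index}'
            f'</NewPortMappingIndex></u:{ACTION}></s:Body></s:Envelope>').encode()
def parse_response(body):
    """One mapping as a dict, or None on a SOAP fault (UPnP error 713 means end of list)."""
    elems = {e.tag.rsplit("}", 1)[-1]: (e.text or "").strip() for e in ET.fromstring(body).iter()}
    return None if "Fault" in elems else {f: elems.get(f, "") for f in FIELDS}
def send_soap(control_url, body):
    """POST to the router's control URL (assumed); faults arrive as HTTP 500, so keep their body."""
    req = urllib.request.Request(control_url, data=body, headers={
        "Content-Type": 'text/xml; charset="utf-8"', "SOAPAction": f'"{SERVICE}#{ACTION}"'})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        return err.read()
def list_mappings(control_url, send=send_soap, limit=256):
    """Walk indices from 0 until the IGD faults; returns every mapping it holds."""
    entries = (parse_response(send(control_url, build_request(i))) for i in range(limit))
    return list(itertools.takewhile(lambda e: e is not None, entries))
def exposed_to_internet(mapping):
    """True when an enabled mapping accepts connections from any remote host."""
    return mapping["NewEnabled"] == "1" and mapping["NewRemoteHost"] == ""

# Constructed sample responses standing in for a real router (not captured traffic).
SAMPLE_ENTRY = (b'<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    b'<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    b'<NewRemoteHost></NewRemoteHost><NewExternalPort>6881</NewExternalPort><NewProtocol>TCP</NewProtocol>'
    b'<NewInternalPort>6881</NewInternalPort><NewInternalClient>192.168.1.23</NewInternalClient><NewEnabled>1</NewEnabled>'
    b'<NewPortMappingDescription>torrent</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration>'
    b'</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')
SAMPLE_FAULT = (b'<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault>'
    b'<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring><detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0">'
    b'<errorCode>713</errorCode><errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError></detail></s:Fault></s:Body></s:Envelope>')
def fake_send(_url, body):
    """Offline stand-in for send_soap: one mapping at index 0, then the end-of-list fault."""
    return SAMPLE_ENTRY if b"<NewPortMappingIndex>0<" in body else SAMPLE_FAULT
```

Against a real router, call `list_mappings(control_url)` with the default sender and review anything `exposed_to_internet` returns True for; an empty list means the IGD currently holds no forwardings.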