Comment by fsh

19 days ago

If your router had only NAT and someone (i.e. your ISP) sends it a packet addressed to somewhere inside your internal IP range, it will happily forward it. A firewall would block it.

Who exactly is going to route/send an RFC1918 address to an Internet gateway?

Are you implying your ISP itself is going to do this? Because the Internet at-large doesn't have routes for your internal address space.

If there is more than one machine behind the NAT, which one would it forward it to? This hypothetical simple NAT without a firewall AFAICT doesn't exist in reality, even if it exists in specs. I don't see how it actually could.

Find me a consumer IPv4 router sold in the last ~10 years that does that by default.

Security comparisons should be between proposed new tech vs. existing tech, not vs. hypothetical straw-man tech.

  • Find me a consumer IPv6 router sold in the last ~10 years without a restrictive firewall enabled by default. I have never seen one.

    • Ugh, this is part of the reason why I left them, but https://free.fr still does this AFAIR. They were deploying IPv6 to all their consumers well before the other ISPs (more than 15 years ago), but they have stagnated since.

      IPv6 firewall disabled by default. There is only one config for the firewall: on / off. Accept all inbound or reject all inbound.

      To think that they used to brand themselves as "for the geeks", with reverse DNS customization, built-in user-configurable servers on the router (all of their routers offer a Wireguard VPN, torrent client, audio output with DLNA & others), an m3u for IPTV, etc. I wouldn't advise anyone to use them due to this issue.

      This ticket said they would reopen an internal ticket, back in 2022: https://dev.freebox.fr/bugs/task/27613

      Their basic firewall dates back to 2019: https://dev.freebox.fr/bugs/task/27268 (a lot of spam in the replies there). There was none before, and it is still off by default.

      This is no small ISP either, they have more than 50 million clients (including mobile), and are in the top 10 ISPs in Europe. Baffling.

    • Mine lol. My ISP sent a Nokia Beacon 3.1. When I first logged into its web GUI, it had a "Security" tab with these dropdowns.

      Security level

      High: Traffic denied inbound and minimally permit common service outbound.

      Low: All outbound traffic and pinhole-defined inbound traffic is allowed.

      Off: All inbound and outbound traffic is allowed.

      It was actually set to "Off" interestingly enough.

      1 reply →

  • A consumer IPv4 router has both a firewall and NAT enabled by default, and such a packet is blocked by its firewall functionality.

Okay, I'm running tcpdump on my desktop. Send me some packets to 192.168.1.127 and I'll watch out for them.
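The disagreement above (does a "NAT-only" box forward a WAN packet addressed to an internal RFC 1918 host, and what does a firewall's High / Low / Off setting actually change) is easier to reason about with a small model. The following is an added example, not code from any commenter, from Free, or from Nokia. It models a consumer gateway as a dynamic NAT table plus a stateful filter with the three levels quoted from the Beacon's Security tab, and adds a BCP 38 style ingress filter that drops WAN packets whose source or destination is an RFC 1918 address. All IP addresses are constructed (the public side uses documentation ranges), and the set of ports that "High" permits outbound is an assumption, since the quoted text only says "minimally permit common service outbound".

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges: addresses that should never arrive on a WAN interface.
PRIVATE_V4 = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_V4)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class EdgeRouter:
    """Constructed model of a consumer gateway: a dynamic NAT table plus a
    stateful filter with the three security levels quoted in the thread."""

    # Assumption: what "minimally permit common service outbound" means.
    HIGH_OUTBOUND = {53, 80, 443}

    def __init__(self, public_ip, level="low", pinholes=None, bcp38=True):
        self.public_ip = public_ip
        self.level = level                    # "high", "low" or "off"
        self.pinholes = dict(pinholes or {})  # (proto, ext_port) -> (lan_ip, lan_port)
        self.bcp38 = bcp38                    # ingress filter on RFC 1918 src/dst
        self.nat = {}                         # (proto, ext_port) -> (lan_ip, lan_port)
        self.next_port = 40000

    def lan_to_wan(self, pkt: Packet) -> str:
        """Outbound packet: apply egress policy, then allocate a NAT mapping."""
        if self.level == "high" and pkt.dport not in self.HIGH_OUTBOUND:
            return "drop:outbound-policy"
        ext_port = self.next_port
        self.next_port += 1
        self.nat[(pkt.proto, ext_port)] = (pkt.src, pkt.sport)
        return f"accept:snat {self.public_ip}:{ext_port}"

    def wan_to_lan(self, pkt: Packet) -> str:
        """Inbound packet as it arrives on the WAN wire (before any DNAT)."""
        if self.bcp38 and (is_private(pkt.src) or is_private(pkt.dst)):
            return "drop:martian"
        if pkt.dst != self.public_ip:
            # Addressed straight at an internal host. A stateless forwarder
            # that holds a route for the LAN would just route it; only the
            # filter's default policy stops it.
            return "accept:forward" if self.level == "off" else "drop:policy"
        key = (pkt.proto, pkt.dport)
        if key in self.nat:
            lan_ip, lan_port = self.nat[key]
            return f"accept:established {lan_ip}:{lan_port}"
        if self.level != "high" and key in self.pinholes:
            lan_ip, lan_port = self.pinholes[key]
            return f"accept:pinhole {lan_ip}:{lan_port}"
        if self.level == "off":
            # No mapping exists, so there is no LAN host to hand it to; it
            # terminates on the router's own services instead.
            return "accept:local"
        return "drop:policy"


def demo() -> dict:
    """Run the cases argued about in the thread and return the decisions."""
    r = EdgeRouter("203.0.113.10", level="low",
                   pinholes={("tcp", 22): ("192.168.1.127", 22)})
    r.lan_to_wan(Packet("192.168.1.127", 51000, "198.51.100.7", 443))
    naive = EdgeRouter("203.0.113.10", level="off", bcp38=False)
    inside = Packet("198.51.100.7", 5555, "192.168.1.127", 22)
    return {
        "reply to our own flow": r.wan_to_lan(Packet("198.51.100.7", 443, "203.0.113.10", 40000)),
        "unsolicited to public ip": r.wan_to_lan(Packet("198.51.100.7", 443, "203.0.113.10", 40001)),
        "pinhole": r.wan_to_lan(Packet("198.51.100.7", 5555, "203.0.113.10", 22)),
        "addressed to 192.168.1.127, filter on": r.wan_to_lan(inside),
        "addressed to 192.168.1.127, NAT only": naive.wan_to_lan(inside),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:40s} {decision}")
```

The model makes the two sides of the argument concrete: the packet "sent to 192.168.1.127" is dropped by the martian check or by the default policy on any box with a filter, and is forwarded only by the `level="off", bcp38=False` configuration that stands in for a pure stateless NAT. It also shows why an unsolicited packet addressed to the public IP has nowhere to go behind the NAT: without a mapping or pinhole it can only terminate on the router itself, which is the point raised about "which one would it forward it to".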