zlacker

>>mouse_+(OP)
Back in the days of blaster, if you were connected to a network with infected machines or had a public IP address because you were connected straight into your cable modem, you would get infected in the windows installer before it finished installing. Nowadays, everything is behind NAT and there aren't any infected Windows XP machines left on your local network, so that's not a problem anymore.

>>jmgao+rb4
For some reason whenever somebody suggests that NAT might have security benefits, there is usually some hysterical screeching about how that isn't true. Often seen in IPv6 discussions.

>>lupusr+cd4
because it's unnecessary to get the same benefit. Being behind a firewall would have the same effect (and any ipv6 deployment will have this), it's just that NAT requires this. It's like saying eating a spoonfull of cinnamon has health benefits because it hydrates you when you have to drink a glass of water afterwards: you could just drink the water.

>>rcxdud+1f4
I don't quite understand what you mean by "any ipv6 deployment will have this". When my ISP switched to IPv6, my internal devices were exposed to the internet and the only thing that stopped the incredible amount of bot traffic was my own on-device firewall that I explicitly turned on and configured. Luckily I don't have any smarthome stuff, not sure how I'd configure a firewall on a lightbulb. These devices didn't have a public IPv4 before that. And a bonus - the ISP didn't say anything about this possible consequence, just "we're making some changes".

NAT has more benefits - I don't want anyone to know how many devices I have at home, I don't want anyone to know which one I'm using to access their website, I don't want anyone to try guess the OS and version of my devices, etc. And now I'm scared to have a simple DLNA media server because I can't just install WireGuard on the TV. I'm probably going to buy a router and make my own NAT soon (don't have access into the ISP modem).

I felt better when the whole municipality had a single IP address. A lot of bullshit ads - means the targeting wasn't working. Now they're way too good.

>>throwa+7i4
Well, that sounds like a colossal misconfiguration on the ISP's part. A firewall blocking incoming requests has been standard part of ISP routers for a long time.

>>rcxdud+Ll4
On the other hand... What exactly is the benefit of IPv6 then? I thought the point was to make all my devices addressable on the public internet. How is it useful if the ISP firewall blocks my servers?

And yes, incompetent ISPs are the norm.

>>throwa+6s4
Without bidirectional NAT, hole-punching works. Two sides of a p2p connection can coordinate with an intermediary to learn each other's addresses. They send each other a packet, which gets dropped by the other side. Their firewall sees the outgoing packet though, and opens the port. The next time they send each other packets, they will be allowed through. The intermediary is only needed to do the initial handshake instead of for all packets.

With NAT, it doesn't work because the ports get remapped, and the intermediary doesn't know how they will get remapped on the p2p connection, so they can't coordinate to send on the correct ports to open the firewall.

Or UPnP can work. By default, your router drops incoming packets on all ports. If you want to e.g. run a game server, then on startup, it hits a standard API to tell the router to forward that one port. On shutdown, it can tell it to close the port (you could potentially also have the router require keepalives to keep the forward alive. I'm not familiar with the details of UPnP and related protocols).

Without a public IP, you need intermediate servers to relay all traffic to you, which centralizes the web. With p2p working, you can e.g. have high quality video calls with friends/family instead of dealing with the garbage quality tech companies allow. Or I can share with my mom photos of her grandkids with effectively unlimited storage; for 2 years of 2 TB Google storage, I can buy 20 TB of disks.