
   comp.sys.raspberry-pi      Raspberry Pi computers & related hardwar      26,127 messages   


   Message 25,972 of 26,127   
   Richard Kettlewell to The Natural Philosopher   
   Re: RPi associating two IPs with its one   
   01 Jan 26 11:34:05   
   
   From: invalid@invalid.invalid   
      
   The Natural Philosopher  writes:   
   > On 31/12/2025 20:18, Richard Kettlewell wrote:   
   >> Pancho  writes:   
   >>> The Natural Philosopher wrote:   
   >>>> David Higton wrote:   
   >>>>> What I particularly like about IPv6 is that NAT/NAPT are simply not   
   >>>>> necessary   
   >>>> So making the implementation of a firewall absolutely mandatory   
   >>>>   
   >>>   
   >>> Linux IPv6 does appear to use random IPv6 address for outbound   
   >>> connections, which have a limited lifespan. This appears to be   
   >>> something like 1-7 days, but if very short lifespans were used it   
   >>> could offer a protection similar to NAT. I need to investigate a bit   
   >>> further, but I don't think IPv6 needs to be inherently less safe.   
   >>   
   >> NAT does not offer any protection. The reason that a typical domestic   
   >> NAT-equipped router protects you from inbound connections is that it   
   >> has a firewall as well.  (Getting a packet addressed to your internal   
   >> addresses to your external interface is inconvenient for many   
   >> attackers, for sure, but straightforward for your ISP or anyone who   
   >> can hack or coerce them.)   
   >   
   > How?   
   > Genuine question.   
      
   Same as routing any other packet. Make sure there’s an appropriate   
   routing table entry for the customer addresses on the ISP’s   
   customer-facing router (and whatever intermediate routers there are   
   between that and the attack source), then call socket/connect/write.   
      
   The question is then what the customer router does with it.   
      
   * If it follows the strong end system then the packet is discarded   
     before NAT even comes into the question.   
     Linux follows the weak end system model by default, so this   
     possibility doesn’t apply to a Linux-based router unless someone has   
     taken the trouble to change its behavior somehow.   
      
   * If there’s a basically competent firewall on the customer router then   
     the packet is discarded by that.   
      
   * If there’s a NAT then it gets to look at the packet, but it won’t   
     match any of the rules that enable translation, so it will not be   
     modified at this stage.   
      
   * All that’s now left is normal routing, so the packet passes on to its   
     destination on the customer network.   
      
   https://www.greenend.org.uk/rjk/tech/nat.html has a worked example.   
      
   --   
   https://www.greenend.org.uk/rjk/   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
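
The firewall, NAT and routing steps listed in the message above, as a small model. This is an added example, not part of the original post or of the linked page. It assumes a weak end system router, and the `Router` class, the addresses and the port numbers are all constructed for illustration.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # constructed customer LAN
WAN_IP = ip_address("203.0.113.7")   # constructed router WAN address

class Router:
    """Toy customer router: optional stateful firewall, NAPT, then routing."""

    def __init__(self, firewall):
        self.firewall = firewall
        # (remote_ip, remote_port, wan_port) -> (lan_ip, lan_port)
        self.conntrack = {}

    def outbound(self, src, sport, dst, dport):
        """A LAN host opens a connection; NAT records the mapping."""
        wan_port = 40000 + len(self.conntrack)
        self.conntrack[(ip_address(dst), dport, wan_port)] = (ip_address(src), sport)
        return wan_port

    def inbound(self, src, sport, dst, dport):
        """A packet arrives on the WAN interface. Returns (verdict, final_dst)."""
        src, dst = ip_address(src), ip_address(dst)
        key = (src, sport, dport)
        established = dst == WAN_IP and key in self.conntrack

        # Firewall: permit only replies to connections started from inside.
        if self.firewall and not established:
            return ("drop:firewall", None)

        # NAT: rewrite the destination only when a mapping matches.
        # A packet that matches nothing is left unmodified, not dropped.
        if established:
            dst, dport = self.conntrack[key]

        # Routing: ordinary lookup on whatever the destination now is.
        if dst in LAN:
            return ("forward:lan", (str(dst), dport))
        if dst == WAN_IP:
            return ("local", (str(dst), dport))
        return ("drop:no-route", None)

if __name__ == "__main__":
    probe = ("198.51.100.9", 5555, "192.168.1.10", 22)  # constructed packet
    print("NAT only:      ", Router(firewall=False).inbound(*probe))
    print("NAT + firewall:", Router(firewall=True).inbound(*probe))
```
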