MSGID: 7e99fc3b
REPLY: <10j462c$2t1h9$8@dont-email.me> 8616026f
PID: PyGate 1.5.2
TID: PyGate/Linux 1.5.2
CHRS: CP1252 2
TZUTC: 0000
REPLYADDR invalid@invalid.invalid
REPLYTO 3:633/10 UUCP
The Natural Philosopher writes:
> On 31/12/2025 20:18, Richard Kettlewell wrote:
>> Pancho writes:
>>> The Natural Philosopher wrote:
>>>> David Higton wrote:
>>>>> What I particularly like about IPv6 is that NAT/NAPT are simply not
>>>>> necessary
>>>> So making the implementation of a firewall absolutely mandatory
>>>>
>>>
>>> Linux IPv6 does appear to use random IPv6 addresses for outbound
>>> connections, which have a limited lifespan. This appears to be
>>> something like 1-7 days, but if very short lifespans were used it
>>> could offer a protection similar to NAT. I need to investigate a bit
>>> further, but I don't think IPv6 needs to be inherently less safe.
>>
>> NAT does not offer any protection. The reason that a typical domestic
>> NAT-equipped router protects you from inbound connections is that it
>> has a firewall as well. (Getting a packet addressed to your internal
>> addresses to your external interface is inconvenient for many
>> attackers, for sure, but straightforward for your ISP or anyone who
>> can hack or coerce them.)
>
> How?
> Genuine question.
Same as routing any other packet. Make sure there's an appropriate
routing table entry for the customer addresses on the ISP's
customer-facing router (and whatever intermediate routers there are
between that and the attack source), then call socket/connect/write.
The question is then what the customer router does with it.
* If it follows the strong end system model then the packet is discarded
before NAT even comes into the question.
Linux follows the weak end system model by default, so this
possibility doesn't apply to a Linux-based router unless someone has
taken the trouble to change its behavior somehow.
* If there's a basically competent firewall on the customer router then
the packet is discarded by that.
* If there's a NAT then it gets to look at the packet, but it won't
match any of the rules that enable translation, so it will not be
modified at this stage.
* All that's now left is normal routing, so the packet passes on to its
destination on the customer network.
https://www.greenend.org.uk/rjk/tech/nat.html has a worked example.
--
https://www.greenend.org.uk/rjk/
--- PyGate Linux v1.5.2
* Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
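The four decisions listed in the post (end-system model, firewall, NAT, plain routing) modelled as a small Python simulation. This is an added example, not code from the post or from the linked page. All addresses, ports, interface names and the routing table are constructed for illustration; the NAT is a toy masquerade keyed on a connection-tracking table, and the "strong end-system model" step is a simplified stand-in (discard a packet whose destination belongs to a prefix attached to an interface other than the one it arrived on) for the behaviour the post refers to. The point it shows is the post's: an unsolicited packet addressed directly to the RFC 1918 LAN address is untouched by NAT and is forwarded unless a firewall drops it.

```python
"""Toy model of what a home router does with a packet addressed straight to a
LAN host, arriving on the WAN side.  Constructed example, not real router code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

WAN, LAN = "wan0", "lan0"
WAN_ADDR = "198.51.100.7"   # constructed: the router's public address
ATTACKER = "203.0.113.5"    # constructed: a source upstream of the ISP
VICTIM = "192.168.1.10"     # constructed: a host on the customer LAN


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str  # interface the packet arrived on


@dataclass
class Router:
    firewall: bool               # stateful filter on forwarded traffic
    nat: bool                    # masquerade LAN -> WAN flows
    strong_end_system: bool = False
    # constructed topology: one connected LAN prefix plus a default route
    routes: dict = field(default_factory=lambda: {
        ip_network("192.168.1.0/24"): LAN,
        ip_network("0.0.0.0/0"): WAN,
    })
    # (internal src, sport, external dst, dport) -> port used on WAN_ADDR
    conntrack: dict = field(default_factory=dict)

    def egress(self, dst: str) -> str:
        """Longest-prefix match over the routing table."""
        d = ip_address(dst)
        best = max((n for n in self.routes if d in n), key=lambda n: n.prefixlen)
        return self.routes[best]

    def outbound(self, pkt: Packet, mapped_port: int) -> None:
        """Record a LAN-originated flow and the WAN port it was masqueraded to."""
        self.conntrack[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = mapped_port

    def _reply_flow(self, pkt: Packet):
        """Return the tracked outbound flow this packet answers, else None."""
        if pkt.dst != WAN_ADDR:
            return None
        for (isrc, isport, edst, edport), mapped in self.conntrack.items():
            if pkt.src == edst and pkt.sport == edport and pkt.dport == mapped:
                return (isrc, isport, edst, edport)
        return None

    def handle_inbound(self, pkt: Packet) -> str:
        # 1. Strong end-system model (toy stand-in): the destination sits on a
        #    prefix attached to another interface than the one it arrived on.
        if self.strong_end_system:
            for net, iface in self.routes.items():
                if net.prefixlen and ip_address(pkt.dst) in net and iface != pkt.iface:
                    return "discarded: strong end-system model"
        # 2. Stateful firewall: forward only replies to tracked flows.
        if self.firewall and self._reply_flow(pkt) is None:
            return "dropped: firewall (no matching connection)"
        # 3. NAT: translation applies only to replies to masqueraded flows;
        #    a packet already addressed to a LAN host matches no rule.
        if self.nat:
            flow = self._reply_flow(pkt)
            if flow is not None:
                int_src, int_sport, _, _ = flow
                pkt = Packet(pkt.src, pkt.sport, int_src, int_sport, pkt.iface)
        # 4. Plain routing.
        out = self.egress(pkt.dst)
        return f"forwarded to {out} as {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"


def demo() -> dict:
    """Run the scenarios from the post against constructed routers."""
    probe = Packet(ATTACKER, 40000, VICTIM, 22, WAN)   # unsolicited, aimed at the LAN
    results = {
        "nat only": Router(firewall=False, nat=True).handle_inbound(probe),
        "nat + firewall": Router(firewall=True, nat=True).handle_inbound(probe),
        "strong model": Router(firewall=False, nat=True,
                               strong_end_system=True).handle_inbound(probe),
    }
    # A legitimate reply to a LAN-originated flow still gets through NAT + firewall.
    r = Router(firewall=True, nat=True)
    r.outbound(Packet(VICTIM, 51000, ATTACKER, 443, LAN), mapped_port=60001)
    results["reply to tracked flow"] = r.handle_inbound(
        Packet(ATTACKER, 443, WAN_ADDR, 60001, WAN))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24s} {outcome}")
```

The "nat only" scenario is the one the post describes: the NAT rules never fire because nothing in the conntrack table matches, so the packet reaches normal routing and is delivered to lan0 unchanged. Adding the stateful filter is what changes the outcome, not the address translation.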