logoalt Hacker News

dotancohenlast Saturday at 10:57 AM2 repliesview on HN

  > It's called a firewall. You want a firewall. IPv6 also has a firewall. NAT is not a firewall.
With NAT, I absolutely know my ESP32 is not vulnerable and exposed on the wild wild web. With a firewall, I may have a configuration issue or there might be a bug in the implementation or there might be some UDP nuisance I didn't know about or a dozen other concerns. I don't want to hire a network admin not play one at home.

Replies

blueflowlast Saturday at 11:23 AM

Your router will open up any port for an ephemeral forwarding if the traffic looks like that forwarding is warranted. Any application can open arbitrary inbound pathways. "Application" also includes the Javascript you run in your Browser. Which is externally controlled.

Security folks call those techniques "hole punching" but they are how NAT is expected to work.

KaiserProlast Saturday at 11:10 AM

> With NAT, I absolutely know my ESP32 is not vulnerable and exposed

I mean thats not actually true, uPnP will open ports up, as will misconfiguration.

The firewall is still the same in ipv6 vs 4, and has the same problems.

show 1 reply