Tetra (tetra@meowcity.club)'s status on Tuesday, 23-Jan-2024 06:10:35 JST:
Yea
I do wonder whether NAT actually prevents devices outside the LAN from making connections to a device inside the LAN without specifying internal IP addresses or smth
If not, I'm curious how-
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Tuesday, 23-Jan-2024 06:10:34 JST:
@tetra @novenary See NAT-punching and UPnP (most home-routers have this, allows a "temporary" port forward so things like VoIP can work), you typically don't give a specific local IP address for this though, that's more when you found something which could be used as a proxy (which is exactly when firewalls become needed, to allow/deny specific connections).
Also UDP is a rather fun one NAT-wise because it doesn't have connection-tracking capabilities, so the port-association between the router and the local machine tends to linger around.
Wolf480pl (wolf480pl@mstdn.io)'s status on Tuesday, 23-Jan-2024 08:59:56 JST:
@lanodan @novenary @tetra
Also, the primary reason preventing those outside from sending unsolicited packets to hosts behind the NAT is that routers outside don't know where to route the private IPs that are used behind the NAT. But if you sit on the same network segment as the NAT box's WAN port, you can send a packet directly to it with private IP as a destination, and it will forward that into the LAN.
Unless it also has a firewall (it should)
Haelwenn /элвэн/ :triskell: likes this.
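The two mechanisms discussed in the posts above (a UDP port association that lingers after the last packet, and a WAN-side packet addressed straight to a private LAN address that a NAT-only box will route but a filter rule will drop) can be modelled in a few dozen lines. The following is an added toy simulation, not code from any participant in the thread or from any real router firmware. Addresses are constructed from RFC 1918 and documentation ranges, and the idle timeouts in TIMEOUT are assumed values rather than those of any particular device.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed addresses: an RFC 1918 LAN and a TEST-NET-3 "public" WAN address.
LAN = ipaddress.ip_network("192.168.1.0/24")
WAN_IP = ipaddress.ip_address("203.0.113.7")
# Assumed idle timeouts (seconds) for translation entries; real routers use their own.
TIMEOUT = {"udp": 30, "tcp": 7440}


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "wan" or "lan"
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatBox:
    """Toy masquerading router. firewall=False: translate and route only.
    firewall=True: additionally drop unsolicited WAN ingress to LAN addresses."""
    firewall: bool
    next_port: int = 40000
    # (proto, lan_ip, lan_port) -> {"ext_port": int, "last_seen": float}
    table: dict = field(default_factory=dict)

    def _expire(self, now):
        # Entries idle longer than the protocol's timeout are forgotten.
        self.table = {k: v for k, v in self.table.items()
                      if now - v["last_seen"] <= TIMEOUT[k[0]]}

    def handle(self, pkt, now):
        """Return ("forward", "ip:port") or ("drop", reason)."""
        self._expire(now)
        if pkt.iface == "lan":
            # Outbound: create or refresh the translation, SNAT to WAN_IP:ext_port.
            key = (pkt.proto, pkt.src, pkt.sport)
            entry = self.table.get(key)
            if entry is None:
                entry = self.table[key] = {"ext_port": self.next_port}
                self.next_port += 1
            entry["last_seen"] = now
            return ("forward", f"{pkt.dst}:{pkt.dport}")

        dst = ipaddress.ip_address(pkt.dst)
        if dst == WAN_IP:
            # Inbound to our public address: only a live translation lets it through.
            # (Endpoint-independent lookup; many real NATs also check the remote address.)
            for (proto, lan_ip, lan_port), entry in self.table.items():
                if proto == pkt.proto and entry["ext_port"] == pkt.dport:
                    entry["last_seen"] = now
                    return ("forward", f"{lan_ip}:{lan_port}")
            return ("drop", "no translation for this port")
        if dst in LAN:
            # A packet handed to the WAN port with a private LAN destination:
            # plain routing forwards it; only a filter rule stops it.
            if self.firewall:
                return ("drop", "unsolicited WAN ingress to LAN address")
            return ("forward", f"{pkt.dst}:{pkt.dport}")
        return ("drop", "destination is not ours")


def scenarios():
    """Run the thread's cases against a NAT-only box and a NAT+firewall box."""
    results = {}
    for fw in (False, True):
        box = NatBox(firewall=fw)
        # Case 1: packet on the WAN side addressed directly to a LAN host.
        direct = Packet("wan", "tcp", "198.51.100.9", 5555, "192.168.1.20", 22)
        results[("direct_to_private", fw)] = box.handle(direct, now=0)[0]
        # Case 2: a LAN host sends UDP out (e.g. VoIP), then a reply arrives.
        out = Packet("lan", "udp", "192.168.1.20", 5060, "198.51.100.9", 5060)
        box.handle(out, now=0)
        reply = Packet("wan", "udp", "198.51.100.9", 5060, str(WAN_IP), 40000)
        results[("udp_reply_fresh", fw)] = box.handle(reply, now=10)[0]
        # The same reply after the mapping has sat idle past the UDP timeout.
        results[("udp_reply_stale", fw)] = box.handle(reply, now=10 + TIMEOUT["udp"] + 1)[0]
    return results


if __name__ == "__main__":
    for (case, fw), verdict in scenarios().items():
        print(f"{case:20s} firewall={fw!s:5s} -> {verdict}")
```

Running it shows the asymmetry the thread points at: the UDP reply is forwarded by both boxes as long as the association is fresh (the translation table, not the firewall, is what lets replies in), while the packet addressed directly to 192.168.1.20 is forwarded by the NAT-only box and dropped only when the filter rule exists.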
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Tuesday, 23-Jan-2024 09:13:57 JST:
@wolf480pl @novenary @tetra Right, although ending up on the same network segment as someone else's router is probably rare.
Meanwhile I'd say most people really ought to have proper firewalls at home because of things like embedded/IoT devices* which should often be entirely isolated from the internet or at the very least restricted from it, plus maybe also other parts of your network.
They tend to end up in botnets due to their centralised management, often deal with quite personal/sensitive data, and are often completely forgotten because we think of them as appliances. Home networks need to get better than moat-style thinking of security.
*I'm counting printers, TV set-top-boxes, video game consoles, … in that category btw