Hi Bill,

I would not consider IPv4 NAT to be much protection for someone trying to connect to your NAS either manually or by drive-by automation. There are plenty of ways to get into the network in a typical customer router setup, even without forwarding set up.

If you like IPv4 NAT, there is nothing stopping you from implementing it the same way with IPv6 too. With that knowledge - it would be pretty irresponsible to leave your NAS wide open for anyone from the web to connect to it, be it via IPv4 or IPv6. I believe that a NAS, like any other computer these days, has a firewall. My NAS has a firewall, as does my router. So it should help to configure it (both the NAS and the router) to know what your local network is and to not respond to random outside traffic, at the minimum. IPv6 provides for local network discovery, so your NAS and other computers behind the router should definitely know what is local and what is outside traffic.

Besides firewalling things and limiting things from being able to communicate, Kerberos can authenticate not only users but also devices, as well as encrypt the traffic. Then you should be able to connect with your devices securely from anywhere. That ability to connect anywhere with ease was the whole promise of this thing we call the internet. Then came NAT and double/triple/.. NAT and instead of fixing protocols like SMTP, we got firewalls at ISPs blocking stuff like port 25, .....

For me at least, IPv6 could not come fast enough.

Tomas

On Mon, 2017-11-06 at 16:38 +0000, Bill Weiss wrote:
> I'd like to share a recent failure, in case I can help any of you not
> have the same: if you happen to have native IPv6 at home, please know
> that the GUI-configured firewall doesn't touch IPv6 at all. So, let's
> say your devices are getting real IPv6 addresses as they should...
> they're just out on the internet. Is your NAS ready to be talked to by
> the internet?
>
> https://community.ubnt.com/t5/EdgeMAX/Time-Warner-Cable-Working-IPv6-Configuration-with-IPv6-Firewall/td-p/1554856
> contained the magic bits I needed to make it work, starting with "from
> UBNT-stig" through the end of that block.
>
> A remote person _probably_ didn't guess the IP of my dumpy NAS and
> exploit it, but it's kind of hard to say, you know?
> _______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
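
The "know what is local and do not respond to outside traffic" decision from the reply above, sketched as an added example that is not part of the original thread or any vendor's firewall code. The LAN prefix (taken from the 2001:db8::/32 documentation range), the service ports, the sample connection attempts and the function names are all assumptions made up for illustration.

```python
import ipaddress

# Ranges that are local on any IPv6 network: link-local and unique local (ULA).
ALWAYS_LOCAL = [ipaddress.ip_network("fe80::/10"), ipaddress.ip_network("fc00::/7")]

def source_scope(src, lan_prefixes):
    """Return 'local' or 'outside' for a source address string."""
    addr = ipaddress.ip_address(src.split("%", 1)[0])  # drop a zone id such as %eth0
    nets = ALWAYS_LOCAL + [ipaddress.ip_network(p) for p in lan_prefixes]
    if any(addr.version == net.version and addr in net for net in nets):
        return "local"
    return "outside"

def verdict(src, port, lan_prefixes, local_services):
    """Default deny: answer only local sources, and only on listed services."""
    if port in local_services and source_scope(src, lan_prefixes) == "local":
        return "accept"
    return "drop"

# Constructed sample data (documentation prefix, not real hosts).
LAN_PREFIXES = ["2001:db8:aa:1::/64"]   # the /64 assumed to be assigned to the home LAN
LOCAL_SERVICES = {22, 445}              # services the NAS offers to the LAN only
ATTEMPTS = [
    ("fe80::1c2d:3eff:fe4f:5a6b%eth0", 445),  # link-local neighbour
    ("2001:db8:aa:1::25", 445),               # global address inside the LAN /64
    ("fd12:3456:789a::5", 22),                # ULA address
    ("2001:db8:aa:2::9", 445),                # adjacent /64: same ISP block, not our LAN
    ("2001:db8:ffff::77", 445),               # unrelated outside host
    ("2001:db8:aa:1::25", 8080),              # local source, service not offered
]

def evaluate(attempts=ATTEMPTS):
    """Return (src, port, scope, verdict) for each constructed attempt."""
    return [(s, p, source_scope(s, LAN_PREFIXES),
             verdict(s, p, LAN_PREFIXES, LOCAL_SERVICES)) for s, p in attempts]

if __name__ == "__main__":
    for src, port, scope, v in evaluate():
        print(f"{src:32} port {port:<5} {scope:8} {v}")
```

The adjacent-/64 case is the one worth noticing: with native IPv6 every device has a globally routable address, so "local" has to be defined by the LAN's own prefix rather than by the address merely looking similar.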
