this post was submitted on 24 Jun 2024
676 points (97.9% liked)

Programmer Humor

32479 readers
272 users here now

Post funny things about programming here! (Or just rant about your favourite programming language.)

Rules:

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] AceBonobo@lemmy.world 1 points 4 months ago* (last edited 4 months ago) (1 children)

I still have to initiate the outgoing UDP. Are you talking about the specific case where any software running on my host can initiate it without me requesting?

Edit: apparently NAT is full of security bugs

[–] skullgiver@popplesburger.hilciferous.nl 3 points 4 months ago (1 children)

In the instance of UDP handshakes yes, you need local software to initiate the connection on one of your devices somewhere (I highly doubt that your home router verifies the origin of those packets, so a hacked printer or IoT crap can open ports to your desktop no problem). Other problems are harder to solve.

NAT is great at what it does, but it does not guarantee security. It blocks straightforward attacks, but brings in tons of edge cases and complexity that sophisticated attacks can abuse. At the same time, the same security can be achieved using IPv6 and a firewall without all the complexity.

It's a neat workaround that means you don't need to mess with subnetting and routing tables when you do stuff like run virtual machines and when your ISP doesn't offer IPv6. It was designed so larger businesses with 10 machines could access the internet without spending a lot of money on a /30, not to replace firewalls, and it still works well for what it's designed to do.

[–] AceBonobo@lemmy.world 1 points 4 months ago

Understood. CG-NAT has been so annoying, I would love for IPv6 to completely replace v4 ASAP