this post was submitted on 25 Oct 2023
289 points (95.3% liked)

Technology

59111 readers
3528 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[โ€“] [email protected] 2 points 1 year ago (1 children)

I'm curious and quite ignorant in networking, so excuse the questions.

How would the house devices communicate with each other?

In my home LAN behind a router and NAT, each device gets an internal IP thanks to DHCP. If I want to make my homeserver media server with DLNA available only internally, there's nothing I have to do. Just start it up with 0.0.0.0 and it'll be picked up (if I'm not mistaken by sending a multicast packet to the router). It's then possible for any smart TV in my home to pick it up, and my phone or computer with VLC don't need any configuration either.

And if I have a service that should be available to the world, port forwarding does it for me. Should a user want to torrent or use some P2P application, the router can also selectively enable UPnP to open ports for that user's device. It's not that complicated.

What is complicated that makes NAT worse for security? How would a gateway firewall improve it? Doesn't it have to keep track of connections too in order to know what's going on? For example just because a device (A) establishes a connection with an external one (B), doesn't mean that another external device (C) is allowed to use that port to communicate with the the internal device (A).
What else besides address translation falls away if you remove NAT?

[โ€“] [email protected] 2 points 1 year ago* (last edited 1 year ago)

For internal communication on IPv4, everything has some unique internal IP. There are blocks reserved for private space. Usually people use 192.168.x.x or 10.x.x.x. DHCP hands it the address.

If you wanted this to work in the IPv6 world, you are assigned a prefix by your ISP, and everything is inside that prefix. Services still have to discover each other by some mechanism. Perhaps by DHCPv6, or perhaps broadcasting their existence.

Port forwarding is only necessary with NAT. If you have a gateway firewall that blocks incoming new connections by default, then you will need to open the port going to a specific device. Current home networking "routers" combine port forwarding and opening the firewall together as a convenience, but there's no reason an IPv6 world would need to do that. UPnP can open the port the same way if you want that (though that's a whole other security issue).

In a home networking "router", the gateway firewall is already combined in. In fact, I'm putting the "router" in quotes because it's really a firewall with NAT and some other services like DHCP. It doesn't typically do things like BGP that we would normally see in a router outside of an edge network like your home. A router out there is an allow-by-default device.

Adding NAT to the gateway firewall makes the code more complicated. For example, here's a command on Linux that activates NAT for the iptables firewall:

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

That "MASQUERADE" bit is handled as NAT, and iptables has to implement more code just to do that.

If we wanted to simply drop all new incoming connections, we would do:

iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Which tells it to drop packets by default that aren't otherwise accepted, and then accept packets that are already part of a connection. Even with NAT, we typically want to do this, anyway, so we're not making things any easier with NAT.

If we want to add a service listening on port 80 for host 10.0.0.5, we would do:

iptables -A INPUT -p tcp -d 10.0.0.5 --dport 80 -j ACCEPT

Which works just fine in a NAT-less world. With NAT, we also have to add this:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.5
iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 80 -d 10.0.0.1 -j SNAT --to-source 10.0.0.5

Which translates the stuff coming in from outside to port 80 to 10.0.0.5 on the same port, and then also translates replies going back the other way. And I might be getting some of the commands wrong, because it's been a while since I've had to configure this.

Suffice it to say, dropping NAT greatly simplifies firewall rules. Your home router is still doing all this (many of them are just Linux iptables these days), but it's hiding the details from you.

Edit: This doesn't cover how protocols have been designed to work around NAT, and has resulted in a more centralized Internet that's easier to spy on. That's a whole other problem that is hidden from most people.