
> what type of device are they

Almost all of my computers, including my phone, are behind wireguard on a globally routed /64 IPv6 virtual network.

It's a bit of a pain for some sites that do not offer a V6 addie via DNS, but it's extremely flexible and offers tons of other advantages.

Specifically, NAT is basically a thing of the past and any of my devices can talk to all of my other devices by establishing a simple TCP connection or shooting a UDP packet at them.

I can also access all of my devices from wherever I am connected to the internet, as long as the device has a globally routed V6 addie.



>as long as the device has a globally routed V6 addie

I was waiting for the catch, and I was not disappointed.


One badly behaving device and your whole network is a screaming blip on the radar that is easily tracked.

Any internet device of mine would immediately go into a quarantine subnet. It is a feature not a bug.


No catch: my phone is on VPN and therefore has full V6 connectivity.


If you don’t mind, how did you set this up? I’d love to play around with this sort of thing but I’m a bit of a networking newbie.


This sounds like the 90s when not using a router.

Don’t you need a basic router/nat to protect your systems?


> Don’t you need a basic router/nat to protect your systems?

You are under the mistaken impression that your router / NAT protects you.

It doesn't. It may mitigate some of the most basic attacks, the ones that were cutting edge in the 90s.


It does by not exposing the ports that aren't meant to be and only routing the traffic intended down to the local network.


> Don’t you need a basic router/nat to protect your systems?

No, not really. It's no longer the 90s, so tcp/ip stacks aren't easily crashed. And it's no longer the 90s, so no services are listening by default, or it's, say, openssh, which isn't easily crashed either (you may want to consider if you want to accept passwords via ssh though).

Additionally, decent OSes will rate limit responses to pings and SYNs and what not, so you won't be a good reflector out of the box.


You could have a VNC in LAN without password but forgot to limit the source IP.

And the way you say, you need a "decent OS" to avoid flood attacks without tinkering, whichever OS that is.


> You could have a VNC in LAN without password but forgot to limit the source IP.

Sure, but that's not by default. You've got to take affirmative steps to enable that; although it's certainly easier to listen without limiting the source than to do it right.

> And the way you say, you need a "decent OS" to avoid flood attacks without tinkering, whichever OS that is.

Yeah, I just don't know for sure what's decent. I have no problem putting FreeBSD out on the internet without a firewall, and I think Linux would be ok too; but I wouldn't put MacOS if it's got any tcp listening ports, because it can be easily SYN flooded, and I'm not sure off hand if it has ICMP limits. If you put Windows on the internet and tell it it's a 'public' network, it'll run a firewall and you should probably be pretty ok (again, as long as you don't misconfigure applications).
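The recurring point in this thread is that on a globally routed IPv6 network there is no NAT in the way, so the host's own packet filter has to do what people assume the NAT box does, and services like VNC must be restricted to the tunnel's source prefix rather than left open. The following nftables ruleset is an added example written for this discussion, not something any commenter posted; it assumes a Linux host whose WireGuard interface is `wg0`, a placeholder global prefix `2001:db8:1234:abcd::/64` for the VPN, and WireGuard listening on UDP 51820.

```nft
#!/usr/sbin/nft -f
# Added example for a Linux host on a globally routed IPv6 /64 reached over WireGuard.
# Assumptions (not from the thread): tunnel interface wg0, placeholder VPN prefix
# 2001:db8:1234:abcd::/64, WireGuard on UDP 51820.
flush ruleset

define vpn_net = 2001:db8:1234:abcd::/64
define wg_port = 51820

table inet host {
    chain input {
        # Default deny on inbound: this replaces the accidental "protection" of NAT.
        type filter hook input priority filter; policy drop;

        # Loopback and flows this host initiated.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 is not optional on IPv6: neighbour discovery and path MTU discovery
        # break without it. Echo requests are accepted but rate limited so the host
        # is not a useful reflector.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit,
                      nd-router-advert, packet-too-big, time-exceeded,
                      parameter-problem, destination-unreachable } accept
        icmpv6 type echo-request limit rate 10/second accept
        icmp type echo-request limit rate 10/second accept

        # The WireGuard endpoint is the only service reachable from anywhere.
        udp dport $wg_port accept

        # Everything else (ssh on 22, VNC on 5900) is reachable only through the
        # tunnel and only from the VPN prefix: the "limit the source IP" step.
        iifname "wg0" ip6 saddr $vpn_net tcp dport { 22, 5900 } accept

        # Drop the rest (chain policy) and keep a rate-limited log for detection.
        limit rate 5/minute log prefix "host-input-drop: "
    }

    chain forward {
        # This host is an endpoint, not a router; forward nothing.
        type filter hook forward priority filter; policy drop;
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`; the `host-input-drop:` kernel log lines show what the default policy is actually catching.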



