Subject: Re: Redploying most of 127/8 as unicast public Date: Sat, Nov 20, 2021 at 09:15:24PM +0000 Quoting Matthew Walster (matthew@walster.org):
Why should we burden ourselves with this cumbersome and painful, useless layer of abstraction that is "port forwarding", when the choice of universal reachability is around the corner?
Because it's a REALLY bad idea to have unmanaged devices reachable from the open internet. Dial-out, not dial-in. You need a firewall. You need a way of punching holes in that firewall for services you explicitly allow, be that manually through an interface, or temporarily via an automated system like upnp/nat-pmp.
It's like you did not read the next part.
If people can set a port forward up, they can click "allow" in a routing-based firewall interface. Only it is better, because one can have several parallel services using well-known ports. Sometimes (most of the time) the protocol spec has no option to change port either, making port forwarding futile anyway. (the let's have a TXT record bunch at it again, purposefully ignoring SRV since its inception.)
It's not always people. Lots of games, lots of telephony things, services like Syncthing... They all open firewall holes (yes, NAT is a firewall) to allow inbound connections for specific conditions, like "this protocol and port combination".
You obviously read it. Now I'm confused.
You are not. I'm glad my internet connected light bulbs are controlled by the Australian firm that manufactures them and the American firm that has a surveillance device in my kitchen listening for the immortal words "turn on the living room lights", rather than Billy* from Doncaster who's looking for something funny to do after losing at CS:GO again and happens to have found a list of IP addresses of known vulnerable devices accessible from the internet.
( I'd rather not have my lighting in the cloud. But I'm strange like that. ) Routing and allowing traffic are choices. Only that people with unusable non-unique addresses don't get to make those choices. One can probably find quantitative research stating that letting people handle their IT security makes for less secure systems, and from that standpoint argue that they don't deserve the choice. To me, that is elitist and condescending (And I oughta know condescending, I'm quite good at it.) and I think we could do better. -- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE SA0XLR +46 705 989668 I want another RE-WRITE on my CEASAR SALAD!!