MSGID: <10j5o6e$3etcd$2@dont-email.me> 24f5d47f   
   REPLY:  7e99fc3b   
   PID: PyGate 1.5.2   
   TID: PyGate/Linux 1.5.2   
   CHRS: CP1252 2   
   TZUTC: 0000   
   REPLYADDR tnp@invalid.invalid   
   REPLYTO 3:633/10 UUCP   
   On 01/01/2026 11:34, Richard Kettlewell wrote:   
   > The Natural Philosopher  writes:   
   >> On 31/12/2025 20:18, Richard Kettlewell wrote:   
   >>> Pancho  writes:   
   >>>> The Natural Philosopher wrote:   
   >>>>> David Higton wrote:   
   >>>>>> What I particularly like about IPv6 is that NAT/NAPT are simply not   
   >>>>>> necessary   
   >>>>> So making the implementation of a firewall absolutely mandatory   
   >>>>>   
   >>>>   
   >>>> Linux IPv6 does appear to use random IPv6 address for outbound   
   >>>> connections, which have a limited lifespan. This appears to be   
   >>>> something like 1-7 days, but if very short lifespans were used it   
   >>>> could offer a protection similar to NAT. I need to investigate a bit   
   >>>> further, but I don't think IPv6 needs to be inherently less safe.   
   >>>   
   >>> NAT does not offer any protection. The reason that a typical domestic   
   >>> NAT-equipped router protects you from inbound connections is that it   
   >>> has a firewall as well.  (Getting a packet addressed to your internal   
   >>> addresses to your external interface is inconvenient for many   
   >>> attackers, for sure, but straightforward for your ISP or anyone who   
   >>> can hack or coerce them.)   
   >>   
   >> How?   
   >> Genuine question.   
   >    
   > Same as routing any other packet. Make sure there?s an appropriate   
   > routing table entry for the customer addresses on the ISP?s   
   > customer-facing router (and whatever intermediate routers there are   
   > between that and the attack source), then call socket/connect/write.   
   >    
   > The question is then what the customer router does with it.   
   >    
   > * If it follows the strong end system then the packet is discarded   
   >    before NAT even comes into the question.   
   >    Linux follows the weak end system model by default, so this   
   >    possibility doesn?t apply to Linux-based router unless someone has   
   >    taken the trouble to change its behavior somehow.   
   >    
   > * If there?s a basically competent firewall on the customer router then   
   >    the packet is discard by that.   
   >    
   > * If there?s a NAT then it gets to look at the packet, but it won?t   
   >    match any of the rules that enable translation, so it will not be   
   >    modified at this stage.   
   >    
   Ah. I misunderstood your original post.  Sure the ISP can send an    
   internally addressed packet to your router. If it wants to lose its    
   customer base.   
      
   But will that get forwarded along?   
      
   > * All that?s now left is normal routing, so the packet passes on to its   
   >    destination on the customer network.   
   >    
   > https://www.greenend.org.uk/rjk/tech/nat.html has a worked example.   
   >   
   I can't believe that my router  would accept arbitrary  packets with an    
   internal destination address on its external facing port...if the    
   destination is not in its tables, it will be automatically discarded...   
      
      
      
   --    
   "In our post-modern world, climate science is not powerful because it is    
   true: it is true because it is powerful."   
      
   Lucas Bergkamp   
      
      
   --- PyGate Linux v1.5.2   
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)   
   SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700   
   SEEN-BY: 226/30 227/114 229/110 112 134 200 206 275 300 317 400 426   
   SEEN-BY: 229/428 470 616 664 700 705 266/512 291/111 292/854 320/219   
   SEEN-BY: 322/757 342/200 396/45 460/58 633/10 280 414 418 420 422   
   SEEN-BY: 633/509 2744 712/848 770/1 902/26 2320/105 5020/400 5075/35   
   PATH: 633/10 280 229/426