| 7 Feb 2026 |
 Albert Larsan | Tbh I have my devices secured the same as for IPv4, ie services do not listen on 0.0.0.0 or :: if I want to keep them LAN-local or limited to localhost (also have firewalls, but they have holes for all the same ports) | 19:11:07 |
| Albert Larsan | My (ISP-provided) home router has a (quite strict) IPv6 firewall enabled by default, which I disabled because it was annoying | 19:12:24 |
 matthewcroughan @fosdem | so every device on your LAN is still reachable? | 19:13:56 |
| Albert Larsan | Yeah, but good luck finding them in the 2⁶⁴ sea of IPs they could have | 19:14:55 |
| Albert Larsan | And I have a personal router behind the ISP router that does ping rate-limiting | 19:15:44 |
| Albert Larsan | Before the (W)LAN is reached | 19:15:59 |
 K900 | Hmm you know what actually | 19:16:33 |
| K900 | networking.firewall.filterForward is a thing | 19:16:39 |
| K900 | And does basically just enough and just stupid enough for me to enable it | 19:16:47 |
| Albert Larsan | I think it would break my dn42 stuff though | 19:17:19 |
| K900 | Hmm actually this kinda sucks now | 19:19:59 |
| K900 | I guess I need miniupnpd | 19:20:32 |
| K900 | OK so | 22:04:10 |
| K900 | I fell down a fucking hole again | 22:04:13 |
| K900 | Our miniupnpd can't do IPv6 pinholing | 22:04:31 |
| K900 | This enables it in just the package; https://github.com/NixOS/nixpkgs/pull/488104 | 22:04:40 |
| K900 | Which is basically a no-op because it can't make anything worse | 22:04:47 |
| K900 | However, right now our firewall basically does ct status dnat accept | 22:05:44 |
| K900 | Which works for v4 because there is NAT | 22:05:49 |
| K900 | But not for v6, because pinholing is not NAT | 22:05:55 |
| K900 | And the miniupnpd chain is never actually hit | 22:06:04 |
| K900 | So uhhh | 22:06:13 |
| K900 | Thoughts | 22:06:14 |
 raitobezarius | not deeply familiar with pinholing but doesn't it have any conntrack correspondance? | 22:15:06 |
| K900 | Nope | 22:16:34 |
| K900 | It's basically just adding a rule for "ip daddr ... tcp dport ... accept" | 22:17:06 |
| K900 | You do it on the global IPv6 | 22:17:35 |
| K900 | So the default is to not forward anything into the LAN but a client can ask nicely | 22:17:47 |
| raitobezarius | so if this thing dynamically add a ip daddr X tcp dport Y accept, aren't you just missing ip6_forwarding=1 ? | 22:19:29 |
| K900 | The problem is that it's adding it to its own chain | 22:19:51 |
