Router Security (routersecurity.org) - Submitted by blueridge 5 hours ago
  • yjftsjthsd-h 2 hours ago

    So I think this is mostly reasonable advice, but I do have to question disabling ICMP/ping and IPv6. I'm not aware of any actual attack that ping allows? And IPv6 should be fine if you have a firewall (which I would rather expect any regular COTS consumer router to have). The link on that suggestion describes a very specific problem where your router is also your WiFi AP and uses the old approach of just shoving the entire MAC address into its v6 address, but am I wrong in thinking that it would be weird to see that actually happening in a new router, where new is "still getting security updates"?
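    An added check, not from the thread or from routersecurity.org, for the MAC-in-address problem the linked suggestion describes: given the addresses a host shows (e.g. from `ip -6 addr` on Linux), it reports which ones are classic EUI-64 SLAAC addresses and what MAC they embed. The sample addresses are constructed.

    ```python
    import ipaddress


    def eui64_to_mac(addr: str):
        """Return the MAC embedded in an EUI-64 IPv6 address, or None.

        RFC 4291 EUI-64 interface IDs are built from the 48-bit MAC by
        inserting 0xFFFE between the OUI and the device part and flipping
        bit 7 (universal/local) of the first byte. Reversing that recovers
        the MAC. Privacy (RFC 4941) or stable-privacy (RFC 7217) interface
        IDs carry no 0xFFFE marker, so they yield None here.
        """
        ip = ipaddress.IPv6Address(addr)
        iid = ip.packed[8:]  # low 64 bits = interface identifier
        if iid[3:5] != b"\xff\xfe":
            return None
        first = iid[0] ^ 0x02  # undo the U/L bit flip
        mac_bytes = bytes([first]) + iid[1:3] + iid[5:8]
        return ":".join(f"{b:02x}" for b in mac_bytes)


    def leaking_addresses(addrs):
        """Map each address that embeds a MAC to that MAC (others are skipped)."""
        found = {}
        for a in addrs:
            mac = eui64_to_mac(a)
            if mac is not None:
                found[a] = mac
        return found


    # Constructed sample: one global and one link-local EUI-64 address for the
    # same MAC, plus one privacy-extension style address that reveals nothing.
    SAMPLE_ADDRS = [
        "2001:db8::211:22ff:fe33:4455",
        "fe80::211:22ff:fe33:4455",
        "2001:db8::a1b2:c3d4:e5f6:7890",
    ]

    if __name__ == "__main__":
        # Any hit here means the address is tied to the hardware; on Linux the
        # usual fix is sysctl net.ipv6.conf.<if>.use_tempaddr=2 (and a
        # non-EUI-64 addr_gen_mode), or the router's privacy-extensions setting.
        for a, mac in leaking_addresses(SAMPLE_ADDRS).items():
            print(f"{a} embeds MAC {mac}")
    ```
    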

    • o11c an hour ago

      If you haven't updated your kernel since 1998, you may be vulnerable to the Ping of Death.

      (I'm 90% sure this is the origin of this advice)

      • fourfour3 an hour ago

        I'd agree - IPv6 is only going to get more important from now. Especially with ISPs doing rollouts paired with moving v4 to address-conserving mechanisms like CGNAT.

        The short list looks pretty sensible to me with those two exceptions. The long list gets a bit paranoid for me at the end - especially 32 onwards or so.

        • bbarnett a minute ago

          I'd agree - IPv6 is only going to get more important from now.

          Yes, but while not inaccurate, I've heard this since 2000.

        • bogantech 2 hours ago

          People who block ping should get swirlies

          • LargoLasskhyfv 2 hours ago

            I'd rather swirl pings from the outside, from people who have no business at all to know about my internal infrastructures. Just GTFO.

            • bogantech 2 hours ago

              If your internal infrastructure is not internet-routable, nobody would be able to ping it anyway.

              • yjftsjthsd-h an hour ago

                How would somebody ping your internal network from the outside? Your firewall should block the ping getting past the router, regardless of the external interface responding.

                That said: Who cares? Even if you published an exact list of every single IP on your network, it doesn't do an attacker any good, because again, there's a firewall between them and your devices.

                • HeatrayEnjoyer 33 minutes ago

                  Network metadata is sometimes valuable all by itself. Investment firms buy satellite imagery to identify the number and models of cars in corporate parking lots, for better inferring internal business conditions. Frequency of pizza deliveries to the Pentagon revealed when major ops were taking place.

                  A private network will ideally present as an opaque black box to the outside.