So I was looking into getting port forwarding set up and I realized just how closed-off the internet has gotten since the early days. It’s concerning. It used to be you would buy your own router and connect it to the internet, and that router would control port-forwarding and what-have-you.

Now, your ISP provides your router, which runs their firmware, which (in my case) doesn’t even have the option to enable port forwarding.

It gets worse - because ISPs are choosing NATs over IPv6, so even if you install a custom firmware on your router without it getting blacklisted by your ISP, you still can’t expose your server to the internet because the NAT refuses to forward traffic your way. They even devise special NAT schemes like symmetric NAT to thwart hole punching.

Basically this all means that I have to purchase my web hosting separately. Or relay all the traffic through an unnecessary third party, introducing a point of failure.

It’s frustrating.

I like to control my stuff. I don’t like to depend on other people or be in a position where I have to trust someone not to fuck with my shit. Like, if the only thing outside my apartment that mattered to my website was a DNS record, I’d be really happy with that.

Edit: TIL ISPs in the US don’t have NATs

Edit 2: OMG so much advice. My knowledge about computers is SO clearly outdated, I have a lot of things to read up on.

Edit 3: There’s definitely a CGNAT involved since the WAN ip in the router config is not the same as the one I get when I use a website that echos my IP address. Far as I can tell my devices don’t get unique IPv6 addresses either. (funnily enough, if I check my IP address on my phone using roaming data, there’s no IPv6 address at all). It’s a router/modem combo, at least I think since there’s only one device in my apartment (maybe there’s a modem managing the whole complex or something?). And it doesn’t have a bridge mode, except for OTT. Might try plugging my own router into it, but it feels like a waste of time and money from what I’m seeing. Probably best to just host services over a VPN or smth.

Edit 4: Devices do get unique IPv6 addresses, but it’s moot since I can’t do anything but ping them. I guess it wouldn’t be port forwarding but something else that I would have to do that my router doesn’t support

  • @FMT99@lemmy.world
    link
    fedilink
    English
    211 months ago

    I have ports open (to receive backups from my other servers) but only to connections from specific ip addresses and only port 22 using a pub key (no password) I’d be hesitant to open port 80 to the public though.

    Then again I’ve run a small public web server for well over a decade and never had any issues with hackers.

    • ⲇⲅⲇ
      cake
      link
      fedilink
      English
      0
      edit-2
      11 months ago

      I’ve run a small public web server for well over a decade and never had any issues with hackers.

      It’s never late to get hacked or an attack or a problem with your ISP router firmware. I don’t think that’s an excuse.

      receive backups from my other servers

      You can simply do cronjob and scp user@server:/path/to/backup . to get things from server to your local network, I don’t see the need to expose your router to the public. For a web server, there are cheap VPS providers for less than 5 dollars a month, and you save up energy, hardware, and improve safety at home.

      • @lud@lemm.ee
        link
        fedilink
        English
        111 months ago

        Why use your ISPs router then? Just buy your own.

        And a webserver is probably the safest thing to put online.

        You can also put the server in a DMZ and or use reverse proxy’s and a bunch of other stuff.

        • ⲇⲅⲇ
          cake
          link
          fedilink
          English
          111 months ago

          I already have my own router, even if a web server is safer, you are still exposing your IP which is what I don’t want to do. DMZ doesn’t solve anything, is just worse than setting up a port forward as you are opening all the ports to the server at home, your server at home has access to all your network so once infected by any 0-day exploit, you are fucked up.

          I just hire online servers and I have my own Ansible playbooks to manage those servers, this way I don’t provide my real IP (my home) to anyone.

          • @lud@lemm.ee
            link
            fedilink
            English
            1
            edit-2
            11 months ago

            as you are opening all the ports to the server at home, your server at home has access to all your network so once infected by any 0-day exploit, you are fucked up.

            No, the entire point of a DMZ is to insulate a device from the rest of the network and you can (should) configure which ports that are forwarded to the DMZ, don’t just forward everything. You can (should) also configure a bunch of other normal firewall rules for the DMZ.

            Personally I don’t consider “exposing” your home IP to be a big deal. It’s just an IP.

            • ⲇⲅⲇ
              cake
              link
              fedilink
              English
              1
              edit-2
              11 months ago

              https://en.wikipedia.org/wiki/DMZ_(computing)#DMZ_host -> By definition, this is not a true DMZ (demilitarized zone), since the router alone does not separate the host from the internal network.


              Home routers aren’t firewalls or something similar, they have some minimal logic that can act like a firewall, but they aren’t. There is no need to expose your IP, there are many alternatives to do stuff without exposing it.

              • @lud@lemm.ee
                link
                fedilink
                English
                111 months ago

                I’m of course referring to a real DMZ and not a DMZ host.

                I won’t call home routers “not firewalls” just bad firewalls Surprisingly even Cisco firewalls support DMZ hosts. I have no idea why you would ever what to use that.

                There is no need to expose your IP, there are many alternatives to do stuff without exposing it.

                . Maybe but why would it matter, especially enough to pay cloud bills?

                I have a cheap VPS for my website but that is just because I’m behind a CGNAT and I won’t bother to solve that.

                • ⲇⲅⲇ
                  cake
                  link
                  fedilink
                  English
                  1
                  edit-2
                  11 months ago

                  I’m of course referring to a real DMZ and not a DMZ host.

                  Maybe but why would it matter, especially enough to pay cloud bills?

                  Because we are talking home-made stuff, we didn’t talk about a real firewall or any infrastructure, and even doing that is much more expensive than the cheap VPS.

                  I have a cheap VPS for my website but that is just because I’m behind a CGNAT and I won’t bother to solve that.

                  Same, that’s why I am saying there is no need to expose your IP, unnecessary risks.

                  • @lud@lemm.ee
                    link
                    fedilink
                    English
                    111 months ago

                    Same, that’s why I am saying there is no need to expose your IP, unnecessary risks.

                    You will learn much more with self hosting at home though. Which is arguably worth much more.

                    Same, that’s why I am saying there is no need to expose your IP, unnecessary risks.

                    Why is it a risk?