IP based exclusion should not be considered a security measure, not even for a low risk environment like a home lab
>
IP based exclusion should not be considered a security measureApologies in advance if I'm missing something obvious here, but are you saying an IP allow list is not a standard security practice? If so I'd appreciate further explanation.
It's useful when the client always has its own static IP that _doesn't change_ between sessions. In this case, where the public facing IP may be shared by thousands of users, it provides no real security. All you'd have to do to gain access would be getting the client IP and finding some way of getting on the same network. Which in many cases could be as easy as subscribing to the same cell network or other ISP, or connecting to the guest wifi network of an office building.
Thanks for filling in the details. I agree that an IP allow list works best for users who are alone on an IP that doesn't change often, which is the case for a majority of home internet users but not when they're away from home.
Unfortunately there's an increasing number of home internet connections behind CGNat, as IPv4 adresses run out (and IPv6 doesn't gain momentum, heaven knows why)