Comment by bandrami

4 days ago

> Maybe I've been irreparably corrupted by being behind NAT for too long

Bangs head against desk

NAT per se does not prevent an outside host from connecting to a host on your local network.

> NAT per se does not prevent an outside host from connecting to a host on your local network.

Yep, and a firewall per se does not prevent an outside host from connecting to a host on your local network. You can bang your head all day long; the side effect of NAT is to only allow incoming traffic that refers to an established connection that was initiated from the local network. How is this different from a firewall that does:

Allow established, related

Allow outbound

Deny inbound

  • No, the side effect of NAT is that outbound connections made from your network look like they come from the router's WAN IP. It doesn't filter incoming traffic.

    If it did then you might have a point, but since it doesn't it's very different from a firewall that's configured to do that.

    • > No, the side effect of NAT is that outbound connections made from your network look like they come from the router's WAN IP.

      That's the primary function of NAT, not a side effect.

      > It doesn't filter incoming traffic.

      Of course it does, it drops any incoming traffic for which it cannot find a corresponding connection. How is this not a filter?

      I know that internally these two are vastly different. The reality is that NAT is used as protection for millions of home networks.

      2 replies →

I guess technically you are right, in that NAT doesn't prevent connections, it enables connections. But in the situation where you would have a NAT, behind a residential router, an outside host cannot connect to an arbitrary host on my internal network.

On a publicly routed PC, I can call `listen` and an outside host can connect to me.

On a PC behind a NAT - if I don't set up port forwarding - I can call `listen` and nobody from outside can connect to me.

So one could say, going from publicly routed to behind a NAT means that only allowed incoming connections are possible. Or am I missing something and you can really, from the outside, open a connection to a PC on a residential network which is behind a simple NAT (TCP server listening on that PC)?

  • Yeah, you really can do that.

    The only caveat is that if you're using RFC1918, it greatly limits who can connect -- only your ISP, or another customer connected to the same shared VLAN your router is, or anyone that can physically attach to that network (or anybody in a position to order, blackmail or social engineer those three groups or their employees) can do it, because they're the only people that can set a route to your router for RFC1918 destinations.

    Other than that, the connection will just head right on through your router. NAT's whole thing is to change the source address of your outbound connections. Inbound ones (when they don't match port forward rules) are ignored by it, which means they get routed by the router in exactly the same way they would if the router wasn't doing NAT.

    At best you could argue that RFC1918 blocks connections, which would be somewhat closer to true, but... well, it doesn't. If you actually want to stop all connections from outside your network, you've always had to do it with a firewall on the router.

    And of course, I said "if". You can NAT on public IP space. On residential connections you're unlikely to have public IP space on v4, but that's just a consequence of v4 being exhausted.

    • There have been incredibly clever attacks based on tricking intervening routers into routing the traffic to the target gateway, but more prosaically my next hop ISP is itself a threat I worry about.
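To make the distinction the two comments above argue over concrete, here is an added nftables ruleset for a small router (example config, not posted by anyone in this thread); it assumes the interface names wan0 (upstream) and lan0 (the RFC1918 LAN). The NAT chain only rewrites source addresses, and the three-rule filter listed earlier ("allow established,related; allow outbound; deny inbound") is a separate forward chain, so deleting that chain leaves the router still translating but forwarding any packet it has a route for.

```nft
#!/usr/sbin/nft -f
# Added example ruleset. Assumed interface names: wan0 = upstream link,
# lan0 = LAN side with 192.168.1.0/24 behind it (constructed values).
flush ruleset

table inet router {
    # NAT alone: rewrite the source address of traffic leaving via wan0.
    # Inbound packets that match no conntrack entry and no DNAT rule are
    # left as they are and continue into the forward chain untouched.
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }

    # The filtering the thread describes lives here, not in the NAT chain.
    # Remove this chain and the box still NATs but forwards every packet
    # whose destination it can route, whichever side it arrived on.
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept      # replies to LAN-initiated flows
        ct state invalid drop                    # malformed / out-of-window
        iifname "lan0" oifname "wan0" accept     # allow outbound
        iifname "wan0" counter drop comment "unsolicited inbound"
    }

    # Traffic addressed to the router itself: same principle.
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        iifname "lan0" accept
    }
}
```

Load it with `nft -f` and watch the counter on the last forward rule: every hit is a packet NAT alone would have passed on to the LAN.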

Every single time. But that actually gives a simple answer for why IPv6 is still not commonly used. People can’t wrap their heads around the (simple) fact that NAT is orthogonal to firewalls - and IPv6 has more difficult concepts to offer.

  • If you'd bothered to read the Original Post, you'd know that the author already answered that.

    • If you'd bothered to understand the context of my comment you wouldn't have left your comment and we wouldn't have had this obnoxious discussion.