Comment by dvdkon
5 days ago
> I can have both a firewall and a NAT. The two layers are better than one because at least my address shouldn't be routable even if I failed to configure my firewall correctly.
That's not true. When you configure just NAT (with e.g. nftables on Linux), the NATed devices are still reachable from the outside, you just have to add an entry to your routing table to reach that internal address space using the router.
"Just add an entry to your routing table" ... it's virtually impossible to do that for RFC-1918 addresses across the internet. It will be filtered at the ISP border or an upstream. Is it theoretically possible? Yes. Is it an actual risk? Probably not.
Well, if you're another customer of the ISP on the same network, then that may get more interesting... (or inside a VPS provider's network)
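The point made in the thread (NAT rewrites addresses but does not by itself filter forwarded traffic), as an added nftables example that is not part of any commenter's post; the interface names eth0/eth1 and the LAN prefix 192.168.1.0/24 are assumptions.

```nftables
# Added example, not from the thread. A Linux router with NAT only, then the
# same router with a stateful forward filter.
# Assumptions: WAN interface eth0, LAN interface eth1, LAN prefix 192.168.1.0/24.
# Load with: nft -f <this file>   (requires net.ipv4.ip_forward=1 on the router)

# --- NAT only: weak. The postrouting masquerade rewrites the source address of
# LAN traffic leaving via eth0, but nothing here drops packets that arrive on
# eth0 already addressed to 192.168.1.0/24. A neighbour on the upstream segment
# that adds a route for 192.168.1.0/24 via this router gets them forwarded as-is.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" masquerade
    }
}

# --- NAT plus a forward filter: the filter chain, not the NAT, is what blocks
# inbound reachability. Default policy drop; only replies to connections the
# LAN initiated, and new connections leaving the LAN, are allowed through.
table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "eth1" oifname "eth0" accept
        # Anything else, including eth0 -> 192.168.1.0/24, falls to policy drop.
    }
}
```

To check a router, run `nft list ruleset` and confirm a `forward` chain with `policy drop` exists; a ruleset whose only table is `nat` performs no forward filtering at all.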