← Back to context

Comment by johnmaguire

18 hours ago

That's a great point - the packet is not dropped by the firewall as a result of NAT - but it still won't route anywhere because the IP in the packet is that of the router itself. I've updated the article as a result of your comment, thanks.

6 comments

johnmaguire

Reply
Dagger2  13 hours ago

It might be the IP of the router, in which case the router itself will accept the connection if something is listening (like the web interface perhaps). But whoever sent you the L2 frame has full control over the contents of the IP in the packet, so it could be anything.

NAT doesn't protect you from either of these.

  • mystraline  9 hours ago

    Repeating the same wrong points doesnt make you right.

    Every NAT based product will have a firewall built in also by default. And it'll be deny-all except for conn-tracked.

    And that L2 attack is a martian packet. Why are you allowing reserved IPs talk on public network interfaces (hello, spoofing and obvious at that)? These are always blocked due to the reasons you describe.

    https://en.wikipedia.org/wiki/Martian_packet

    • Dylan16807  8 hours ago

      > Every NAT based product will have a firewall built in also by default.

      Well that's the point of the article isn't it? That the firewall is the important part, not the NAT.

  • ErroneousBosh  6 hours ago

    So, if you have NAT but a grossly misconfigured router, it might not be secure?

    Quick question - do you think that "security by obscurity is not security"? And, as a follow-up, when you park your car do you ensure your laptop bag is out of sight, maybe locked away in the boot?

    Because here's a mindblowing concept that'll change the way you see the world - you can have a door lock but it won't make you secure. You need to actually fit the lock to some sort of door.

lelandbatey  13 hours ago

That's only because your ISP won't have routed that packet to you if someone gave it to _them_. However, if someone was able to get to the ISP-side of the connection that you have with your ISP, and send a packet down the fiber/copper line from the ISP side towards your router, and that packet has a dst of your internal network (192.168.0.1 or whatever), your router will happily route that straight on to whatever internal network you have.

This means that if someone decided to be a bad actor and start tapping fiber lines on the poles in your neighborhood, NAT would do literally nothing to protect you from all the packets they start sending your way.

  • cyberax  8 hours ago

    If somebody is wishing to tap fiber optics lines to the ISP or to hack the ISP just to get to your router, then you probably are not going to be saved by a "default deny" firewall anyway.