Comment by cyberax
1 month ago
> NAT is not the firewall.
NAT _is_ a firewall. And a much safer one than IPv6 firewalls, because NAT will fail safe if misconfigured.
NAT is not a firewall: all it does is rewrite packets, it does not drop them.
The article actually remarks on this kind of argument.
While you are technically correct that NAT is not a firewall, in practice it is a widely used front-line defense which, even if not “perfect”, has indisputably proven to be quite effective against a lot of malicious activity.
Against highly determined malicious actors you will of course want a proper firewall, but for 99% of people, NAT is enough to keep from being bothered by run-of-the-mill malicious actors.
Kind of like physical home security: a lot of it is very easy to bypass, but it’s good enough for the common threats.
> Against highly determined malicious actors you will of course want a proper firewall, but for 99% of people, NAT is enough to keep from being bothered by run-of-the-mill malicious actors.
Maybe, maybe not, but regardless, 99% of people are not protected by a NAT. They are protected by a "proper firewall," which happens to support NAT (and typically is enabled for IPv4 networks).
That is to say, while most home routers support NAT, they also ship with a default-deny firewall turned on. Typically, enabling NAT mappings also configures the firewall for users. But they are not the same thing, and we need to stop conflating them, because it causes a lot of confusion when people think that IPv6 is "open by default" and that IPv4 is "protected by NAT." It's not. They are both protected by your router using the same default-deny firewall.
3 replies →
You have to squint a little and see they mean that most consumer routers don't map inbound unsolicited packets to anything internal unless the user specifically configured it to. Which is basically a firewall.
That's not true in my experience: consumer-grade routers will often happily route packets with RFC 1918 destination addresses from the WAN to the LAN interface all day. The "firewall" is only that nobody can get packets with those destination addresses to the home router's WAN interface through the internet.
This is because most consumer routers have a firewall, which is separate from the NAT. Creating NAT mappings also creates firewall entries.
Otherwise, the router would happily pass the packet along to any IP address it finds in a packet it receives. That's the job of a router, after all.
A NAT will drop all packets, until something upstream opens a port. Dropping packets is the default behavior of a NAT.
Nope, it's the default behavior of a typical firewall. NAT rewrites packets but it never drops packets. An un-rewritten packet may fail to route (i.e. "destination unknown"). But that depends on the destination in the packet.
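To make the distinction the thread is arguing about concrete, here is an added toy model (not from any commenter, and not real router code) of a stateful NAT with and without a default-deny forward chain. The addresses, ports and packets are constructed for the example; it shows that the NAT mapping alone delivers replies to existing flows but also forwards an unsolicited WAN-side packet that is already addressed to an RFC 1918 LAN host, while only the default-deny policy drops it.

```python
from dataclasses import dataclass, replace

WAN_IP = "203.0.113.7"     # constructed: router's public address
LAN_PREFIX = "192.168.1."  # constructed: RFC 1918 LAN behind the router


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Router:
    """Toy router: always NATs; optionally also runs a default-deny forward chain."""

    def __init__(self, default_deny):
        self.default_deny = default_deny
        self.mappings = {}  # WAN port -> (LAN ip, LAN port); created by outbound flows
        self.next_port = 40000

    def forward(self, pkt, ingress):
        """Packet as it leaves the other interface, or None if it is not forwarded."""
        if ingress == "lan":
            # Outbound: SNAT to WAN_IP and record the mapping (the conntrack entry).
            port, self.next_port = self.next_port, self.next_port + 1
            self.mappings[port] = (pkt.src, pkt.sport)
            return replace(pkt, src=WAN_IP, sport=port)
        if pkt.dst == WAN_IP:
            # Inbound to the router's own address: translate only if a mapping exists;
            # with no mapping there is nothing to rewrite it to, so it is not forwarded.
            if pkt.dport not in self.mappings:
                return None
            lan_ip, lan_port = self.mappings[pkt.dport]
            return replace(pkt, dst=lan_ip, dport=lan_port)
        if self.default_deny:
            return None  # firewall: unsolicited inbound is dropped by the forward chain
        # NAT alone never drops: a packet already addressed to a LAN host is routed as-is.
        return pkt if pkt.dst.startswith(LAN_PREFIX) else None


def demo(default_deny):
    """Return (reply_delivered, rfc1918_probe_forwarded) for a router of the given kind."""
    r = Router(default_deny)
    out = r.forward(Packet("192.168.1.10", 51000, "198.51.100.9", 443), "lan")
    reply = r.forward(Packet("198.51.100.9", 443, WAN_IP, out.sport), "wan")
    probe = r.forward(Packet("198.51.100.9", 5555, "192.168.1.10", 8080), "wan")
    return (reply is not None and reply.dst == "192.168.1.10", probe is not None)
```

`demo(False)` returns `(True, True)`: the reply reaches the LAN host and the unsolicited packet is forwarded too; `demo(True)` returns `(True, False)`, which is the behaviour a default-deny firewall adds on top of NAT.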