Comment by dissent

8 hours ago

NAT isn't protecting them. Not being on the public internet at all is protecting them.

NAT is then unprotecting them a little by letting them punch out again. It's super easy for routers to implement this behaviour by default if your LAN is publicly addressable, and removes a whole class of exploits caused by applications making NAT hacks.

2 comments

dissent

Reply
xl-brain  6 hours ago

This is splitting hairs. The point stands that PAT is the de facto firewall for most soho users.

  • dissent  6 hours ago

    Not in the context of claiming NAT offers protection.

    An ipv6 lan with default ingress deny is more secure than ipv4+nat