Comment by cyberax

6 hours ago

I wrote that comment, and you can write to yourself how many times you want that NAT is not a firewall.

The truth of the matter is that NAT absolutely _is_ a firewall in _practice_. Not in theory "because it doesn't drop packets" or "because it was not meant to be a security feature". But in the actual real-world practice.

It effectively protects most networks from most attackers without ANY additional configuration, making it inherently foolproof.

Here, I put a private key for a wallet with 0.01 bitcoin at this address: http://192.168.80.26/ Go on and take it. It's not protected by anything else I disabled everything but NAT. Heck, here's my real IPv4 even: 172.56.107.111

Is this a _good_ reason to not do IPv6? No. But it absolutely _is_ a reason and needs to be acknowledged.

5 comments

cyberax

Reply
bigstrat2003  5 hours ago

> The truth of the matter is that NAT absolutely _is_ a firewall in _practice_.

No it's not. NAT is not ever a firewall. By definition it is not.

  • cyberax  4 hours ago

    What is the definition of a "firewall"?

    And it doesn't really matter. You can call it "alksjfaliskdfgh" if you wish. The fact is, NAT adds a security barrier that is incredibly effective in practice.

    • bandrami  2 hours ago

      But it really doesn't. If you turned off NAT your computers would have the exact same security as they do with NAT.

iso1631  5 hours ago

If you don't have RPF enabled on your router in theory your upstream peer can send traffic to 192.168.80.26 and it would pass through. Reply traffic may or may not be natted depending on how it's entered in the connection tracking table.

There may be situations where your router can be tricked too, I can't think of one off the top of my head which wouldn't also apply to a stateful firewall sitting on a routed network segment with no nat, and it would typically be a vulnerability to patch

But your principal is right -- it's far harder to exploit than just connecting to an ip of say 2001:172:56:107:111::192.168.80.25 on port 80

  • dist-epoch  1 hour ago

    For 99%+ of residential users, the upstream peer is the router owner/operator, so they can just direct the router to hack you if they wished. So this NAT "vulnerability" is not useful in practice, since it can only be used by your upstream which already "owns" you.