I don’t think you understand symmetric NAT. Requiring an entry in the port address translation table to propagate a packet is not the same thing as a stateful firewall.
You absolutely can have a port address translation implementation without a stateful v4 firewall that wouldn’t forward packets destined for inner IPs on the outer interface. Just put an ACL on the external interface to not allow traffic to the inner IP block.
If your public IP from your ISP is 12.13.14.15, and your internal block is 192.168.0.0/24, then your ISP can send a packet to 12.13.14.15 destined for 192.168.0.7, and without a firewall your router will happily forward it. An attacker who can convince intervening routers to send traffic destined for 192.168.0.7 to 12.13.14.15 (and these attacks do exist, particularly over UDP) can also do that.
You're using somewhat sloppy terminology that will confuse things. An IP packet can't be addressed both to 12.13.14.15 AND to 192.168.0.7.
The realistic attack here is that your ISP sends a packet with destination address 192.168.0.7 to the MAC of your router (the MAC that corresponds to 12.13.14.15). This is a realistic attack scenario if the device that your router connects directly to gets compromised (either by an attacker or by the ISP itself).
Getting a public route that would take packets destined for 192.168.0.7 to reach your router over the Internet is far more unlikely.
Okay, so not only do you have to create a bogus packet, you have to convince every piece of equipment in between you and the end user to collude with it, in the hopes that the final router is so woefully misconfigured as to act upon it?
No, the router will only forward it with specific implementations that don’t isolate routing tables between the external and internal. Or an easier approach is just a stateless ACL on the external interface. Neither are a stateful firewall.
Send packets to the device? A NAT is in it's most basic form a mapping from one IP/port set to another IP/port set describable by some function "f" and its inverse "g". The common home user case has the firewall detect a flow from inside the network and modify "f" and "g" to allow this flow. Without the firewall, and assuming you want your devices to talk to the internet in some way, the NAT would forward (with modifications) traffic based on "f" and "g" to all your devices.
First they will have to change their policy of only providing one IPv4 address per ONT connection. Then they will have to convince me to disable NAT on my router, disable the DHCP server on my router, and bridge the WAN port with the LAN block.
Meanwhile in IPv6 land the ISP provided router that my relative has came configured by default to hand out globally routable addresses from the ISP provided /64. Thankfully it also had a stateful firewall enabled by default so there was no difference in practice.
> First they will have to change their policy of only providing one IPv4 address per ONT connection. Then they will have to convince me to disable NAT on my router, disable the DHCP server on my router, and bridge the WAN port with the LAN block.
No. They may be able to directly reach your internal addresses with source addresses that are outside your internal ranges through the WAN interface. For example: if you use 10.0.0.0/24 internally, and your special secret webserver is at 10.0.0.2, I might be able to reach it from 10.1.0.1 through your router's WAN interface.
It doesn't matter what the public IP is: the WAN interface is the default route, Linux will forward the traffic unless something is explicitly configured to block it.
Even if outbound traffic on the WAN interface is unconditionally SNAT'd to the public IP, and the replies have the wrong source address/port, I can still use a promiscuous mode AF_PACKET socket to receive them and interact with the internal server (the destination address will be correct, so the L2 frame will be addressed to the attacker's MAC). Or even just install my own SNAT rule to rewrite them again for me, I suppose.
Some ISPs have multiple subscribers on the same L2 segment, it's possible they can do this to each other.
Of course, I'd imagine many consumer grade routers out there do block this, but I've personally seen some that don't.
I don’t think you understand symmetric NAT. Requiring an entry in the port address translation table to propagate a packet is not the same thing as a stateful firewall.
You absolutely can have a port address translation implementation without a stateful v4 firewall that wouldn’t forward packets destined for inner IPs on the outer interface. Just put an ACL on the external interface to not allow traffic to the inner IP block.
How do they manage that?
If your public IP from your ISP is 12.13.14.15, and your internal block is 192.168.0.0/24, then your ISP can send a packet to 12.13.14.15 destined for 192.168.0.7, and without a firewall your router will happily forward it. An attacker who can convince intervening routers to send traffic destined for 192.168.0.7 to 12.13.14.15 (and these attacks do exist, particularly over UDP) can also do that.
You're using somewhat sloppy terminology that will confuse things. An IP packet can't be addressed both to 12.13.14.15 AND to 192.168.0.7.
The realistic attack here is that your ISP sends a packet with destination address 192.168.0.7 to the MAC of your router (the MAC that corresponds to 12.13.14.15). This is a realistic attack scenario if the device that your router connects directly to gets compromised (either by an attacker or by the ISP itself).
Getting a public route that would take packets destined for 192.168.0.7 to reach your router over the Internet is far more unlikely.
2 replies →
Okay, so not only do you have to create a bogus packet, you have to convince every piece of equipment in between you and the end user to collude with it, in the hopes that the final router is so woefully misconfigured as to act upon it?
23 replies →
No, the router will only forward it with specific implementations that don’t isolate routing tables between the external and internal. Or an easier approach is just a stateless ACL on the external interface. Neither are a stateful firewall.
Send packets to the device? A NAT is in it's most basic form a mapping from one IP/port set to another IP/port set describable by some function "f" and its inverse "g". The common home user case has the firewall detect a flow from inside the network and modify "f" and "g" to allow this flow. Without the firewall, and assuming you want your devices to talk to the internet in some way, the NAT would forward (with modifications) traffic based on "f" and "g" to all your devices.
First they will have to change their policy of only providing one IPv4 address per ONT connection. Then they will have to convince me to disable NAT on my router, disable the DHCP server on my router, and bridge the WAN port with the LAN block.
Meanwhile in IPv6 land the ISP provided router that my relative has came configured by default to hand out globally routable addresses from the ISP provided /64. Thankfully it also had a stateful firewall enabled by default so there was no difference in practice.
> First they will have to change their policy of only providing one IPv4 address per ONT connection. Then they will have to convince me to disable NAT on my router, disable the DHCP server on my router, and bridge the WAN port with the LAN block.
No. They may be able to directly reach your internal addresses with source addresses that are outside your internal ranges through the WAN interface. For example: if you use 10.0.0.0/24 internally, and your special secret webserver is at 10.0.0.2, I might be able to reach it from 10.1.0.1 through your router's WAN interface.
It doesn't matter what the public IP is: the WAN interface is the default route, Linux will forward the traffic unless something is explicitly configured to block it.
Even if outbound traffic on the WAN interface is unconditionally SNAT'd to the public IP, and the replies have the wrong source address/port, I can still use a promiscuous mode AF_PACKET socket to receive them and interact with the internal server (the destination address will be correct, so the L2 frame will be addressed to the attacker's MAC). Or even just install my own SNAT rule to rewrite them again for me, I suppose.
Some ISPs have multiple subscribers on the same L2 segment, it's possible they can do this to each other.
Of course, I'd imagine many consumer grade routers out there do block this, but I've personally seen some that don't.