Comment by phire

7 hours ago

The firewall on your typical IPv4 router does basically nothing. It just drops all packets that aren’t a response to an active NAT session.

If the firewall somehow didn’t exist (not really possible, because NAT and the firewall are implemented by the same code) incoming packets wouldn’t be dropped, but they wouldn’t make it through to any of the NATed machines. From the prospective any machine behind the router, nothing changes, they get the same level of protection they always got.

So for those machines, the NAT is inherently acting as a firewall.

The only difference is the incoming packets would reach the router itself (which really shouldn’t have any ports open on the external IP) reach a closed port, and the kernel responds with a NAK. Sure, dropping is slightly more secure, but bouncing off a closed port really isn’t that problematic.

7 comments

phire

Reply
snuxoll  6 hours ago

NAT gateways that utilize connection tracking are effectively stateful firewalls. Whether a separate set of ‘firewall’ rules does much good because most SNAT implementations by necessity duplicate this functionality is a bit ignorant, IMO.

Meanwhile, an IPv6 network behind your average Linux-based home router is 2-3 nftables rules to lock down in a similar fashion.

  • fc417fc802  5 hours ago

    It's also trivial to roll your own version of dropbox. With IPv6 it's possible to fail to configure those nftables rules. The firewall could be turned off.

    In theory you could turn off IPv4 NAT as well but in practice most ISPs will only give you a single address. That makes it functionally impossible to misconfigure. I inadvertently plugged the WAN cable directly into my LAN one time and my ISP's DHCP server promptly banned my ONT entirely.

    • snuxoll  11 minutes ago

      > With IPv6 it's possible to fail to configure those nftables rules. The firewall could be turned off.

      So what? It's not like you get SNAT without a couple netfilter rules either.

      This argument doesn't pass muster, sorry. Consumer and SOHO gear should come with a safe configuration out of the box, it's not rocket science.

    • phire  4 hours ago

      > In theory you could turn off IPv4 NAT as well but in practice most ISPs will only give you a single address

      So, I randomly discovered the other day that my ISP has given me a full /28.

      But I have no idea how to actually configure my router to forward those extra IP addresses inside my network. In practice, modern routers just aren't expecting to handle this, there is no easy "turn of NAT" button.

      It's possible (at least on my EdgeRouterX), but I have to configure all the routing manually, and there doesn't seem to be much documentation.

      3 replies →