Comment by iso1631
18 days ago
If you don't have RPF enabled on your router in theory your upstream peer can send traffic to 192.168.80.26 and it would pass through. Reply traffic may or may not be natted depending on how it's entered in the connection tracking table.
There may be situations where your router can be tricked too, I can't think of one off the top of my head which wouldn't also apply to a stateful firewall sitting on a routed network segment with no nat, and it would typically be a vulnerability to patch
But your principal is right -- it's far harder to exploit than just connecting to an ip of say 2001:172:56:107:111::192.168.80.25 on port 80
For 99%+ of residential users, the upstream peer is the router owner/operator, so they can just direct the router to hack you if they wished. So this NAT "vulnerability" is not useful in practice, since it can only be used by your upstream which already "owns" you.
Yes, the upstream can hack my private wallet. But it's a CGNAT device somewhere in the TMobile network, and hacking it is not at all trivial.
And it's true for most NAT users. Even with the cheapest possible devices.
Of course, in practice most NAT devices _are_ firewalls because they do block incoming packets that are not a part of an established connection. After all, it adds only an insignificant overhead because a NAT device has to track connections anyway.
With IPv6 this is not the case. A router with misconfigured connection tracking will still work. And I actually have seen this in practice on a device that had a missing IPv6 conntrack kernel module.
RPF wouldn't help, because the reverse route for 192.168.80.26 is going to be the LAN interface, not the WAN interface. You need a firewall.