Comment by Dagger2

1 month ago

The return packet wouldn't be NATed, because stateful NAT tracks connections and only applies NAT to packets that belong to outbound connections.

Arguing over how likely this is is missing the point. If it can happen at all when you're running NAT, then it should be clear that NAT isn't providing security.

“if it protects 99.999% of attackers from reaching you but not this one specific attacker in this one case of misconfiguration, it’s not providing security”…

Dude, that’s a really shitty take and this is why people that do care about security end up ignoring advice from anyone who thinks this way.

You’re in the camp of “don’t use condoms because they can break”.

  • NAT doesn't protect you from 99.999% of attackers though. It doesn't do anything to incoming connections, so it actually protects you from 0% of attackers.

    • Nobody on the Internet can send a packet to an internal IP on your network except for immediate L2 neighbors (i.e. your ISP).

      Symmetric NAT 100% stops inbound unsolicited connections to the public IP. And using the public IP is the only way 99.999% can address you.

      I implore you to write down (even if just for yourself) what the packet headers would be for you to get a packet from Starbucks WiFi to the device at your home at 192.168.0.5 that has made no egress connections.

      You’ll quickly find what you’re suggesting is nonsense. Port address translation requires an entry to function. It’s not some optional security feature. It’s required information to get the packet header rewritten to reach private devices.

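To make the "write down the packet headers" exercise concrete, here is an added toy model of a symmetric NAT/PAT table (example code written for this thread, not posted by either commenter). It uses constructed addresses from the RFC 5737 documentation ranges: 203.0.113.7 as the router's public IP and 192.168.0.5 as the home device. An outbound packet creates a translation entry keyed on both the internal and remote endpoints; an inbound packet is rewritten only if it matches an existing entry, otherwise there is simply no internal destination to rewrite it to and it is dropped. Packets addressed directly to 192.168.0.5 never match because the router's only reachable address is the public one.

```python
"""Toy stateful NAT/PAT simulation (constructed example, not from the thread).

Models a home router with public IP 203.0.113.7 in front of a private LAN.
All addresses and ports are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.7"      # assumed router WAN address
HOME_DEVICE = "192.168.0.5"    # the device from the thread's example

FlowKey = Tuple[str, int, str, int]  # (int_ip, int_port, remote_ip, remote_port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class SymmetricNAT:
    public_ip: str = PUBLIC_IP
    next_port: int = 40000
    # internal flow -> allocated external port
    outbound: Dict[FlowKey, int] = field(default_factory=dict)
    # external port -> internal flow (the "entry" PAT needs to rewrite inbound)
    inbound: Dict[int, FlowKey] = field(default_factory=dict)

    def egress(self, pkt: Packet) -> Packet:
        """LAN -> Internet: allocate (or reuse) a mapping and rewrite the source."""
        key: FlowKey = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.outbound.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def ingress(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: returns the rewritten packet, or None if dropped."""
        if pkt.dst_ip != self.public_ip:
            # A private destination is never the router's address; nothing to match.
            return None
        entry = self.inbound.get(pkt.dst_port)
        if entry is None:
            # No translation state exists for this port: unsolicited, no target.
            return None
        int_ip, int_port, remote_ip, remote_port = entry
        # Symmetric NAT binds the mapping to the remote endpoint as well, so a
        # different sender cannot reuse a port some other peer was allocated.
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)


def trace_thread_scenario() -> Dict[str, Optional[Packet]]:
    """Walk the cases argued in the thread and return what the router would do."""
    nat = SymmetricNAT()
    results: Dict[str, Optional[Packet]] = {}
    # 1. Unsolicited packet addressed straight to the private IP: no egress yet.
    results["unsolicited_to_private"] = nat.ingress(Packet("192.0.2.9", 12345, HOME_DEVICE, 22))
    # 2. Unsolicited packet to the public IP on a port with no entry.
    results["unsolicited_to_public"] = nat.ingress(Packet("192.0.2.9", 12345, PUBLIC_IP, 22))
    # 3. The device opens a connection outward; the router creates an entry.
    results["egress"] = nat.egress(Packet(HOME_DEVICE, 51000, "198.51.100.20", 443))
    # 4. The legitimate return packet matches the entry and is rewritten inbound.
    results["return_packet"] = nat.ingress(Packet("198.51.100.20", 443, PUBLIC_IP, 40000))
    # 5. A third party aiming at the same external port does not match the entry.
    results["third_party_same_port"] = nat.ingress(Packet("192.0.2.9", 443, PUBLIC_IP, 40000))
    return results


if __name__ == "__main__":
    for name, outcome in trace_thread_scenario().items():
        print(f"{name:24s} -> {outcome if outcome else 'dropped'}")
```

Running it shows the two sides of the disagreement side by side: the return packet for an outbound flow is rewritten to 192.168.0.5:51000, while anything unsolicited, whether aimed at the private address or at the public one, has no entry and nowhere to go.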

    • Okay, but unless you've poked a hole through NAT (and if you have, presumably you know what you're doing), what are those incoming connections going to connect to?

      If there's nothing to connect to, is there really an incoming connection?
