Comment by kortilla

1 month ago

“if it protects 99.999% of attackers from reaching you but not this one specific attacker in this one case of misconfiguration, it’s not providing security”…

Dude, that’s a really shitty take and this is why people that do care about security end up ignoring advice from anyone who thinks this way.

You’re in the camp of “don’t use condoms because they can break”.

7 comments

kortilla

Reply
Dagger2  1 month ago

NAT doesn't protect you from 99.999% of attackers though. It doesn't do anything to incoming connections, so it actually protects you from 0% of attackers.

  • kortilla  1 month ago

    Nobody on the Internet can send a packet to an internal IP on your network except for immediate L2 neighbors (I.e. your ISP).

    Symmetric NAT 100% stops inbound unsolicited connections to the public IP. And using the public IP is the only way 99.999% can address you.

    I implore you to write down (even if just for yourself) what the packet headers would be for you to get a packet from Starbucks WiFi to the device at your home at 192.168.0.5 that has made no egress connections.

    You’ll quickly find what you’re suggesting is nonsense. port address translation requires an entry to function. It’s not some optional security feature. It’s required information to get the packet header rewritten to reach private devices.

    • Dagger2  25 days ago

      You can't get a packet from a random store wifi network to your home network when your home network is using 192.168.* (barring something like routing headers, which most routers wouldn't process). You said that yourself in the first part of your post, and I don't think I ever argued otherwise.

      > Symmetric NAT 100% stops inbound unsolicited connections to the public IP

      No, it doesn't. If it did it wouldn't be possible for routers to accidentally make their web admin or UPnP interfaces available to the Internet.

      It doesn't stop connections to your router, and it doesn't stop connections through your router either. It just plain doesn't stop connections, which is why it protects you from 0% of attackers.

  • ErroneousBosh  1 month ago

    Okay, but unless you've poked a hole through NAT (and if you have, presumably you know what you're doing), what are those incoming connections going to connect to?

    If there's nothing to connect to, is there really an incoming connection?

    • Dagger2  1 month ago

      They connect to whatever IP is specified in the packet's "destination IP" header field. It's exactly the same behavior as if there was no NAT going on.

      2 replies →