undefined | Better HN

0 pointsdijit4y ago0 comments

> "you're not allowed to like the NAT"

Well, the bigger question might be why do they like NAT?

If it's about having a single /128 address so they can do ACLs then that's easily fixed by just lowering the CIDR number. (unless you have an ancient version of fortigate on prem, which likely doesn't work with ipv6 anyway).

If it's about not having things poking at your servers through the NAT then the "NAT" really isn't helping anything, it's the stateful firewall doing _all_ the work there and those things are entirely independent systems. -- They're just sold to consumers as a single package.

0 comments

otabdeveloper44y ago

Again: "you're doing it wrong" and "you're not allowed to like the NAT" are not valid criticisms.

People like NAT because it's an easy batteries-included way to manage, secure and understand your LAN.

Taking it away and forcing them to migrate to an incompatible zoo of firewall technologies for no benefit is asinine.

> They're just sold to consumers as a single package.

Exactly. How in the world is this a bad thing now? Do we really want to make network security for the average do-it-yourself home LAN harder?

w74y ago

It's less of a "you're doing it wrong" or "you're not allowed to like the NAT" and a more complex "you've incorrectly attributed your protection to NAT"

otabdeveloper44y ago

Trying to separate "NAT" from "stateful firewall" is pointless and only causes pain to the end user.

1 more reply

dijitOP4y ago

Nothing changes; the firewall instead says "do you want this port open to this device" [y/N]:

Personally I think this is much easier to reason about.

And all I'm saying is that the NAT part of it absolutely does nothing to defend you, it's trivially defeated, people just conflate the two.

otabdeveloper44y ago

> the firewall instead says "do you want this port open to this device" [y/N]

That's exactly what I don't want to do. I have over 20 devices in the home LAN at any given point in time; why do you want to make my life difficult for no good reason?

1 more reply

j / k navigate · click thread line to collapse

0 pointsdijit4y ago0 comments

> "you're not allowed to like the NAT"

Well, the bigger question might be why do they like NAT?

0 comments

otabdeveloper44y ago

Again: "you're doing it wrong" and "you're not allowed to like the NAT" are not valid criticisms.

People like NAT because it's an easy batteries-included way to manage, secure and understand your LAN.

Taking it away and forcing them to migrate to an incompatible zoo of firewall technologies for no benefit is asinine.

> They're just sold to consumers as a single package.

Exactly. How in the world is this a bad thing now? Do we really want to make network security for the average do-it-yourself home LAN harder?

w74y ago

It's less of a "you're doing it wrong" or "you're not allowed to like the NAT" and a more complex "you've incorrectly attributed your protection to NAT"

otabdeveloper44y ago

Trying to separate "NAT" from "stateful firewall" is pointless and only causes pain to the end user.

1 more reply

dijitOP4y ago

Nothing changes; the firewall instead says "do you want this port open to this device" [y/N]:

Personally I think this is much easier to reason about.

And all I'm saying is that the NAT part of it absolutely does nothing to defend you, it's trivially defeated, people just conflate the two.

otabdeveloper44y ago

> the firewall instead says "do you want this port open to this device" [y/N]

That's exactly what I don't want to do. I have over 20 devices in the home LAN at any given point in time; why do you want to make my life difficult for no good reason?

1 more reply

j / k navigate · click thread line to collapse