undefined | Better HN

0 pointsadrian_b4y ago0 comments

Whoever downvoted this does not know how NAT and firewalls function.

That NAT and firewall are independent functions, even if they may be performed by the same program, is a simple true fact, which cannot be contested.

NAT cannot enhance security in any way. On the contrary, only the absence of any NAT can enhance the security of private IPv4 networks, because only when NAT does not exist, the computers with private addresses are no longer reachable from outside. Whenever a device that does NAT exists in your network, your internal private addresses become public addresses, no longer hidden from the Internet, because that is what NAT does. The fact that multiple internal addresses are mapped to a single external address may make more difficult the tracking of individual users, but it does not protect the internal computers in any way from external accesses. That is the job of the firewall, which filters the undesirable IP packets.

So anyone who believes that NAT is something that provides security is delusional.

I own a subnetwork of public IPv4 addresses and I have a private network of computers connected to the Internet through a router/firewall, which is a standard PC on which I have been managing the firewall and NAT for almost 20 years.

Neither of my 2 ISP's supports IPv6, so I use IPv4 with NAT.

However, if I could use IPv6, rewriting the firewall rules would not take more than a few minutes and the security would be exactly the same as it is with IPv4 and NAT.

0 comments

throwaway5251424y ago

> So anyone who believes that NAT is something that provides security is delusional.

If I understand NATs correctly, they cannot route incoming connections (from the Internet) to a computer on the local network because they don't know which computer to route them to. Hence incoming connections will always fail (unless configured to go to a specific computer, "port forwarding"). Thus a NAT (by design, because it cannot operate in another fashion), blocks incoming connections. I'd think this is a security benefit (over having a public IP address for every device in the network like in IPv6, but without a firewall).

Care to elaborate why my example doesn't work/misses your point?

adrian_bOP4y ago

It is true that for incoming connections you normally have to include in the NAT configuration the local IPv4 address to which the connection requests should be sent.

Otherwise the NAT would have to guess if they should be sent to one of the local addresses already seen to be in use.

In any case there is no difference between what happens when you use NAT and what happens when you have only public addresses in your internal network, either IPv6 or IPv4, it does not matter.

If you have internal public addresses, the incoming connections cannot reach them anyway, until you add a firewall rule allowing a connection with a certain protocol for a certain port and internal host, which is done exactly like when adding the same rule in the NAT case.

If the NAT does not allow incoming connections without express configuration, then it has correct default firewall filtering rules.

The fact that there may be multiple internal computers, is not something that would block the connection, because the NAT can choose the first of the internal addresses that it has seen, maybe rotating the addresses for the next connection requests.

So what blocks the incoming connections is the lack of permission to do that, not the fact that the NAT could not do that if allowed.

It would not surprise me if there are some NAT implementations that attempt to be too helpful so they might send the incoming connections to your local computer even without any configuration for this.

j / k navigate · click thread line to collapse