
NAT is not a firewall. It's not intended to protect, and usually it doesn't. There are many ways to circumvent it...



That's true, but for all intents and purposes NAT is a poor man's firewall. Many people don't know any better, or that's what keeps them safe; they wouldn't know the difference between multiplexing a bunch of machines behind a single IP using port forwarding and firewalling, because if a port isn't forwarded it appears as if it is firewalled.

That's a legacy bit that a lot of people will have a hard time adjusting to when IPv6 becomes more mainstream. Basically every piece of gear in your house can have a routable IP under that scheme, and then suddenly your edge router configuration becomes a lot more important.


I wonder whether how much they have baked into IPv6, the addresses I would consider hard to read (the hex form anyway), the "special" addresses etc., are providing a barrier to adoption.

They should have just expanded the address space in v6 (5?), I reckon (and maybe cleaned up any warts from history that needed it).


Right but the default ruleset allows incoming packets for established connections, meaning your PC can still contact a remote host with malicious intent and be exploited.


Yes, that's true, a reverse connection is always possible in a NAT'd situation. UPnP also doesn't help.


> NAT is not a firewall. It's not intended to protect, and usually it doesn't

It's funny that this still needs to be brought up, but I understand why some people think that NAT offers some real protection.

Basically NAT makes it difficult (without setting up forwarding, etc) for non-malicious-you to reach a device that's behind one, ergo non-malicious-you believes that NAT is providing protection.

"If it's impossible for me to access a port behind a NAT it must be hard for everyone".

Of course the whole point of a NAT gateway is to poke holes in itself (indiscriminately) so that devices behind it can talk to the world.

I wonder what will happen when the whole world is on IPv6 and we don't need NAT anymore - is a consumer wifi router with an actual firewall going to be common, or are we still going to use NAT to "isolate" devices on our local network?

Personally I'm a fan of IPv4 only because I can actually remember the addresses - every time I deal with a v6 address it's copy/paste or bust - forget being able to verbally share the address of a thing.

Mind you I no longer do network consulting, so the only IP address I remember these days is 8.8.8.8. I guess it won't affect my work ¯\_(ツ)_/¯.
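A toy model of the stateful filtering that makes NAT look like a firewall, added here as an illustration and not posted by anyone in the thread. It shows the point raised earlier about established connections (a reply from a host the PC itself contacted is let in while an unsolicited packet to the same PC is dropped) and what the IPv6 question above boils down to: with a routable address and no ruleset, nothing is dropped at all. Addresses and ports are constructed sample values; the router class is hypothetical.

```python
# Added example (not from the thread): a toy model of the stateful filter that
# sits behind both a NAT gateway and a "real" edge firewall. It shows why an
# unforwarded port looks firewalled, why return traffic for an outbound
# connection (even to a malicious host) is still accepted, and what changes
# when every device gets a routable IPv6 address and the filter is absent.
# Addresses and ports are constructed sample values.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class EdgeRouter:
    stateful: bool = True                      # False = plain router, no conntrack
    forwarded_ports: frozenset = frozenset()   # holes the admin explicitly opened
    _flows: set = field(default_factory=set)   # 4-tuples of flows started inside

    def outbound(self, pkt: Packet) -> str:
        # Devices inside may reach anything; the flow is remembered so that
        # replies can come back. A NAT box does exactly this (plus rewriting).
        self._flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return "accept:outbound"

    def inbound(self, pkt: Packet) -> str:
        if not self.stateful:
            return "accept:unfiltered"      # routable address, no firewall at all
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self._flows:
            return "accept:established"     # reply to something we started
        if pkt.dst_port in self.forwarded_ports:
            return "accept:forwarded"       # a port that was forwarded on purpose
        return "drop:unsolicited"           # looks "firewalled" from outside

def scenarios() -> dict:
    nat = EdgeRouter(forwarded_ports=frozenset({8080}))
    pc, bad = "10.0.0.5", "203.0.113.9"        # constructed sample addresses
    nat.outbound(Packet(pc, 50123, bad, 443))  # PC connects out to a bad host
    v6 = EdgeRouter(stateful=False)            # IPv6 box shipped with no ruleset
    return {
        "unsolicited_ssh": nat.inbound(Packet(bad, 4000, pc, 22)),
        "reply_from_bad": nat.inbound(Packet(bad, 443, pc, 50123)),
        "forwarded_port": nat.inbound(Packet(bad, 4000, pc, 8080)),
        "v6_no_firewall": v6.inbound(Packet("2001:db8::9", 4000, "2001:db8::5", 22)),
    }
```

The "reply_from_bad" verdict is the whole point: the filter cannot tell a legitimate reply from one that belongs to a connection the PC was tricked into opening.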


I asked because I would guess that the vast majority of devices that are potentially affected are behind NAT, and they are likely to be safe from outside threats until one is introduced through users or some other hack.

Nowhere was it suggested that NAT was part of the security strategy... which you are right, is a very bad idea.



