
No... it doesn't drop connections, so it doesn't provide any security.



In practical terms, it still provides some (low) level of security. If an attacker can't get IP packets to your machine because it's on an un-routable address, they can't attack it. If your attacker is getting "cooperation" from your ISP to route to it, you have bigger things to worry about.

Obviously you should really use a firewall...


It won't prevent an attacker from getting IP packets to your machine. How could it do that, when it only acts on outbound connections and its only act is to change the apparent source address of those connections?


Did you miss the "because it's on an un-routable address" part? If there's no route to your machine from an attacker, they can't attack you.


The discussion was about the behavior of PAT, and PAT has no influence on whether or not an attacker has a route to you.


The discussion is about NAT and PAT in general. 99% of the time it is used with unroutable private addresses. This means even in the absence of a firewall there is still some level of security. End of story.


It's common to use it with RFC1918 addresses, but that still doesn't change the behavior of PAT. PAT will not drop connections, and thus won't provide you with security.


Security is not black or white, it is shades of gray. We'll just have to disagree.


The behavior of PAT is, though. You can sniff packets and confirm that it behaves the way I'm describing.


I already know this.



