• frezik
    link
    fedilink
    arrow-up
    6
    ·
    6 months ago

    It wasn’t designed for a security purpose in the first place. So turn the question around: why does NAT make a network more secure at all?

    The answer is that it doesn’t. Firewalls work fine without NAT. Better, in fact, because NAT itself is a complication firewalls have to deal with, and complications are the enemy of security. The benefits of obfuscating hosts behind the firewall is speculative and doesn’t outweigh other benefits of end to end addressing.

    • AceBonobo@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      6 months ago

      The main benefit of a NAT is that by default it prevents all external access to the hosts inside the network. Any port you have open is not accessible unless explicitly forwarded.

      This has a lot of security benefits. Regardless, everything you said is sounds true to me.

      • frezik
        link
        fedilink
        arrow-up
        4
        ·
        edit-2
        6 months ago

        You can get exactly the same benefit by blocking non-established/non-related connections on your firewall. NAT does nothing to help security.

        Edit: BTW–every time I see this response of “NAT can prevent external access”, I severely question the poster’s networking knowledge. Like to the level where I wonder how you manage to config a home router correctly. Or maybe it’s the way home routers present the interface that leads people to believe the two functions are intertwined when they aren’t.

        • AceBonobo@lemmy.world
          link
          fedilink
          arrow-up
          1
          ·
          edit-2
          6 months ago

          I didn’t mean prevent, just makes it harder by default. You can still open connections from within the NAT

          Edit: I do admit to failing at accessing my IPv6 PC from my IPv6 phone

          Edit2: apparently NAT is full of security bugs

          • frezik
            link
            fedilink
            arrow-up
            2
            ·
            6 months ago

            If your home router blocked incoming connections on IPv4 by default now, then it’s likely to continue doing so for IPv6. At least, I would hope so. The manufacturer did a bad job if otherwise.

            • AceBonobo@lemmy.world
              link
              fedilink
              arrow-up
              1
              ·
              6 months ago

              I figure the mobile carrier was blocking incoming connections to my phone. This was a couple of years ago, things might have changed since then.

      • hank_and_deans@lemmy.ca
        link
        fedilink
        arrow-up
        1
        ·
        6 months ago

        Yeah, no. If remote hosts could not send traffic to hosts behind NAT almost nothing would work.

        The hacks employed to make NAT work make security worse, not better.

        • AceBonobo@lemmy.world
          link
          fedilink
          arrow-up
          1
          ·
          edit-2
          6 months ago

          You’re talking about NAT traversal? We do have control over which we apps we run though?

          Edit: apparently NAT is full of bugs