
>NAT provides security because normally it disallows external actors on the outside from accessing resources on the inside side.

No. NAT enables internal, non-routable (cf. rfc1918[0]) actors on the inside to access external resources on the Internet. Generally, that's done via NAT masquerade[1] (one-to-many NAT), but can also be done with one-to-one NAT.

>A firewall is not required for NAT to work, although many firewalls have NAT built-in. And indeed, if a firewall is off NAT can still function (if NAT is separate).

No. It isn't. And if you enable NAT without firewall rules, it will happily expose your internal network to external actors. In fact, that's the whole point of NAT.

In fact, not using IPv4 NAT is enormously more secure than using IPv4 NAT, assuming you're using RFC1918 addresses internally. Primarily because non-NATted RFC1918 addresses won't be forwarded by routers on the Internet (CGNAT notwithstanding).

>Here's the end point: NAT effectively reduces the attack surface for a home network to the router. That is security, practically speaking.

Again, no. Enabling NAT increases the attack surface for all networks, regardless of type. Without NAT, external actors need to compromise your router first, then get it to accept spoofed packets.

Yes, there's detail that I've ignored, as it's irrelevant to the statements made. Most of that is related to "I want to access Internet resources, but my ISP won't give me anything but a single, ephemeral, routable IPv4 address, so I need to use NAT to share that one address."

That's not an argument for the "security" of NAT, it's an argument for being mad at your ISP, especially if they won't give you a /56 block of IPv6 addresses.

[0] https://www.rfc-editor.org/rfc/rfc1918

[1] https://en.wikipedia.org/wiki/Network_address_translation#On...


> No. It isn't. And if you enable NAT without firewall rules, it will happily expose your internal network to external actors. In fact, that's the whole point of NAT.

How exactly would a regular NAT implementation, such as a consumer router's NAT, remove security compared to a direct connection? Assuming there is no port forwarding configured, the NAT will drop (or NACK) any packets addressed to the router's IP on any port that doesn't correspond to a currently open connection.

Since the machines behind the NAT have RFC1918 addresses, remote actors will not be able to send a packet to them, other than by sending packets to the router's IP.

So, overall, a NAT box with no firewall rules configured still acts like a stateful firewall for remote attackers. It's true that attackers that have access to the WAN port of the router, such as someone infecting your ISP, can still send traffic directly to the RFC1918 addresses behind the router, and the router would deliver them (whereas with a firewall, those would also get dropped). So a firewall is still preferable, but the difference in security is actually quite low.

> In fact, not using IPv4 NAT is enormously more secure than using IPv4 NAT, assuming you're using RFC1918 addresses internally. Primarily because non-NATted RFC1918 addresses won't be forwarded by routers on the Internet (CGNAT notwithstanding).

This statement makes no sense. If you are not using NAT of some kind, and your machines only have RFC1918 addresses, then your machines can't access the Internet at all. Now, sure, that is quite secure - but you can get the exact same security by disconnecting the WAN port of the router, with the exact same effects - so this is quite irrelevant to the use-cases being discussed.


>How exactly would a regular NAT implementation, such as a consumer router's NAT, remove security compared to a direct connection? Assuming there is no port forwarding configured, the NAT will drop (or NACK) any packets addressed to the router's IP on any port that doesn't correspond to a currently open connection.

No one (at least not me) said anything about a "direct connection" (which I assume means using globally routable IPv4 addresses on your internal systems).

Nor did anyone say anything about not forwarding any ports. In fact, much of the discussion has been about how "secure" NAT is when forwarding ports, with some folks claiming that doing so is all you need. Or did you miss those 80-100 comments?

>This statement makes no sense. If you are not using NAT of some kind, and your machines only have RFC1918 addresses, then your machines can't access the Internet at all.

Exactly. That was my point. And if you add NAT without stateful firewall rules to limit access, your internal systems are exposed.

I tell you what: post the IP address/range of your home network, turn off the firewall you're using and just leave NAT enabled as it is right now and we can see for ourselves just how "secure" bare NAT is. What do you say?

Unsecured NAT (i.e., without, at a minimum, firewall rules limiting connectivity -- a default deny rule at least) is not secure at all.

I've said (now twice) what I had to say. Feel free to disagree (again) and/or downmod my post, but my decades of experience professionally implementing networks, and the security infrastructure which attempts to secure them (at the perimeter as well as at the LAN, server and endpoint), informs my opinion.

Don't agree? That's fine with me. It's no skin off my nose. I have no axe to grind with you or anyone else around this or anything else.

Have a good day.

Edit: Clarified the "Globally routable" addresses as IPv4.


I've explained before, in many threads, that pure consumer NAT, without a firewall, has exactly the same behavior as a consumer stateful firewall, except for two cases:

1. The ISP is malicious/compromised, and sends packets with RFC1918 addresses on the router's WAN port.

2. The router itself has admin services that are listening on public IPs (e.g. an HTTP server listening on 0.0.0.0 instead of 192.168.0.1), so it itself could be compromised from outside the ISP network.

Except for these two points, there is no difference between the security characteristics of a consumer NAT and a consumer firewall:

1. LAN machines can't be reached over the internet other than through the NAT, since a packet addressed to 192.168.0.7 from Google will not be routed by any ISP.

2. When a packet arrives to the NAT with a destination IP set to the NAT public IP, the packet will not be delivered to any box on the LAN unless (a) its ports match an active connection from a LAN box, or (b) its destination port matches an explicit port forward rule an admin added.

Case (a) above is exactly what a stateful firewall with a default deny rule does. Case (b) is also exactly the same, as if you explicitly open a port in this type of consumer firewall, it will allow any packet matching that port.

Now, I wouldn't disable my firewall, because I don't trust that my consumer router is itself well enough secured, and I don't necessarily trust my ISP's network either. But this doesn't mean that my laptop is exactly as secure if it were to sit behind this router with no firewall as it would be if I disabled both firewall and NAT entirely and gave my laptop a publicly routable IPv4.
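As an added illustration of the behaviour this comment describes (example code, not the commenter's own): a toy Python model of a consumer NAT's connection table, showing rule (a) (reply to an active connection), rule (b) (explicit port forward), the default deny, and case 1 (an RFC1918 destination arriving on the WAN port), where a hypothetical `firewall` flag decides whether the box forwards or drops. All addresses are constructed from RFC 1918 and TEST-NET ranges.

```python
import ipaddress
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.5"                         # constructed WAN address (TEST-NET-3)
LAN_NET = ipaddress.ip_network("192.168.0.0/24")  # RFC 1918 space behind the box


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatBox:
    """Toy consumer NAT masquerade with an optional stateful firewall in front of it."""

    def __init__(self, firewall=False, forwards=None):
        self.firewall = firewall          # hypothetical flag: drop RFC1918 destinations seen on WAN
        self.forwards = forwards or {}    # dport -> (lan_ip, lan_port), the admin's port forwards
        self.table = {}                   # (remote_ip, remote_port, nat_port) -> (lan_ip, lan_port)
        self.next_port = 40000

    def outbound(self, pkt):
        """LAN -> WAN: allocate a NAT port, record the mapping, rewrite the source."""
        nat_port = self.next_port
        self.next_port += 1
        self.table[(pkt.dst, pkt.dport, nat_port)] = (pkt.src, pkt.sport)
        return Packet(PUBLIC_IP, nat_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """WAN -> LAN: return the (lan_ip, lan_port) the packet is delivered to, or None."""
        if ipaddress.ip_address(pkt.dst) in LAN_NET:
            # Case 1 from the comment: an RFC1918 destination arriving on the WAN port.
            # Nothing on the Internet routes it here, but a host on the ISP side can send it.
            # Bare NAT just forwards it; a firewall drops it.
            return None if self.firewall else (pkt.dst, pkt.dport)
        if pkt.dst != PUBLIC_IP:
            return None                   # not addressed to us at all
        key = (pkt.src, pkt.sport, pkt.dport)
        if key in self.table:             # (a) reply to an active LAN-initiated connection
            return self.table[key]
        if pkt.dport in self.forwards:    # (b) explicit port forward rule
            return self.forwards[pkt.dport]
        return None                       # default deny, same as the stateful firewall
```

The table is keyed on the remote endpoint as well as the NAT port, i.e. endpoint-dependent filtering, which is the usual behaviour of a consumer router and the reason an unrelated host cannot reuse an open mapping.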


There have been peaceful protests all over the country for months. Have you not been paying attention?

And there will be more, and soon (tomorrow -- 20-Jan-2026 -- in fact)[0]

[0] https://www.freeameri.ca/


>From https://www.theatlantic.com/ideas/archive/2022/11/democrats-...

You conveniently left out that the author (Ruy Teixeira[0]) of the piece you quoted is a senior fellow at the right-wing think tank that authored the Project 2025 roadmap.

Should we ask Stalin to critique US Cold War policies? Or maybe ask Xi Jinping to publicly assess the relative strengths and weaknesses of Taiwan's defense posture too?

[0] https://en.wikipedia.org/wiki/Ruy_Teixeira


False analogy. The Atlantic is a Democratic mouthpiece and they posted his message because we Democrats will keep losing if we don't wake up. Here is an article from another author with a similar message.

https://www.theatlantic.com/politics/archive/2025/02/democra...

Quote: The February 18 focus group, in a state that saw deep Democratic erosion last year and will elect a new governor this fall, was the first stop of a new $4.5 million research project centered on working-class voters in 20 states that could hold the key to Democratic revival. American Bridge 21st Century, an independent group that spent about $100 million in 2024 trying to defeat Trump, has decided to invest now in figuring out what went wrong, how Trump’s second term is being received, and how to win back voters who used to be Democratic mainstays but now find themselves in the Republican column.


In the US, the far-right party elects many fewer women than the center-right party[0]

[0] https://www.pewresearch.org/short-reads/2025/02/21/women-acc...


>To be absolutely frank, I don't consider the Democrat party as "Left" in any (traditional?) sense at all, even though it may include Left and Left-leaning elements.

It's the Democratic Party (not "Democrat": a member of that party is a Democrat, but the party is the "Democratic" Party), and calling it the "Democrat" party has its roots in Republicans deliberately misnaming the party as one of many attempts to devalue and dismiss the Democratic Party. If that's your goal, then please continue. Otherwise, it's like calling an Englishman a Limey or a Pommie just because you've heard others do so.

Otherwise, you're quite correct, in that the US Democratic Party is mostly a center-right party, with its most progressive/left-wing elements being firmly center-left.


>The politics of fear stoked by two sets of extremists egging each other on is the core reason we're in this mess, the failure to reject both simultaneously and the desire to rule with feelings instead of facts caused it all.

Pol Pot[0] was a leftist extremist. Chairman Mao[1] was a leftist extremist. As were the Red Brigades[2] and the Symbionese Liberation Army[3], etc., etc., etc. Who in the US Democratic Party advocates for the same things as those guys? Let's see. No one.

In fact, the only ones in the US who've shown an interest in nationalizing the means of production (cf. Intel) or putting down the intelligentsia and normalizing violence against those who criticize the regime are just one set of extremists. Because extremists end up going full circle -- because for them it's about power and not ideology.

[0] https://en.wikipedia.org/wiki/Pol_Pot

[1] https://en.wikipedia.org/wiki/Mao_Zedong

[2] https://en.wikipedia.org/wiki/Red_Brigades

[3] https://en.wikipedia.org/wiki/Symbionese_Liberation_Army


>I hate the concept. But this is not the right case to test the tool against.

To which case are you referring? TFA doesn't appear to refer to any ongoing litigation associated with the "Tangles" software.

Or are you referring to warrantless geo-fence tracking as a poor use case for the software?


> which case are you referring?

The example given at the top of the article. We want Tangle or whatever used idiotically to strike down its use in federal court.


Tracking the population without cause is never the right use case for anything.

>Tracking the population without cause is never the right use case for anything.

Agreed. Which is why I submitted this in the first place. But AFAICT, it's orthogonal to GP's comment. Or not. Which is why I asked for clarification.


Transit and traffic planners would be foaming at the mouth for real commute data like this instead of just fixed point count data.

Transit fare collection systems in many metros already log tap on / tap off location data and make it accessible to planners (and police).

Google has it

AFAIK they're moving their stuff to be on device

https://www.reddit.com/r/GoogleMaps/comments/1diivt3/megathr...


Trust is really low that this will not be shadow-mined anyway. There’s far too much money to be made. This reads like greenwashing to me. Makes someone on the board feel good but in reality, fingerprinting and location data is still completely identifiable.

Title too long for submission. Original title:

Texas Police Invested Millions in a Shadowy Phone-Tracking Software. They Won’t Say How They’ve Used It.


Truly a "why say many words" title!

"Texas Police Won't Say How Used Shadowy Phone-Tracking Software Millions Spent On"?

>How on EARTH are we going to host the World Cup this year?

Good question. Which is likely another reason for more ticket cancellations[0].

[0] https://www.financialexpress.com/sports/fifa-calls-for-emerg...


>Flagging on the other hand to me on a post as such and other attempts genuinely sadden me because I was only able to discover this flagged post because people wrote about this article in the post I built which has also promptly got flagged.

I find that annoying myself. However, at the suggestion of another user, I began looking at https://news.ycombinator.com/active instead of the front page.

The "active" page (as its name implies) includes the most active discussions regardless of whether or not they've been flagged.

I find it to be a much better place to find stuff to discuss.


On top of these methods, I will often surface content and discussion by looking at:

- the search page for the last 24h, with a list of both "title" keywords and "comment" keywords, based on how many results are appearing

- the comment histories of folks I have enjoyed.

I do this by modifying the query string in the URL field.

I am quite glad that these modes of finding content on the site take a little effort; I already have a 180 min timeout and it's not the healthiest way to try and find my news. This is, fortunately, the only social media site I am actively writing responses on, other than some message boards.

And I don't try to bookmark my way through those keywords; I just have a set of stuff I find in comment threads I find interesting memorized and look for those threads ("measles", "salvador", "venazuela", "flock").

But I find it a lot easier to find general news and conversations I am curious about using that method.

