by zAy0LfpBZLC8mAC 2559 days ago
No, NAT does not prevent connections, it only rewrites addresses. If your NAT router also has a stateful firewall, that is what prevents inbound connections, and removing the NAT from that equation does not change that.

The point is NAT is actually a couple of rules in the router's stateful firewall, it is done by the firewall, and the firewall can't do it without explicit configuration. There can't be a 'default allow NAT' config.
... which doesn't change that that "default allow" firewall will still pass through all packets, and thus allow access to all your internal devices/machines? Absence of NAT rules does not prevent packets from passing through the firewall, it only prevents rewriting of addresses.
The point you were objecting to was "external device can't connect to a device behind NAT without explicit configuration". Without NAT rules, access to internal devices is prevented because packets don't get routed to private IPs.
That just isn't the case, though. A router without NAT and without a firewall (or a combined NAT/firewall thingy with default allow and no further rules) will route packets addressed to "private addresses" just fine. An IP router does not distinguish between "private addresses" and "non-private addresses": As long as there is a route for a prefix in the routing table, the router will route packets addressed to that prefix, and your typical home router most definitely does have a route for your LAN prefix.
So your example depends on the incoming packet already being addressed to a device behind the home router, which in a home network is in a private range. Thus, your example depends on the ISP's network delivering a packet to the customer despite that packet having an IP address that doesn't match the IP address the customer leased. Do you agree, and if so, do you know that this has ever happened in a residential setting?

Or do you mean an adversary who is or who compromises the ISP, possibly by tapping into the coax/fiber/etc in the last mile or by pwning the related nodes?

> Do you agree, and if so, do you know that this has ever happened in a residential setting?

I agree, apart from the claim that the home network is necessarily in a private range. For one, it's not technically necessary, you can use NAT with globally unique and globally routable addresses on the "internal" side. Obviously, people rarely do that with IPv4, but those people who promote the idea that NAT is somehow a security mechanism also use that claim to promote the idea that either IPv6 is bad because it doesn't use NAT, or that you possibly should use NAT with IPv6 ... which is where these misconceptions lead to some pretty crazy results.

> Or do you mean an adversary who is or who compromises the ISP, possibly by tapping into the coax/fiber/etc in the last mile or by pwning the related nodes?

Well, those are obviously attack vectors, and certainly not ones you should ignore, given how often there are all kinds of vulnerabilities being found in network equipment, including but not limited to the regular hard-coded passwords in Cisco equipment.

But, yes, there absolutely have even been publicly known cases where this kind of access would have been possible, from ISPs that forgot to disable RIP on the customer-facing side of their routers, thus propagating some customer's RFC1918 routes into their access network (obviously kind of a configuration fuckup on that customer's side as well), to other ISPs that put multiple customers into a common ethernet segment/VLAN, so you could talk to your neighbour's router's WAN interface if you were a customer of the same ISP.

In any case, if you are responsible for the security of your network, your security boundary most definitely should be in your router, not somewhere in the ISP's network, where nothing of that sort is even legally guaranteed.

So an inbound packet comes in to your NAT and there is no entry for it in the state table. Isn't it then dropped? Isn't that preventing a connection?
Why should it be dropped?

If there is no entry in the state table, then NAT rules are consulted to see whether a new rewrite entry should be added (such as DNAT/port forwarding rules on your home router), and if there is no matching rule either, it simply is forwarded without address rewriting.

Why would it be forwarded? Do you mean that it forwards it to itself, the NAT device addressed by the actual public IP? Wikipedia seems to disagree [0] "if the destination port number of the incoming packet is not found in the translation table, the packet is dropped or rejected because the PAT device doesn't know where to send it."

I am sure a NAT could be configured any number of ways, though, and could probably do anything you want with such packets.

[0] https://en.m.wikipedia.org/wiki/Network_address_translation

> Why would it be forwarded?

Because the device is a router, and that is what routers do.

> Do you mean that it forwards it to itself, the NAT device addressed by the actual public IP?

No, it forwards it to whatever destination address is in the destination address field of the IP headers, because that is what IP routers do.

If it is addressed to one of the NAT device's own addresses, of course, the routing decision would deliver it to the local protocol stack instead of forwarding it, and if there was any service listening on the respective protocol/port, that service would receive the packet (or the TCP stack would respond with a SYN+ACK, or whatever), and if nothing is listening there, the IP stack should respond with either some ICMP error message or possibly a TCP reset or something.

> Wikipedia seems to disagree [0] "if the destination port number of the incoming packet is not found in the translation table, the packet is dropped or rejected because the PAT device doesn't know where to send it."

Well, maybe that is good enough for explaining to a lay audience what a NAT gateway does, because that is what home routers typically will do, because they tend to also have a stateful firewall built in, but it's pretty misleading if you are trying to understand what is actually going on.

> I am sure a NAT could be configured any number of ways, though, and could probably do anything you want with such packets.

Not really, simply by definition: The function of a NAT is the translation of addresses. A router can have many more features, of course, such as a stateful firewall, but the point is that if you only had the address translation functionality, that would not prevent inbound connections, and if you remove the address translation functionality and keep the stateful firewall, inbound connections still aren't possible. Hence, NAT has nothing to do with whether inbound connections are possible, other than that devices that have NAT functionality commonly also have a stateful firewall.

Wouldn't the router only have a route for 192.168.0.x or whatever to go to the private interface? Why would a packet still addressed to the public IP get routed to the private network interface?

> NAT has nothing to do with whether inbound connections are possible

So how would you address a device on the private network from outside?

edit: I read your other response. Fair enough, if your ISP is sending you privately addressed packets they could get through.
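The forwarding decision the thread argues about, as an added example that is not part of the original discussion and not code from any real router: a toy Python model of a home router with a routing table, optional address translation (masquerade on egress plus explicit port forwards) and an optional stateful firewall. It runs the same five constructed packets (documentation addresses, assumed LAN prefix 192.168.1.0/24, public address 198.51.100.7) through each combination of features. With NAT on and the firewall off, an unsolicited WAN packet that already carries a LAN destination is routed into the LAN unchanged, because nothing consulted the translation table; only the stateful firewall turns that into a drop, with or without NAT.

```python
"""Toy model of a home router's forwarding decision (constructed example)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Router:
    wan_ip: str
    routes: dict                    # prefix -> interface name (assumed names: "lan", "wan")
    nat: bool = True                # masquerade on egress + DNAT port forwards
    stateful_fw: bool = False       # drop new flows arriving on WAN unless explicitly DNATed
    dnat: dict = field(default_factory=dict)       # public port -> (lan ip, lan port)
    conntrack: dict = field(default_factory=dict)  # reply tuple -> tuple after rewriting

    def lookup(self, dst):
        """Longest-prefix match. A router makes no private/public distinction here."""
        addr = ipaddress.ip_address(dst)
        best = None
        for prefix, iface in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def handle(self, pkt, in_iface):
        """Return (verdict, out_iface, packet as it leaves the router)."""
        # 1. Known flow: reverse-translate and forward (both NAT and the firewall use this state).
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            pkt = Packet(*self.conntrack[key])
            return ("forward", self.lookup(pkt.dst), pkt)
        # 2. NAT rule lookup for a new inbound flow: only an explicit port forward matches.
        dnat_hit = False
        if self.nat and in_iface == "wan" and pkt.dst == self.wan_ip and pkt.dport in self.dnat:
            lan_ip, lan_port = self.dnat[pkt.dport]
            # the LAN host's reply must be rewritten back to the public address/port
            self.conntrack[(lan_ip, lan_port, pkt.src, pkt.sport)] = (
                self.wan_ip, pkt.src, pkt.dport, pkt.sport)
            pkt = Packet(pkt.src, lan_ip, pkt.sport, lan_port)
            dnat_hit = True
        # 3. Routing decision: the router's own address is delivered locally, the rest forwarded.
        if pkt.dst == self.wan_ip:
            return ("local", None, pkt)
        out_iface = self.lookup(pkt.dst)
        if out_iface is None:
            return ("drop", None, pkt)      # no route (a real stack would send ICMP unreachable)
        # 4. Stateful firewall policy: unsolicited flows from WAN are dropped unless DNATed.
        if self.stateful_fw and in_iface == "wan" and not dnat_hit:
            return ("drop", None, pkt)
        # 5. Egress towards WAN: record state so the reply gets through; with NAT, masquerade.
        if out_iface == "wan":
            new_src = self.wan_ip if self.nat else pkt.src
            self.conntrack[(pkt.dst, pkt.dport, new_src, pkt.sport)] = (
                pkt.dst, pkt.src, pkt.dport, pkt.sport)
            pkt = Packet(new_src, pkt.dst, pkt.sport, pkt.dport)
        return ("forward", out_iface, pkt)


def scenario(nat, stateful_fw):
    """Run the same five constructed packets through a router with the given features."""
    r = Router(wan_ip="198.51.100.7",
               routes={"192.168.1.0/24": "lan", "0.0.0.0/0": "wan"},
               nat=nat, stateful_fw=stateful_fw, dnat={8080: ("192.168.1.20", 80)})
    results = {}
    # A LAN host opens a connection to a public server, and the server replies.
    _, _, out = r.handle(Packet("192.168.1.10", "203.0.113.5", 40000, 443), "lan")
    results["outbound_src"] = out.src
    v, iface, back = r.handle(Packet("203.0.113.5", out.src, 443, 40000), "wan")
    results["reply"] = (v, iface, back.dst)
    # Unsolicited packet that already carries a LAN address (the ISP-misrouting case above).
    v, iface, _ = r.handle(Packet("203.0.113.9", "192.168.1.10", 5555, 22), "wan")
    results["unsolicited_to_lan"] = (v, iface)
    # Unsolicited packet to the public address with no port forward: router's own stack.
    v, _, _ = r.handle(Packet("203.0.113.9", "198.51.100.7", 5555, 22), "wan")
    results["unsolicited_to_public"] = v
    # Explicitly configured port forward (only exists when NAT is enabled).
    v, iface, fwd = r.handle(Packet("203.0.113.9", "198.51.100.7", 5555, 8080), "wan")
    results["port_forward"] = (v, iface, fwd.dst, fwd.dport)
    return results


if __name__ == "__main__":
    for nat in (True, False):
        for fw in (False, True):
            print(f"nat={nat} stateful_fw={fw}:", scenario(nat, fw))
```

The check that matters when auditing a gateway is the `unsolicited_to_lan` verdict: it flips from `forward` to `drop` only when `stateful_fw` is on, never when `nat` is toggled, which is the thread's claim in runnable form. The model deliberately keeps ports unchanged on masquerade and ignores ICMP and TCP state, since neither affects that verdict.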