by zAy0LfpBZLC8mAC 2556 days ago
... which doesn't change that that "default allow" firewall will still pass through all packets, and thus allow access to all your internal devices/machines? Absence of NAT rules does not prevent packets from passing through the firewall, it only prevents rewriting of addresses.

The point you were objecting to was "external device can't connect to a device behind NAT without explicit configuration". Without NAT rules, access to internal devices is prevented because packets don't get routed to private IPs.
That just isn't the case, though. A router without NAT and without a firewall (or a combined NAT/firewall thingy with default allow and no further rules) will route packets addressed to "private addresses" just fine. An IP router does not distinguish between "private addresses" and "non-private addresses": As long as there is a route for a prefix in the routing table, the router will route packets addressed to that prefix, and your typical home router most definitely does have a route for your LAN prefix.
So your example depends on the incoming packet already being addressed to a device behind the home router, which in a home network is in a private range. Thus, your example depends on the ISP's network delivering a packet to the customer despite that packet having an IP address that doesn't match the IP address the customer leased. Do you agree, and if so, do you know that this has ever happened in a residential setting?

Or do you mean an adversary who is or who compromises the ISP, possibly by tapping into the coax/fiber/etc in the last mile or by pwning the related nodes?

> Do you agree, and if so, do you know that this has ever happened in a residential setting?

I agree, apart from the claim that the home network is necessarily in a private range. For one, it's not technically necessary; you can use NAT with globally unique and globally routable addresses on the "internal" side. Obviously, people rarely do that with IPv4, but those people who promote the idea that NAT is somehow a security mechanism also use that claim to promote the idea that either IPv6 is bad because it doesn't use NAT, or that you possibly should use NAT with IPv6 ... which is where these misconceptions lead to some pretty crazy results.

> Or do you mean an adversary who is or who compromises the ISP, possibly by tapping into the coax/fiber/etc in the last mile or by pwning the related nodes?

Well, those are obviously attack vectors, and certainly not ones you should ignore, given how often there are all kinds of vulnerabilities being found in network equipment, including but not limited to the regular hard-coded passwords in Cisco equipment.

But, yes, there absolutely have even been publicly known cases where this kind of access would have been possible, from ISPs that forgot to disable RIP on the customer-facing side of their routers, thus propagating some customer's RFC1918 routes into their access network (obviously kind of a configuration fuckup on that customer's side as well), to other ISPs that put multiple customers into a common ethernet segment/VLAN, so you could talk to your neighbour's router's WAN interface if you were a customer of the same ISP.

In any case, if you are responsible for the security of your network, your security boundary most definitely should be in your router, not somewhere in the ISP's network, where nothing of that sort is even legally guaranteed.
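The forwarding behaviour argued over in this thread (a router forwards to any prefix in its routing table, an empty NAT table rewrites nothing and blocks nothing, and only a default-deny forward policy on the router itself stops an unsolicited packet that reaches the WAN side), as an added illustration written for this page and not part of the original discussion. The `Router` and `Packet` model, the interface names and the addresses are constructed assumptions, not any real router's configuration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of a home router's forwarding path. The NAT table is
# empty on purpose: the point is that routing alone delivers a packet
# addressed to an RFC1918 host once that prefix has a route.

@dataclass
class Packet:
    src: str     # source IP
    dst: str     # destination IP
    in_if: str   # ingress interface: "wan" or "lan"

@dataclass
class Router:
    routes: dict                                    # prefix -> egress interface
    forward_policy: str = "accept"                  # "accept" = default allow, "drop" = default deny
    nat_rules: list = field(default_factory=list)   # (dst_to_match, rewrite_to); empty here
    conntrack: set = field(default_factory=set)     # (lan_host, remote) flows opened from the LAN

    def route(self, dst: str):
        """Longest-prefix match over the routing table; None if no route."""
        ip = ipaddress.ip_address(dst)
        matches = [ipaddress.ip_network(p) for p in self.routes if ip in ipaddress.ip_network(p)]
        best = max(matches, key=lambda n: n.prefixlen, default=None)
        return self.routes[str(best)] if best else None

    def forward(self, pkt: Packet) -> str:
        # Destination NAT (if any rule existed) runs before the routing lookup.
        for match, rewrite in self.nat_rules:
            if pkt.dst == match:
                pkt.dst = rewrite
        egress = self.route(pkt.dst)
        if egress is None:
            return "no-route"
        if pkt.in_if == "lan":
            self.conntrack.add((pkt.src, pkt.dst))  # remember the LAN-initiated flow
            return f"forward:{egress}"
        # Inbound on WAN: a default-deny forward chain only admits replies to known flows.
        if self.forward_policy == "drop" and (pkt.dst, pkt.src) not in self.conntrack:
            return "dropped"
        return f"forward:{egress}"

if __name__ == "__main__":
    routes = {"192.168.1.0/24": "lan", "0.0.0.0/0": "wan"}
    allow, deny = Router(routes), Router(routes, forward_policy="drop")
    probe = Packet("203.0.113.5", "192.168.1.10", "wan")   # unsolicited, addressed to a LAN host
    print("default allow, no NAT rules:", allow.forward(probe))   # forward:lan
    print("default deny, no NAT rules: ", deny.forward(probe))    # dropped
```

The default-allow router hands the packet to the LAN unchanged, which is exactly the case the thread describes; the default-deny router drops it until a LAN host has opened a flow to that remote address.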