Hacker News new | ask | show | jobs
by zAy0LfpBZLC8mAC 2559 days ago
> By rewriting the IP headers of packets as they traverse routing devices.

How does that prevent hosts on that other network from accessing hosts on your "private network"? Like, a packet addressed to one of the hosts on your "private network" arrives at your NAT gateway from the "other network". How does the NAT rewrite the IP headers, and how does that provide access control?

> If you’re trying to say that all NAT devices are stateless firewalls, then your point is even more contrived than I first thought.

Even that would not be contrived. If removing the NAT function does not change the security functions of a router, then the NAT obviously does not provide security, at best it implies the presence of certain security functions. But even that just isn't the case.

> But I didn’t do that, I connected my home router to my ISP, and I connected my laptop to my home router, which is providing access control for me.

Then that presumably is because your home router provides access control? What does that have to do with NAT, though?
1 comments
AmericanChopper 2559 days ago
Because without NAT, none of the devices on my home network would be able to connect to any internet connected hosts. That is, unless I assigned internet routable addresses to their network interfaces. If I did that, I’d either have to install firewalls on my devices, or expose all services running on my devices to the internet. But I don’t have to do that, because my home router uses NAT to allow all devices on my home network to connect to the internet, without allowing other devices on the internet inbound access.

If you have a point to make, then explain what it is. If you’re just gonna keep asking more contrived questions then I’ll presume you’re simply trolling.

link
vardump 2558 days ago
> If I did that, I’d either have to install firewalls on my devices, or expose all services running on my devices to the internet.

Your router could still firewall them all the same. NAT or no NAT. You would not need to have a firewall on each individual device.

link
AmericanChopper 2558 days ago
So you can replace the security controls provided by NAT with security controls provided by a firewall. How does this support the argument that NAT doesn’t provide any security controls?
link
vardump 2558 days ago
NAT is not meant for security. It just unintentionally provides some by preventing inbound connections.

That's something you can circumvent in certain scenarios. The technique is called "NAT hole punching".

link
zAy0LfpBZLC8mAC 2558 days ago
> It just unintentionally provides some by preventing inbound connections.

No, it doesn't.

link
vardump 2558 days ago
Of course you should also have a properly configured firewall.

Relying on NAT alone for security is not a great idea.

link
zAy0LfpBZLC8mAC 2558 days ago
The point is that IP doesn't work how you think it works, but I have no clue what exactly your misconception is, so I don't know what I need to explain to you to make you see the error in your reasoning.

And unfortunately, you don't even answer my questions, instead just hand-waving your way through the explanation, ignoring all the details that would show where your misunderstanding lies.

In any case, no, if you only remove NAT from your home router that also has a stateful firewall, nothing changes security-wise. It just doesn't. No need to install firewalls on all your devices or anything like that, having a firewall on your uplink router is still perfectly sufficient for that without NAT.

And if your home router really only does NAT, without a stateful firewall that prevents inbound connections, then no, your NAT-only router does not prevent inbound access to your home network.

I understand that you believe otherwise, but your belief simply is incorrect, but you won't be able to understand why if you don't dive into how a NAT gateway actually works instead of hand-waving your way through the explanation.

link
AmericanChopper 2558 days ago
> if you only remove NAT from your home router that also has a stateful firewall, nothing changes security-wise.

But now I don’t have an internet connection, because none of the devices on my home network have an internet routable IP.

link
privateSFacct 2558 days ago
NAT - regardless of firewalls or anything else - requires explicit config to allow packets to a host behind NAT. That’s is a security feature. Carrier grade NAT makes that even clearer. Note - I’ve configured non Firewall NATs - still requires explicit config. Some load balancer are basically non firewall NATs
link
zAy0LfpBZLC8mAC 2558 days ago
For one, that does not strictly follow, because you can use NAT with globally routable addresses on your home network.

But in any case, the implied assumption was that you also switch to globally routable addresses for all your devices/that we are possibly talking about IPv6, where that would be the norm anyway. The point is that actually usable internet connectivity without NAT and with a stateful firewall has exactly zero differences security-wise vs. a setup that uses NAT and a stateful firewall. That is, except for the fact that all those misconceptions that people have about NAT can make people think that their network is secure when it is not, simply because they have NAT--if you don't have NAT, you can not mistakenly believe that it protects you against inbound connections.

link