by AmericanChopper 2556 days ago
Because without NAT, none of the devices on my home network would be able to connect to any internet connected hosts. That is, unless I assigned internet routable addresses to their network interfaces. If I did that, I’d either have to install firewalls on my devices, or expose all services running on my devices to the internet. But I don’t have to do that, because my home router uses NAT to allow all devices on my home network to connect to the internet, without allowing other devices on the internet inbound access.

If you have a point to make, then explain what it is. If you’re just gonna keep asking more contrived questions then I’ll presume you’re simply trolling.

2 comments

> If I did that, I’d either have to install firewalls on my devices, or expose all services running on my devices to the internet.

Your router could still firewall them all the same. NAT or no NAT. You would not need to have a firewall on each individual device.

So you can replace the security controls provided by NAT with security controls provided by a firewall. How does this support the argument that NAT doesn’t provide any security controls?

NAT is not meant for security. It just unintentionally provides some by preventing inbound connections.

That's something you can circumvent in certain scenarios. The technique is called "NAT hole punching".

> It just unintentionally provides some by preventing inbound connections.

No, it doesn't.

Of course you should also have a properly configured firewall.

Relying on NAT alone for security is not a great idea.

The point is that IP doesn't work how you think it works, but I have no clue what exactly your misconception is, so I don't know what I need to explain to you to make you see the error in your reasoning.

And unfortunately, you don't even answer my questions, instead just hand-waving your way through the explanation, ignoring all the details that would show where your misunderstanding lies.

In any case, no, if you only remove NAT from your home router that also has a stateful firewall, nothing changes security-wise. It just doesn't. No need to install firewalls on all your devices or anything like that, having a firewall on your uplink router is still perfectly sufficient for that without NAT.

And if your home router really only does NAT, without a stateful firewall that prevents inbound connections, then no, your NAT-only router does not prevent inbound access to your home network.

I understand that you believe otherwise, but your belief simply is incorrect, but you won't be able to understand why if you don't dive into how a NAT gateway actually works instead of hand-waving your way through the explanation.

> if you only remove NAT from your home router that also has a stateful firewall, nothing changes security-wise.

But now I don’t have an internet connection, because none of the devices on my home network have an internet routable IP.

NAT - regardless of firewalls or anything else - requires explicit config to allow packets to a host behind NAT. That’s a security feature. Carrier grade NAT makes that even clearer. Note - I’ve configured non-firewall NATs - still requires explicit config. Some load balancers are basically non-firewall NATs.

For one, that does not strictly follow, because you can use NAT with globally routable addresses on your home network.

But in any case, the implied assumption was that you also switch to globally routable addresses for all your devices/that we are possibly talking about IPv6, where that would be the norm anyway. The point is that actually usable internet connectivity without NAT and with a stateful firewall has exactly zero differences security-wise vs. a setup that uses NAT and a stateful firewall. That is, except for the fact that all those misconceptions that people have about NAT can make people think that their network is secure when it is not, simply because they have NAT--if you don't have NAT, you can not mistakenly believe that it protects you against inbound connections.
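
The distinction the thread keeps circling, translation versus filtering, as an added example that is not part of the thread or any commenter's code. It is a simplified toy model: the `Gateway` class, its return strings and all addresses (documentation ranges) are constructed for illustration and do not reproduce any real router's implementation.

```python
from dataclasses import dataclass, field

@dataclass
class Gateway:
    """Toy model of a home router; all addresses are constructed examples."""
    nat: bool            # rewrite outbound sources to public_ip
    stateful_fw: bool    # forward inbound only if it matches a known flow
    lan_hosts: set
    public_ip: str = "203.0.113.1"
    flows: set = field(default_factory=set)      # (lan_ip, lan_port, remote_ip, remote_port)
    nat_map: dict = field(default_factory=dict)  # (pub_port, remote_ip, remote_port) -> (lan_ip, lan_port)

    def outbound(self, src, sport, dst, dport):
        self.flows.add((src, sport, dst, dport))
        if self.nat:
            self.nat_map[(sport, dst, dport)] = (src, sport)

    def inbound(self, src, sport, dst, dport):
        # NAT only translates: a packet to public_ip without a mapping has
        # no LAN destination, so it ends at the router itself.
        if self.nat and dst == self.public_ip:
            mapped = self.nat_map.get((dport, src, sport))
            if mapped is None:
                return "no-mapping"
            dst, dport = mapped
        if dst not in self.lan_hosts:
            return "no-route"
        # The accept/drop decision is made here, by the filter, not by NAT.
        if self.stateful_fw and (dst, dport, src, sport) not in self.flows:
            return "dropped"
        return "forwarded:" + dst

def demo():
    r4, r6 = "198.51.100.7", "2001:db8:ffff::1"
    v4, v6 = "192.168.1.10", "2001:db8::10"
    nat_only = Gateway(nat=True, stateful_fw=False, lan_hosts={v4})
    nat_fw = Gateway(nat=True, stateful_fw=True, lan_hosts={v4})
    fw_only = Gateway(nat=False, stateful_fw=True, lan_hosts={v6})
    nat_fw.outbound(v4, 50000, r4, 443)
    fw_only.outbound(v6, 50000, r6, 443)
    return {
        "nat_only, to public IP": nat_only.inbound(r4, 4444, nat_only.public_ip, 22),
        "nat_only, to LAN address": nat_only.inbound(r4, 4444, v4, 22),
        "nat+fw, to LAN address": nat_fw.inbound(r4, 4444, v4, 22),
        "nat+fw, reply": nat_fw.inbound(r4, 443, nat_fw.public_ip, 50000),
        "fw_only, unsolicited": fw_only.inbound(r6, 4444, v6, 22),
        "fw_only, reply": fw_only.inbound(r6, 443, v6, 50000),
    }
```

In this model the only cases that differ between the gateways are the ones decided by the `stateful_fw` check; the NAT step never rejects a packet, it only rewrites the ones it has a mapping for.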