[icedchai]

So in other words, even without a firewall, it still provides some level of security. If your attacker can't route to your target's addresses because they are private RFC1918, they're "blocked" for all practical purposes. Yes, I know they're not technically blocked... but the typical attacker 10 hops away isn't going to know...

[zAy0LfpBZLC8mAC]

On the other hand, this might also give other people a false sense of security. Most people who tell you that "NAT provides security" think that NAT somehow drops packets, and if your network is actually targeted, this myth might well be the reason why someone ends up downloading all your files by connecting to your file server through your NAT gateway.

[Dagger2]

No... it doesn't drop connections, so it doesn't provide any security.

[icedchai]

In practical terms, it still provides some (low) level of security. If an attacker can't get IP packets to your machine because it's on an un-routable address, they can't attack it. If your attacker is getting "cooperation" from your ISP to route to it, you have bigger things to worry about it.

Obviously you should really use a firewall...

[Dagger2]

It won't prevent an attacker from getting IP packets to your machine. How could it do that, when it only acts on outbound connections and its only act is to change the apparent source address of those connections?

[icedchai]

Did you miss "because it's on an un-routable address" part? If there's no route to your machine from an attacker, they can't attack you.

[Dagger2]

The discussion was about the behavior of PAT, and PAT has no influence on whether or not an attacker has a route to you.

[icedchai]

The discussion is about NAT and PAT in general. 99% of the time it is used with unrouteable private addresses. This means even in the absence of a firewall there is still some level of security. End of story.