[jfindley]

So how are you, with your publically routed IP of (for example) 56.10.10.100 planning to connect to the GP, who has (for example) a public egress IP of 73.100.100.10, but is in fact using NAT, and his desktop's real IP is 192.168.1.20? I feel like you might be trying to point out that NAT devices can be configured to forward all traffic to some backend device - while true this is disingenous because they are basically always not configured like this.

I realise NAT is unpopular with networking purists, but trying to claim that it doesn't prevent inbound connections seems to be overstating your case quite severely. I'd also note that if your firewall is stateful or not is irrelevant for the point you were trying to make - oldfashioned stateless firewalls can also block inbound connections just fine.

[oarsinsync]

It's less of a 'networking purist', and more of a 'order of events' thing.

If I send a packet from SRCIP1:SRCPORT1 to DESTIP1:DESTPORT1, and his real desktop IP is DESTIP2, the first event to occur is the stateful firewall checks if there's a session that exists between SRCIP1:SRCPORT1 and DESTIP1:DESTPORT1.

If the session does not exist, the firewall drops the connection.

If the session does exist, the next step is to hit the NAT table, to look up what to translate, for session SRCIP1,SRCPORT1,DESTIP1,DESTPORT1 into SRCIP2,SRCPORT2,DESTIP2,DESTPORT2.

Note that it's possible that source ip, source port, destination port may not change in this scenario, where there's an RFC1918 DESTIP2. It depends on the NAT configuration.

So again, strictly speaking, NAT does not prevent the connection. The stateful firewall does. NAT does not protect you, the firewall does.

"Old fashioned stateless firewalls" are also not widely deployed on consumer grade CPEs.

[jfindley]

That only allows you to send replies along an existing TCP stream. In order to exploit this to compromise some home desktop, you first must persaude them to connect to you. Except... Oops! You now aren't bypassing NAT at all, you're just yet another malicious host that you tricked the user into connecting to.

Every argument I've heard against NAT being an effective practical mitigation for home users runs smack into the problem of being a oh-well-actually scenario that's fantastically contrived and doesn't represent a realistic threat model for the average home user.

[oarsinsync]

I'm not talking about threat models or exploits, I'm talking about the order of events, how most consumer grade CPEs actually work.

For an inbound connection again, there is a packet filter first, that will permit inbound connections based on whatever filter parameters are defined (usually matching established sessions, or new sessions filtered by just protocol and dport), and if that clears, the second step is NAT.

In both cases, the filter happens before the translation.

[411111111111111]

Its just basically impossible to get a consumer grade nat without an inbuilt stateful firewall.

He's correct that the NAT doesn't stop the connection, but the stateful firewall is another service on the same device so you will never really notice the difference

With the theoretical situation of a NAT without a firewall a connection is technically possible, as long as you are able to inspect any previously sent TCP packets and use the sender bits to route your new packets

[zAy0LfpBZLC8mAC]

> So how are you, with your publically routed IP of (for example) 56.10.10.100 planning to connect to the GP, who has (for example) a public egress IP of 73.100.100.10, but is in fact using NAT, and his desktop's real IP is 192.168.1.20?

By sending a packet to them that has the destination address 192.168.1.20?

You seem to be making the assumption that the only way to send a packet to the WAN interface of a NAT router is through the public internet. While being able to do that widens the attack surface, it absolutely is not the only way, and your threat model is broken if you assume that it is.

> I realise NAT is unpopular with networking purists, but trying to claim that it doesn't prevent inbound connections seems to be overstating your case quite severely.

No, that belief is one of the big myths that keeps people configuring insecure networks.

> I'd also note that if your firewall is stateful or not is irrelevant for the point you were trying to make - oldfashioned stateless firewalls can also block inbound connections just fine.

That's true and it's not. Of course, you can block all connections with a stateless firewall, and thus obviously also block all inbound connections. But a stateless firewall is very limited in selectively blocking specifically inbound connections across random protocols, and especially so if it doesn't know detailed information about your network and services to infer what constitutes a packet establishing a connection, while with a stateful firewall you can essentially just say "drop inbound connections" without any further details about your networks, and it'll do a good job at it.

Plus, you could argue about whether, for example, dropping TCP SYNs but forwarding all other TCP packets actually counts as "blocking inbound connections", given that tons of potential "inbound packets" will be forwarded to your internal systems and you really rely on your internal systems not accepting any of them as "establishing a connection" or possibly just being vulnerable to those "inbound but not establishing a connection" sort of packets.

[jfindley]

Perhaps you could expand on the threat model you're talking about where you, as a remote attacker, can somehow get a packet with an RFC1918 dest IP sent to the WAN port of your intended victims home router.

It's perhaps worth pointing out that this discussion is very much in the context of a home network, so well-actually arguments about "maybe I have a GRE tunnel set up to this random users home router" or "maybe I'm their ISP and want to break into the router I supplied them with" won't really carry much weight - you mentioned the concept of a broken threat-model, but a threat model needs to be grounded in reality, and the reality is that unless you go far out of your way to do silly things NAT is a reasonable and practical protection for home users against accidentally exposing services on their network to the internet at large.

[zAy0LfpBZLC8mAC]

> Perhaps you could expand on the threat model you're talking about where you, as a remote attacker, can somehow get a packet with an RFC1918 dest IP sent to the WAN port of your intended victims home router.

The threat model is really simple: If it's not under your control, then you shouldn't needlessly rely on it for security. And from the point where the wires leave your house, it's not under your control.

A random selection of possible attack scenarios:

- Hooking up a DSLAM to your DSL somewhere along the path to the CO.

- Compromising your ISP's edge routers through vulnerabilities/hard-coded passwords.

- If your router happens to also announce its RFC1918 prefix to the outside world and your ISP's misconfigured edge routers propagate those routes in their access network, being your neighbour might be enough.

- If your ISP is incompetent at configuring VLANs so you end up in the same VLAN as other customers in your area, again, being your neighbour might be enough.

(And yes, those are things that have happened.)

> It's perhaps worth pointing out that this discussion is very much in the context of a home network,

Except it really isn't. For one, the context was the home network of someone who would prefer to assign a public prefix on their home network. That is probably very much not the kind of stereotypical home network that is generally meant when you speak about "a home network" (i.e., a bunch of consumer devices on a WiFi). And also, the distinction really is only relevant in so far as specific home networks generally are not targeted, but that doesn't really change that it's still a bad idea to completely unnecessarily have a NAT run without a stateful firewall (the NAT needs to keep all the state that the firewall needs to keep anyway), and that as soon as you do have that firewall, NAT does not add anything at all.

So, yes, it might be that in some particular setups NAT without a stateful firewall is good enough for your particular needs. But that doesn't change that the general idea that "NAT prevents inbound connections" needs to die, because it is (a) far from true in the general case and (b) even where/in so far as it is true, you are almost always better off with a stateful firewall instead, so it's a bad rule of thumb both because you actually have to understand the limits of where it applies to not end up vulnerable and because the alternative actually works better with no downsides, except in rare circumstances, and even then, it's only an economical downside (namely: buying a new device that does things properly instead of using what you already have).

[jfindley]

Couple of points: Most of those vectors would represent extreme levels of paranoia for the average home user. If you have sufficiently motified and skilled adversaries that they are prepared to start hijacking your DSL connection, you're probably screwed before you start.

Secondly: I never said you shouldn't also have a firewall - indeed basically all NAT routers are also firewalls, and both are active by default. The added protection NAT offers is that even if an inexperienced user accidentally opens up too much in their firewall, it's unlikely that this will make their internal home network publically accessible because ordinarily attackers aren't going to be able to send packets there. This is a real and useful feature for users who don't count the Mossad in their home network threat model (which is likely almost everyone reading this).

[zAy0LfpBZLC8mAC]

> Couple of points: Most of those vectors would represent extreme levels of paranoia for the average home user.

That's not really a useful measure, though, because this can be said about every single vulnerability used in a mass compromise up to the second when that mass compromise happens. The difference between "extreme levels of paranoia" and "common sense security practice" is someone somewhere deciding to use that particular vulnerability in some malware because random circumstances made a bunch of vulnerabilities that individually are kinda useless align to make an exploit chain.

> If you have sufficiently motified and skilled adversaries that they are prepared to start hijacking your DSL connection, you're probably screwed before you start.

Yes, that is probably true. But for one, that's not the only option I listed, and also, it doesn't change that the blanket statement "NAT prevents inbound connections" is not true and is easily misapplied by people who do not understand the details. Notice how noone ever says "NAT prevents inbound connections well enough for low-value targets, kinda"? And so, people actually believe that it does and then set up vulnerable company networks.

> The added protection NAT offers is that even if an inexperienced user accidentally opens up too much in their firewall, it's unlikely that this will make their internal home network publically accessible because ordinarily attackers aren't going to be able to send packets there.

Talking about contrived examples ... in consumer devices, you rarely can actually configure firewall rules? What you can configure is "port forwarding", and that then automatically implies that tt is actually open not not just NATted. So, at best that applies to inexperienced users setting up somewhat professional equipment, presumably in a context where security matters a bit more and targeted attacks are more likely, and where the belief that "NAT prevents inbound connections" now actually puts them at risk?

edit: And not only does it put them at risk, it also makes it hard for them to notice that they are vulnerable. If you have a firewall without NAT, it's trivial to check that inbound connections are refused. If a random access from anywhere on the internet is rejected, then your default DENY rule is probably effective. With NAT, not so much.

[jfindley]

> That's not really a useful measure, though, because this can be said about every single vulnerability used in a mass compromise up to the second when that mass compromise happens.

No. The difference between the vectors you described and "mass compromise malware" is that your vectors are targetted at one (or a very small number of) individual user(s), who are probably screwed either way, if a skilled attacker really wants to mess with them this badly. There is no realistic way to hijack DSL connections en-masse, and an attacker skilled enough to compromise an entire ISP to the point they can start doing these sorts of things has far better options available to them than anything we're talking about here. There's a huge difference between mass-deployed malware and complex targetted attacks, which is a point you seem to continually miss in this thread.

> it doesn't change that the blanket statement "NAT prevents inbound connections" is not true

More verbosely this could have been expressed as "NAT prevents inbound connections unless you have a NAT device that for some reason accept incoming packets for which it has no session and pick a device on the private network to route these packets to, not to mention the difficulty of getting those packets there in the first place". This "unless" is not normally needed though, as this is widely regarded to be a sufficiently difficult thing to achieve it's not worth mentioning.

>in consumer devices, you rarely can actually configure firewall rules?

On every consumer firewall/NAT box I've ever seen, it was possible to configure firewall rules. Perhaps this is a regional difference?

I also note that although you've presented a couple of ways you might be able to send arbitrary packets at the public IP of the NAT device (although I strongly dispute how practical they are), this isn't yet sufficient to manage to connect to arbitrary machines behind the NAT device - you must also find a way to force the NAT device to accept packets for which it has no existing session. Otherwise you're really just limited to things like tcp hijacking to try to MiTM a session - something you can likely do regardless of the presence of a firewall, if you really care enough.

[iso1210]

Why wouldn't rpf prevent the packet from being routed?

[zAy0LfpBZLC8mAC]

You mean RPF as in "reverse path filter"? If so: Why would it?!

[iso1210]

Oh yes, it's a packet aiming to 192.168, not a spoof packet from 192.168. Ignore me, I'll go back to sleep :D