Hacker News
by kortilla 1770 days ago
It’s not nonsense though. The implementation of NAT literally implies a stateful firewall.

I want ipv4 dead as well but to bury your head in the sand and pretend NAT doesn’t offer the protections it does only hurts your argument.

> Besides Internet was always supposed to work the way IPv6 would allow.

Yep, but the real world - where all of the unpatched IoT devices are running - has NAT at basically every home protecting devices from unsolicited connections.


NAT doesn't imply a stateful firewall at all. NAT is literally just rewriting IP addresses on incoming/outgoing packets. I could have a single machine behind a middlebox, and the middlebox could just rewrite the IP source/destination of egress/ingress packets, and that would be NAT - and I'd still be able to successfully receive incoming packets from the big bad web. In fact, you can do this without the middlebox using an iptables MASQUERADE rule.

But even then, the added security of a stateful firewall as provided by a router is dubious. You know what else has a "stateful firewall"? Your kernel's TCP/IP stack. It isn't gonna accept random connections from the Internet unless there is an application actively listening to a port and accepting packets. And I trust the Linux/NT/BSD kernel to be more secure with ensuring that than a binary firmware blob from a router manufacturer.

Sorry, you’re very confused about the NAT that is widely deployed. It’s absolutely not 1:1 NAT because that buys effectively nothing from a scaling perspective.

> But even then, the added security of a stateful firewall as provided by a router is dubious. You know what else has a "stateful firewall"? Your kernel's TCP/IP stack. It isn't gonna accept random connections from the Internet unless there is an application actively listening to a port and accepting packets.

That’s the fucking problem. All kinds of vulnerable/misconfigured software just binds to 0.0.0.0:<whatever> and calls it good. My fridge does this, my washer does this, my TV does this. This is the world of IoT.

> And I trust the Linux/NT/BSD kernel to be more secure with ensuring that than a binary firmware blob from a router manufacturer

It’s not: it takes a single API call to have a program start listening, because that’s the entire job of the kernel. You have to configure a firewall on top of it to make sure vulnerable software isn’t exposed to the internet.

The kind of NAT that's widely deployed doesn't act as a firewall though. It buys you nothing from a security perspective. It's entirely possible to connect inwards over a NATing router unless there's also an additional firewall configured.

Stateful NAT does imply state tracking, which is a major component needed to implement a stateful firewall, but it is not itself a stateful firewall.
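An added example, not from anyone in this thread, that models the three things being argued about above so the behaviours can be checked rather than asserted: the 1:1 address rewriting from the MASQUERADE reply, the many-to-one NAT kortilla says is actually deployed, and stateful filtering as a separate layer on top. Everything in it is constructed for the example: the addresses come from the RFC 5737 documentation ranges, the "fridge" listens on 0.0.0.0:8080, and the class and function names are mine, not names from iptables or any router firmware.

```python
from dataclasses import dataclass, replace

# Addresses are constructed for the example (RFC 5737 documentation ranges).
PUBLIC_IP = "203.0.113.10"   # router WAN address
HOST = "192.168.1.20"        # LAN host (the "fridge"), listening on 0.0.0.0:8080
PEER = "198.51.100.5"        # server the host legitimately talks to
ATTACKER = "192.0.2.77"      # unrelated Internet host

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

class OneToOneNAT:
    """Stateless 1:1 NAT: rewrite public<->private address, forward everything."""
    def __init__(self, public_ip, private_ip):
        self.public_ip, self.private_ip = public_ip, private_ip
    def outbound(self, pkt):
        return replace(pkt, src_ip=self.public_ip)
    def inbound(self, pkt):
        return replace(pkt, dst_ip=self.private_ip)  # never refuses a packet

class NAPT:
    """Many-to-one NAT: outbound packets allocate a public port, inbound packets
    are delivered only if a mapping for that port exists. The mapping here is
    endpoint-independent ('full cone'): once it exists, any source may use it."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip, self.next_port = public_ip, first_port
        self.by_public = {}   # (proto, public_port) -> (private_ip, private_port)
        self.by_private = {}  # (proto, private_ip, private_port) -> public_port
    def outbound(self, pkt):
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.by_private:
            self.by_private[key] = self.next_port
            self.by_public[(pkt.proto, self.next_port)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return replace(pkt, src_ip=self.public_ip, src_port=self.by_private[key])
    def inbound(self, pkt):
        target = self.by_public.get((pkt.proto, pkt.dst_port))
        if target is None:
            return None  # no mapping: nowhere to deliver it, so it is dropped
        return replace(pkt, dst_ip=target[0], dst_port=target[1])

class StatefulFilter:
    """Conntrack-style filter on the WAN side: admit an inbound packet only if it
    is the reply direction of a flow the LAN side opened."""
    def __init__(self):
        self.flows = set()
    def note_outbound(self, pkt):  # pkt is the already-translated packet
        self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
    def admits(self, pkt):
        return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows

class Router:
    def __init__(self, nat, filt=None):
        self.nat, self.filt = nat, filt
    def send_out(self, pkt):
        out = self.nat.outbound(pkt)
        if self.filt:
            self.filt.note_outbound(out)
        return out
    def receive(self, pkt):
        """Packet as delivered to the LAN, or None if the router dropped it."""
        if self.filt and not self.filt.admits(pkt):
            return None
        return self.nat.inbound(pkt)

def run_scenarios():
    syn = Packet(ATTACKER, 12345, PUBLIC_IP, 8080)  # unsolicited connection attempt
    results = {}
    # 1) 1:1 NAT: the host's port 8080 is reachable from anywhere.
    results["one_to_one"] = Router(OneToOneNAT(PUBLIC_IP, HOST)).receive(syn)
    # 2) Many-to-one NAT with no prior outbound traffic: no mapping, dropped.
    results["napt_unsolicited"] = Router(NAPT(PUBLIC_IP)).receive(syn)
    # 3) Many-to-one NAT after one outbound UDP packet: the mapping is a hole a
    #    third party can use, because address rewriting alone checks no flow state.
    r = Router(NAPT(PUBLIC_IP))
    out = r.send_out(Packet(HOST, 5000, PEER, 53, "udp"))
    results["napt_hole"] = r.receive(Packet(ATTACKER, 9999, PUBLIC_IP, out.src_port, "udp"))
    # 4) Same NAT plus a stateful filter: only the peer's reply gets through.
    r = Router(NAPT(PUBLIC_IP), StatefulFilter())
    out = r.send_out(Packet(HOST, 5000, PEER, 53, "udp"))
    results["filtered_third_party"] = r.receive(Packet(ATTACKER, 9999, PUBLIC_IP, out.src_port, "udp"))
    results["filtered_reply"] = r.receive(Packet(PEER, 53, PUBLIC_IP, out.src_port, "udp"))
    return results

if __name__ == "__main__":
    for name, pkt in run_scenarios().items():
        print(f"{name:22s} {'delivered to %s:%d' % (pkt.dst_ip, pkt.dst_port) if pkt else 'dropped'}")
```

Scenario 1 is the "connect inwards over a NATing router" case: 1:1 rewriting forwards the unsolicited SYN straight to the fridge. Scenario 2 is the protection many-to-one NAT gives for free, and it comes purely from the absence of a mapping. Scenario 3 is the flip side of that: a mapping created by one outbound UDP packet is reusable by anyone, because the NAT table only knows ports, not who opened the flow. Only scenario 4 checks the reply tuple, and that check is a filter decision layered on the state table, not a property of address rewriting. One caveat on realism: Linux MASQUERADE sits on top of conntrack and keys its reverse translation on the full reply tuple, so on a Linux box scenario 3 behaves more like scenario 4; that is conntrack doing the work, which is exactly the "state tracking is a component, not a firewall" distinction made above.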

"Beware of appeals to the 'real world'; and to what it supposedly demands. It is always an invitation to leave unchallenged the speaker's tacit assumptions."

Not demands. It’s just the reality of where we are. People who claim everything will improve by allowing p2p connections by default are woefully out of touch with the shit show that is IoT.

The IoT shitshow is never going to improve if IoT device makers can't be made to stop offloading the cost of their laziness and bad systems thinking onto a network layer that was never intended, and is poorly suited, to be the ne plus ultra of device security.