by kortilla
1774 days ago
Sorry, you’re very confused about the NAT that is widely deployed. It’s absolutely not 1:1 NAT because that buys effectively nothing from a scaling perspective.

> But even then, the added security of a stateful firewall as provided by a router is dubious. You know what else has a "stateful firewall"? Your kernel's TCP/IP stack. It isn't gonna accept random connections from the Internet unless there is an application actively listening to a port and accepting packets.

That’s the fucking problem. All kinds of vulnerable/misconfigured software just binds to 0.0.0.0:<whatever> and calls it good. My fridge does this, my washer does this, my TV does this. This is the world of IoT.

> And I trust the Linux/NT/BSD kernel to be more secure with ensuring that than a binary firmware blob from a router manufacturer

It’s not; it takes a single API call to have a program start listening, because that’s the entire job of the kernel. You have to configure a firewall on top of it to make sure vulnerable software isn’t exposed to the internet.
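The comment above turns on one observable fact: a service that binds to 0.0.0.0 is reachable on every interface the host has, and the kernel alone does nothing to stop that. The script below is an added example, not code from the thread or from any poster: it parses the /proc/net/tcp table that Linux exposes and reports every LISTEN socket bound to the wildcard address, which is exactly the set a host firewall (or an upstream NAT/firewall) would need to cover. The table embedded in the script is constructed to look like /proc/net/tcp on a little-endian x86 host; the function and variable names are the author's own.

```python
"""List TCP services bound to 0.0.0.0 (all interfaces) from /proc/net/tcp.

Added example, not from the thread. SAMPLE_PROC_NET_TCP is a constructed
table in /proc/net/tcp format; pass --live to read the real file instead.
"""
import socket
import struct
import sys

LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

# Constructed sample (not a real capture). Rows: sshd on 0.0.0.0:22,
# cups on 127.0.0.1:631, an app on 0.0.0.0:8080, and one ESTABLISHED
# connection that must not be reported as a listener.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0201A8C0:D43A 0101A8C0:0016 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 100 0 0 10 0
"""


def decode_addr(hex_addr):
    """Decode an 'AABBCCDD:PPPP' field from /proc/net/tcp.

    The IPv4 address is a 32-bit word in host byte order (little-endian on
    x86, so 0100007F is 127.0.0.1); the port is plain big-endian hex.
    """
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listeners(proc_net_tcp_text):
    """Return (ip, port, uid) for every socket whose state is LISTEN."""
    found = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        found.append((ip, port, int(fields[7])))  # fields[7] is the owning uid
    return found


def wildcard_listeners(proc_net_tcp_text):
    """Listeners bound to 0.0.0.0: reachable on every interface unless a
    host firewall or an upstream NAT/firewall filters them."""
    return [entry for entry in listeners(proc_net_tcp_text) if entry[0] == "0.0.0.0"]


if __name__ == "__main__":
    if "--live" in sys.argv:
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    else:
        table = SAMPLE_PROC_NET_TCP
    for ip, port, uid in wildcard_listeners(table):
        print(f"{ip}:{port} (uid {uid}) is listening on all interfaces")
```

Run without arguments it reports the two wildcard listeners in the sample (port 22 and port 8080) and ignores the loopback-only and ESTABLISHED rows; `--live` does the same against the running host. This only covers IPv4; /proc/net/tcp6 uses 128-bit addresses in a different layout and would need its own decoder, and anything this script lists is what the firewall rules the comment calls for have to account for.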
Stateful NAT does imply state tracking, which is a major component needed to implement a stateful firewall, but it is not itself a stateful firewall.