[vlan0]

And if I think back to my 30 years of IT, environments with NAT end up with lazy engineering from systems and application folks. It doesn't provide an environment that forces folks to understand their problems holistically. Thus, relying on perimeter firewalling and NAT as a large catch all. It's a bad security practice imo

[everforward]

The correct way is hard. You either have to manage firewalls on each host, or your switches need to have firewalls (I assume that’s a thing?). Hosts on the same subnet never hit layer 3 so IP-based firewalls don’t see them.

You either need very static infrastructure so you can hard-code firewalls on the hosts, or you need a system to dynamically manage the firewalls on each host, or an SDN that can sanely manage layer 2 flows. Little things like moving an app to a new server become a whole project unless you have really good tools to reconfigure the firewalls on everything that touches the app.

Then you need a way to let people self-service those rules or else security has to be involved in like everything just to do firewall rules.

It’s a good idea, but a huge pain and I’ve not seen good solutions

[thewebguyd]

That's why I like mesh overlay networks (things like Tailscale, Nebula, etc.). You can largely set host firewalls to deny all, and access services over the overlay network which is software defined and more easily managed and deployed at scale.

It doesn't solve all problems, but its a good start, and modern MDMs & Group Policy (on the Windows side) make managing host firewalls easy enough.

It doesn't solve your self-service problem, though I'd argue self-service when it comes to host firewalls or otherwise shouldn't be a thing anyway.

[fulafel]

Yep, rfc19188 addressing leads to accumulating complexity due to workarounds (end-to-end addressing is simple, there are very good reasons for that design), addressing ambiguity, and various practical security problems.

[cyberax]

Do you prefer to install firewalls on smart light switches and kettles?