PF submission stuck waiting for nearly 4 years

Oh I looked, just to make sure I wasn't the crazy one. You're the one asserting without evidence that NAT provides no (or little, not clear) security benefits and won't acknowledge which ones it does.
 
> The absence of NAT is one of the reasons for poor adoption of IPv6. We learned in the '90s that putting every machine on the Internet with a public IP is a really bad idea.
From what I understood, NAT would not be needed at all with IPv6.

I never considered NAT a security feature - if I had had the abundance of static addresses to make my fridge and lawnmower reachable planetscope, I would have done so right from the beginning.
But now, over many years I implicitly trained the perception that my intranet is entirely independent from anything else, and public connectivity is just a very limited add-on.
Indeed I do consider moving to IPv6, but I still fail to develop some proper vision on how I could tackle this and how I might make it look in the end: I am currently using three independent NAT and five openvpn to wire my stuff together, and I have nice code to drop NATs and forwards into IPFW at arbitrary places and then auto-create the proper rules. Looks like lots of effort to move all this to IPv6. Security then adds the additional handicap that this has to be done in a precise and thorough fashion.
 
Yep. You're not the crazy one. Excuse me, I was under the impression of talking with professionals here.
 
I'm not your teacher. If you can't find anything with two simple keywords on Google, you might be in the wrong profession.
 
And I'm not your student. You don't get to give me homework. I'm also not taking career advice from you, thank you.
 
Bottom line: I couldn't care less. You're wrong about NAT, that's just a fact, and I really don't care at all if you see it or not.
 
> From what I understood, NAT would not be needed at all with IPv6.
That was the perception in the late '90s and indeed how IPv6 was designed. Then more and more Windows machines started to get on the Internet with hilarious results.

The '90s way is making something of a comeback with the defense in depth stuff, but that's not practical yet if you don't have a dedicated team of security professionals working on it.

Edit: In Windows' defense, it wasn't designed to be connected to a worldwide internetwork. Even LAN support was kinda grafted on after the fact. What happened is not at all surprising in retrospect.
 
Cool, more nonsense. Connection tracking works for IPv6 as well, if you want to rely on THAT. No need for NAT. You can still block anything "incoming", but allow responses. With all the same loopholes. NAT just isn't a factor there.
 
First it's "I won't explain myself" and now it's "of course what you said is true, but you don't need NAT for that" which is what I was saying in the first place?

The things you "don't need NAT for" but that NAT provides are not wrapped up in such a way that it's a bullet point on a box for consumer deployment for IPv6. That's the whole point.
 
> That was the perception in the late '90s and indeed how IPv6 was designed. Then more and more Windows machines started to get on the Internet with hilarious results.
>
> The '90s way is making something of a comeback with the defense in depth stuff, but that's not practical yet if you don't have a dedicated team of security professionals working on it.
>
> Edit: In Windows' defense, it wasn't designed to be connected to a worldwide internetwork. Even LAN support was kinda grafted on after the fact. What happened is not at all surprising in retrospect.
I agree. But then, isn't it a systemically bad approach to boggle the lower level designs (interconnectivity) due to security weaknesses of some upper level instances (windows systems)?
 
> LOL. Seriously. Do 2 minutes of research, Google is enough.
With all respect, that's bad style of arguing. If it's so obvious & easy, you could come up with just a few cues, which would be enough to correct any misconception that an informed reader might have. I know you're not elitarian, but some of your statements could give other readers the impression that you are.
 
> I agree. But then, isn't it a systemically bad approach to boggle the lower level designs (interconnectivity) due to security weaknesses of some upper level instances (windows systems)?
"No plan survives first contact with the enemy"

By the measure of connectivity, firewalls are a "design flaw." If we didn't have NAT, had freeflowing IPv6 addressing, and Windows continually made networking decisions assuming it was on a friendly, firewalled network, some kind of firewall standard would have appeared and we'd use those boxes instead of "routers." Instead, due to more computers than IP assignments, the necessity of NAT papered over most of the problems.
 
> I agree. But then, isn't it a systemically bad approach to boggle the lower level designs (interconnectivity) due to security weaknesses of some upper level instances (windows systems)?
I agree in principle, but in practice bugs happen. For example, I run Nextcloud on my internal network, but I don't trust it enough (yet) to expose it to the Internet. It's possible that an attacker could set up a tunnel into my internal network using UPnP or "full cone NAT" and thereby expose my Nextcloud to the Internet.
Another example is net/netatalk3. It has been abandoned upstream for Samba, and I can't adopt Samba for reasons that are off-topic. I'm migrating away from Apple and will eventually not need Netatalk for Time Machine, but that's going to take some time. I don't want to expose Netatalk to the Internet, and you shouldn't want to either.
My network is still too old-school in that it has a hard and crunchy outside and a soft and gooey inside. I need to break up the internal network into three. One for wireless devices where guests' random phones will be allowed, one for devices like PlayStations and smart TVs, and one for the wired back-end services network. I've got all the hardware. I just gotta motivate.
 
> It's possible that an attacker could set up a tunnel into my internal network using UPnP or "full cone NAT" and thereby expose my Nextcloud to the Internet.
And think of all that IoT stuff.
I think most people want things to "work" as "normal", and more security-aware people, for example those who don't see a benefit in the IoT stuff chattering over the public Internet, can just block UPnP and all that.
 
> I know you're not elitarian, but some of your statements could give other readers the impression that you are.
Elitism would be, for example, to put someone down for asking "stupid questions". Insisting on something while literally ONE quick request on Google will show tons of resources explaining how this is wrong is a whole other story, and I politely refuse to play this silly game.
 
Nobody knows what you're talking about anymore. You'll type all these words in about how smart you are, but not the "two simple keywords" we're supposed to be searching for to understand your cryptic "ha ha, if you only could use google" taunts.

I'm sorry we can't have a discussion over the sound of how smart you are?
 
Uh, a classic, if YOU don't understand something, it's magically everyone. Only serves for self-assurance of course. But for that great secret what to search for, maybe try "NAT security". Surprise.
 
> Elitism would be, for example, to put someone down for asking "stupid questions". Insisting on something while literally ONE quick request on Google will show tons of resources explaining how this is wrong is a whole other story, and I politely refuse to play this silly game.
It would take you about the same time to just type in a few keywords/cues as you need to type in this answer about "this silly game". BTW I'd like to note that I consider preferring DuckDuckGo over Giggle should be natural on a FreeBSD forum; not only does it IIRC run on FreeBSD, it's also driven by FreeBSD freaks? Back on topic, I'm currently reading NAT Router Security Solutions, which was among the first in the list ddg gave me.
 
Yeah, uh, what? "NAT Security" gives us what you're claiming is... nonsense? Wouldn't this be the opposite of what you're trying to get us to understand?
 
Just for example:

General (boring) stuff: https://weberblog.net/why-nat-has-nothing-to-do-with-security/
Example for a concrete "attack" on a NAT implementation: https://0day.work/an-example-why-nat-is-not-security/

The latter is btw not really related to NAT but to the idea of "connection tracking" filters. The fact that the router also translates addresses has very little impact. Part of the misconception probably is that you *need* connection tracking to make NAT work at all for clients behind it.

edit: and for some more theory, there's also conflicting goals. The purpose of NAT is to provide connectivity close to what would be possible without it, so, the more packets it *CAN* route, the better. For UDP, a sane approach is e.g. the patch mentioned here, or in general a strategy with a FIXED mapping that will ONLY change when the router learns a new one triggered by some other host "inside".

This is more or less the opposite of what a firewall should do.
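The distinction this post and the earlier ones draw (an unsolicited inbound packet is blocked by the state table, which works the same with IPv6 and no translation at all, while a permissive "full cone" NAT mapping lets any outside host reach the mapped port once an inside host has opened it) can be made concrete with a toy state table. This is an added example written for this page, not code from the thread, from pf or from any router; the three policies, the hosts and the addresses are constructed for illustration.

```python
from dataclasses import dataclass, replace
from enum import Enum
from typing import Optional

# Constructed toy model of a filter / NAT box. Not pf code; it only models
# the decision "is this inbound packet delivered inside, or dropped?".


class Policy(Enum):
    STATEFUL_NO_NAT = "stateful filter, no translation (IPv6-style)"
    FULL_CONE = "NAT, endpoint-independent mapping and filtering"
    SYMMETRIC = "NAT, mapping and filtering bound to the remote endpoint"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


class Box:
    def __init__(self, policy: Policy, public_ip: str = "192.0.2.1"):
        self.policy = policy
        self.public_ip = public_ip          # hypothetical public address
        self._next_port = 40000             # hypothetical ephemeral range
        self.states = set()   # stateful: full 5-tuples learned from outbound
        self.mappings = {}    # NAT: mapping key -> external port
        self.ext = {}         # NAT: (ext_port, proto) -> (in_ip, in_port, remote)

    def _alloc(self) -> int:
        port, self._next_port = self._next_port, self._next_port + 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Inside host sends; returns the packet as seen on the public side."""
        if self.policy is Policy.STATEFUL_NO_NAT:
            # No translation: just remember the 5-tuple a reply must match.
            self.states.add((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
            return pkt
        if self.policy is Policy.FULL_CONE:
            key = (pkt.src_ip, pkt.src_port, pkt.proto)   # one mapping per inside socket
            remote = None                                  # ...usable by ANY remote
        else:
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
            remote = (pkt.dst_ip, pkt.dst_port)            # only this remote may reply
        ext_port = self.mappings.get(key)
        if ext_port is None:
            # The mapping only changes when an inside host triggers a new one.
            ext_port = self._alloc()
            self.mappings[key] = ext_port
            self.ext[(ext_port, pkt.proto)] = (pkt.src_ip, pkt.src_port, remote)
        return replace(pkt, src_ip=self.public_ip, src_port=ext_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Public side sends; returns the packet delivered inside, or None if dropped."""
        if self.policy is Policy.STATEFUL_NO_NAT:
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
            return pkt if key in self.states else None
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.ext.get((pkt.dst_port, pkt.proto))
        if entry is None:
            return None                       # no mapping: dropped
        in_ip, in_port, remote = entry
        if remote is not None and remote != (pkt.src_ip, pkt.src_port):
            return None                       # mapping bound to another remote
        return replace(pkt, dst_ip=in_ip, dst_port=in_port)


def demo(policy: Policy):
    """One outbound DNS-style query, then a reply and an unsolicited packet.

    Returns (reply_delivered, stranger_delivered).
    """
    box = Box(policy)
    inside = "2001:db8::5" if policy is Policy.STATEFUL_NO_NAT else "10.0.0.5"
    out = box.outbound(Packet(inside, 5000, "203.0.113.10", 53))
    reply = Packet("203.0.113.10", 53, out.src_ip, out.src_port)
    stranger = Packet("198.51.100.7", 4444, out.src_ip, out.src_port)
    return box.inbound(reply) is not None, box.inbound(stranger) is not None


if __name__ == "__main__":
    for policy in Policy:
        print(f"{policy.value}: reply/stranger delivered = {demo(policy)}")
```

The stateful IPv6 box and the symmetric NAT give the same answer (reply in, stranger dropped), and the stateful one does so without translating anything; only the full-cone mapping, the one that "routes the most packets", also delivers the stranger's packet. The filtering decision lives in the state table, not in the address rewrite.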
 