xl-brain 4 hours ago

The tension here is the difference between theory and reality. In reality, IPv4 NAT is the only thing protecting most users in their homes. If you force IPv6 on this same population, you have to give them an equivalent posture by default.

This is kind of like writing an argument that motorcycles are not unsafe because they lack 4 wheels. This is true, but if you put my grandmother on one and ask her to drive across town, she would not survive it.

da_chicken an hour ago | parent | next [-]

No, the reality is that every modern network device running NAT for a user device network is also already a fully stateful firewall, because the software required to do one is virtually identical to the other.

You can't buy a home router with NAT and no firewall, and no home routers ship that don't also have a default deny rule on that firewall. The same is true for SOHO routers and effectively every consumer network gateway device you might buy.

You literally have to go well out of your way to find a network device capable of NAT that can't function as a stateful firewall, and when you find it, it's likely to be carrier-grade. In other words, not intended to be capable of any security at all. The amount of NAT processing it's intended to handle will challenge the hardware enough as it is.
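
What the "default deny rule on that firewall" looks like when the LAN is globally addressable, as an added example that is not part of the thread or any vendor's firmware: an nftables ruleset for an IPv6 gateway in which the conntrack table, not address rewriting, decides what crosses from WAN to LAN. Interface names and the commented-out host address are assumptions.

```nft
#!/usr/sbin/nft -f
# Constructed example of a default-deny stateful IPv6 gateway (not from the thread).
# Interface names are assumptions for the example.
define WAN = eth0
define LAN = br0

table inet gateway {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to tracked outbound flows come back, exactly as they do behind PAT.
        ct state established,related accept
        ct state invalid drop

        # LAN hosts may open new connections toward the Internet.
        iifname $LAN oifname $WAN accept

        # Path-MTU discovery and error signalling must pass or IPv6 sessions stall.
        icmpv6 type { packet-too-big, destination-unreachable, time-exceeded, parameter-problem } accept

        # Any inbound exception is an explicit, per-host rule, the IPv6 analogue
        # of a port forward. Address below is a documentation-prefix placeholder.
        # iifname $WAN oifname $LAN ip6 daddr 2001:db8:1::10 tcp dport 443 ct state new accept
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname lo accept
        # Neighbour discovery and router advertisements keep the link working.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, echo-request } accept
        # Management from the LAN side only; nothing new from the WAN reaches the router.
        iifname $LAN accept
    }
}
```

The `policy drop` on the forward hook is the "default deny" the comment refers to; removing NAT from such a box changes nothing about which inbound packets are accepted, because every accept rule keys on connection state or on an explicit exception rather than on whether a source address was rewritten.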

dissent 2 hours ago | parent | prev | next [-]

NAT isn't protecting them. Not being on the public internet at all is protecting them.

NAT is then unprotecting them a little by letting them punch out again. It's super easy for routers to implement this behaviour by default if your LAN is publicly addressable, and removes a whole class of exploits caused by applications making NAT hacks.

denkmoon 4 hours ago | parent | prev | next [-]

This is entirely untrue. Every shitty router shipped by ISPs this side of the dotcom bubble has a stateful firewall enabled by default. NAT is distinctly not the only thing protecting most home users. Not to mention every OS I know of shipping with its own firewall enabled with default deny on inbound.

xl-brain 4 hours ago | parent [-]

You are stuck on the theory of what is protecting this population. In practice, less than 1% of these users can or will turn NAT off.

Can you imagine how great things would work out with a public IP on all your nana's computers, NAT turned off, protected by the prowess of her Arris gateway's stateful firewall?

mrsssnake 3 hours ago | parent [-]

With NAT turned on nana's computer is still protected by the same Arris gateway.

Dagger2 4 hours ago | parent | prev | next [-]

That's not the case at all. You could disable their NAT and they wouldn't lose any protection whatsoever.

xl-brain 3 hours ago | parent [-]

Yes, it is the case. In the real world, there are malfunctioning ALGs, permissive defaults, and connectionless protocols that are poorly tracked by these sloppy, underpowered "SPI" devices.

Dagger2 3 hours ago | parent [-]

It's not, because in the real world NAT only affects your outbound connections. That means that turning it off only changes the behavior of outbound connections, not inbound ones.

Any inbound connection that would have worked before you turned it off will still work afterwards, and any that wouldn't have worked before will still not work afterwards.

xl-brain 3 hours ago | parent [-]

Think about what 99% of SOHO users have: PAT (NAT overload). This NAT impacts the way a connection is established in BOTH directions. Inbound connection attempts from the Internet to the NAT public IP address of the SOHO router can go no further than the router. We are talking what 99% of users have installed.

Maybe this is the reason for some of the disagreement. I am focusing on what is installed at 99% of user installations (PAT). I would agree with the comments that a 1-to-1 NAT offers no EXTRA security.

Dagger2 2 hours ago | parent [-]

That's the type of NAT I've been talking about the entire time. It doesn't do anything to inbound connections unless you explicitly tell it to.

Connections to the router's IP address go to the router, but you need to consider what happens to connections that go to IP addresses on the network behind the router too.
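
The point argued in the exchange above, that PAT rewrites outbound sources while the connection table alone decides the fate of inbound packets, as a runnable model. This is an added example, not code from the thread or from any router; the `Gateway` class, the `run_scenario` helper and all addresses (IPv4 test-net, RFC 1918 and IPv6 documentation prefixes) are constructed for it, and the model deliberately ignores routing and address families so that the same probe can be sent at a LAN host in both configurations.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed model, not code from the thread or any router vendor.
# A 4-tuple as seen on one side of the gateway: (src_ip, src_port, dst_ip, dst_port)
Flow = Tuple[str, int, str, int]


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Gateway:
    """A SOHO gateway: stateful filter plus optional PAT ("NAT overload")."""
    wan_ip: str
    nat: bool                                   # True = rewrite LAN sources to wan_ip
    next_port: int = 40000                      # next PAT source port to hand out
    # Connection table keyed by the reply tuple expected from the WAN side,
    # valued by the original LAN-side flow. Plain stateful filtering needs
    # exactly this table; NAT merely also uses it to undo its rewrite.
    table: Dict[Flow, Flow] = field(default_factory=dict)
    # Explicit port forwards (public port -> LAN ip, port); empty by default.
    forwards: Dict[int, Tuple[str, int]] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: record state, rewrite the source only if NAT is on."""
        if self.nat:
            src_ip, src_port = self.wan_ip, self.next_port
            self.next_port += 1
        else:
            src_ip, src_port = pkt.src_ip, pkt.src_port
        reply_key: Flow = (pkt.dst_ip, pkt.dst_port, src_ip, src_port)
        self.table[reply_key] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(src_ip, src_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: deliver ESTABLISHED or explicitly forwarded traffic, drop NEW."""
        key: Flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self.table:
            lan_ip, lan_port, _, _ = self.table[key]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        if pkt.dst_ip == self.wan_ip and pkt.dst_port in self.forwards:
            lan_ip, lan_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        return None  # default deny: identical outcome with NAT on or off


def run_scenario(nat: bool, wan_ip: str, lan_host: str) -> dict:
    """Drive one gateway through an outbound flow and two unsolicited probes."""
    gw = Gateway(wan_ip=wan_ip, nat=nat)
    # Remote addresses are placeholders; the model does not check address families.
    # 1. LAN host opens a connection; the server's reply must be delivered.
    out = gw.outbound(Packet(lan_host, 51000, "198.51.100.7", 443))
    reply = gw.inbound(Packet("198.51.100.7", 443, out.src_ip, out.src_port))
    # 2. Unsolicited probe at the gateway's own public address.
    probe_gw = gw.inbound(Packet("198.51.100.9", 40000, wan_ip, 22))
    # 3. Unsolicited probe aimed straight at the LAN host's address. With a
    #    routable (IPv6-style) LAN this reaches the gateway; the state table,
    #    not address rewriting, is what stops it.
    probe_host = gw.inbound(Packet("198.51.100.9", 40001, lan_host, 22))
    return {
        "source_seen_by_server": (out.src_ip, out.src_port),
        "reply_delivered_to": None if reply is None else (reply.dst_ip, reply.dst_port),
        "probe_gateway_forwarded": probe_gw is not None,
        "probe_host_forwarded": probe_host is not None,
    }


if __name__ == "__main__":
    # IPv4 PAT gateway with an RFC 1918 LAN vs. a routed IPv6 gateway.
    print(run_scenario(True, "203.0.113.5", "192.168.1.10"))
    print(run_scenario(False, "2001:db8:ffff::1", "2001:db8:1::10"))
```

Run both scenarios and compare the dictionaries: the only field that differs is `source_seen_by_server`, the outbound rewrite. Reply delivery and both probe results are identical, which is the whole of the "NAT only affects your outbound connections" argument; the thing that would change the inbound result is an entry in `forwards`, which is the explicit exception the comment mentions.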

mrsssnake 3 hours ago | parent | prev [-]

France with >85% IPv6 adoption mostly made of grandmothers driving motorcycles across the town manually delivering packets like in their youth.

xl-brain 3 hours ago | parent [-]

https://arxiv.org/abs/2509.04792?

"Collectively, our results show that NAT has indeed acted as the de facto firewall of the Internet, and the v4-to-v6 transition of residential networks is opening up new devices to attack."