Remix clone Hacker News

new | show | ask | jobs Github

▲

everdrive 2 days ago

> hollowing can crash the target process if the payload isn't carefully matched to the host process architecture.

So here's the thing. My ISP does _not_ rotate my IPv4 address, but _does_ rotate IPv6. Why? I'll never know.

Anyhow. I'm not confused about NAT vs. firewalling. No one who dislikes IPv6 is confused by this.

▲

throw0101c 2 days ago | parent [-]

> Anyhow. I'm not confused about NAT vs. firewalling. No one who dislikes IPv6 is confused by this.

"No one"; LOL. I've participated in entire sub-threads on HN with people insisting that NAT = security. I've cited well-regarded network educators/commentators and vendors:

* https://blog.ipspace.net/2011/12/is-nat-security-feature/

* https://www.f5.com/resources/white-papers/the-myth-of-networ...

▲

aeonik 2 days ago | parent [-]

That article is making a narrower claim than you're implying. It argues that NAT is not a security mechanism by design and that some forms of NAT provide no protection, which is true.

It also explicitly acknowledges that NAT has side effects that resemble security mechanisms.

In typical deployments, those side effects mean internal hosts are not directly addressable from the public internet unless a mapping already exists. That reduces externally reachable attack surface.

So, the disagreement here is mostly semantic. NAT is not a security control in the design sense, but it does have security-relevant effects in practice.

I personally do consider NAT as part of a security strategy. It's sometimes nice to have.

	▲	Dagger2 2 days ago \| parent [-]
		Both of those articles are actually wrong. They say "if an unknown packet arrives from the outside interface, it’s dropped" and "While it is true that stateful ingress IPv4 NAT will reject externally initiated TCP traffic" respectively, but this is in fact not true for NAT, which you can see for yourself just by testing it. (It's true for a firewall, but not for NAT.) The biggest security-relevant effects of NAT are negative. It makes people think they're protected when they aren't, and when used with port forwarding rules it reduces the search space needed to find accessible servers. I agree it can be a useful tool in your toolbox sometimes, but a security tool it is not.