On Wed, May 04, 2022 at 04:27:52AM +0800, Jeremy Ardley wrote:

[...]

> [...] NAT in itself
> provides quite good security because internal hosts can't be scanned by
> attackers.

Uh, oh. I think general opinion these days disagrees with this statement
strongly (see e.g. [1], but this has been rough consensus since at least
the 2000s).

That said, even "normal" hands-off firewalls don't help against the most
widespread threats of these days: malicious actors that are located inside
your network: be it some random javascript running in your browser, a
printer phoning home or your so-called smart TV.

All of those will connect to outside things from the inside, and a
no-trouble hands-off firewall is configured to allow just that.

The known attacks against NAT dwindle given the above-mentioned
cornucopia :-)

Don't get me started on things like UPnP's NAT-PMP [2] which are
explicitly designed for clients to punch holes into the firewall.

Cheers

[1] https://security.stackexchange.com/questions/8772/how-important-is-nat-as-a-security-layer
[2] https://en.wikipedia.org/wiki/NAT_Port_Mapping_Protocol

--
t