----- Original Message -----
> From: "William Herrin" <b...@herrin.us>
>
> On Fri, Feb 16, 2024 at 2:19 PM Jay R. Ashworth <j...@baylink.com> wrote:
>> > From: "Justin Streiner" <strein...@gmail.com>
>> > 4. Getting people to unlearn the "NAT=Security" mindset that we were forced
>> > to accept in the v4 world.
>>
>> NAT doesn't "equal" security.
>>
>> But it is certainly a *component* of security, placing control of what
>> internal nodes are accessible from the outside in the hands of the people
>> inside.
>
> Every firewall does that. What NAT does above and beyond is place
> control of what internal nodes are -addressable- from the outside in
> the hands of the people inside -- so that most of the common mistakes
> with firewall configuration don't cause the internal hosts to -become-
> accessible.
>
> The distinction doesn't seem that subtle to me, but a lot of folks
> making statements about network security on this list don't appear to
> grasp it.

You bet. I knew someone would chime in, but whether they'd be agreeing with
me -- as you are -- or yelling at me, wasn't clear.

It's a default deny (NAT) vs default allow (firewall) question, and I prefer
default deny -- at least inbound. You *can* run NAT as default deny outbound,
too, but it's much less tolerable for general internet connectivity -- in some
dedicated circumstances, it can be workable.

Cheers,
-- jra

--
Jay R. Ashworth                  Baylink                       j...@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates       http://www.bcp38.info          2000 Land Rover DII
St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274
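For readers who want to see the two ideas in the thread side by side in a ruleset, here is an added nftables configuration (not posted by anyone in the thread) for a Linux border router: a stateful default-deny-inbound filter, plus masquerade NAT so inside hosts are not addressable from outside unless a dnat rule says so. Interface names eth0/eth1 and the 192.168.1.0/24 inside prefix are assumptions for the example.

```nft
# Added example, not from the thread. Assumed: eth0 = outside, eth1 = inside,
# inside prefix 192.168.1.0/24 (constructed RFC 1918 range).
flush ruleset

table inet filter {
    chain input {
        # Default deny for traffic addressed to the router itself.
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Management only from the inside interface.
        iif "eth1" tcp dport 22 accept
        # ICMP/ICMPv6 must pass for PMTUD and IPv6 neighbour discovery.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
    }

    chain forward {
        # Default deny for traffic crossing the router. Replies to inside
        # connections return via the state rule; nothing unsolicited from
        # the outside reaches an inside host unless explicitly listed.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Outbound allowed by default. Replace this one line with a list of
        # permitted destinations/ports to get the "default deny outbound"
        # variant mentioned in the thread.
        iif "eth1" oif "eth0" accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # An inside host becomes addressable from outside only through an
        # explicit dnat here, e.g. (left commented on purpose):
        # iif "eth0" tcp dport 443 dnat to 192.168.1.10
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Masquerade: only the router's public address is visible upstream.
        oif "eth0" ip saddr 192.168.1.0/24 masquerade
    }
}
```

Load with `nft -f <file>` after checking it with `nft -c -f <file>`; the empty prerouting chain is the "not addressable" property Bill describes, independent of whether the forward chain is ever misconfigured.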