Most firewalls are default deny. Routers are default allow unless you put a filter on the interface.
NAT adds nothing to security (Bill and I agree to disagree on this), but at best, it complicates the audit trail.

Owen

> On Feb 16, 2024, at 15:19, Jay R. Ashworth <[email protected]> wrote:
>
> ----- Original Message -----
>> From: "William Herrin" <[email protected]>
>
>> On Fri, Feb 16, 2024 at 2:19 PM Jay R. Ashworth <[email protected]> wrote:
>>>> From: "Justin Streiner" <[email protected]>
>>>> 4. Getting people to unlearn the "NAT=Security" mindset that we were forced
>>>> to accept in the v4 world.
>>>
>>> NAT doesn't "equal" security.
>>>
>>> But it is certainly a *component* of security, placing control of what
>>> internal
>>> nodes are accessible from the outside in the hands of the people inside.
>>
>> Every firewall does that. What NAT does above and beyond is place
>> control of what internal nodes are -addressable- from the outside in
>> the hands of the people inside -- so that most of the common mistakes
>> with firewall configuration don't cause the internal hosts to -become-
>> accessible.
>>
>> The distinction doesn't seem that subtle to me, but a lot of folks
>> making statements about network security on this list don't appear to
>> grasp it.
>
> You bet. I knew someone would chime in, but whether they'd be agreeing
> with me -- as you are -- or yelling at me, wasn't clear.
>
> It's a default deny (NAT) vs default allow (firewall) question, and
> I prefer default deny -- at least inbound. You *can* run NAT as default
> deny outbound, too, but it's much less tolerable for general internet
> connectivity -- in some dedicated circumstances, it can be workable.
>
> Cheers,
> -- jra
> --
> Jay R. Ashworth Baylink
> [email protected]
> Designer The Things I Think RFC 2100
> Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII
> St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
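A toy model of the distinction the quoted message draws between an inside host being accessible (the filter policy's decision) and addressable (whether it can be named from outside at all), added here as an illustration and not code from anyone in the thread; the Gateway and Packet classes and the 198.51.100.x, 203.0.113.x and 192.168.1.x addresses are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass
class Gateway:
    """Toy inbound path of an edge device; constructed model, not real firewall code."""
    public_ip: str
    default_allow: bool = False            # inbound policy mistake: allow anything not listed
    allow_ports: frozenset = frozenset()   # inbound ports deliberately opened
    nat: bool = False                      # inside hosts hidden behind public_ip
    mappings: dict = field(default_factory=dict)  # public port -> (inside ip, port)

    def outbound(self, internal_ip, internal_port, public_port):
        """An inside host opens a flow; NAT records a translation for the replies."""
        if self.nat:
            self.mappings[public_port] = (internal_ip, internal_port)

    def inbound(self, pkt):
        """Return the (ip, port) that receives an inbound packet, or None if it is dropped."""
        if self.nat:
            # Only the public address is addressable from outside; a packet reaches an
            # inside host only through a translation that an outbound flow created.
            if pkt.dst != self.public_ip:
                return None
            return self.mappings.get(pkt.dport)
        # Routed firewall: the inside address is reachable, so accessibility is decided
        # purely by the filter policy, and a policy mistake exposes the host directly.
        if self.default_allow or pkt.dport in self.allow_ports:
            return (pkt.dst, pkt.dport)
        return None

def demo():
    """The same inbound policy mistake on a routed firewall and on a NAT gateway."""
    probe = Packet("203.0.113.9", "192.168.1.10", 445)   # unsolicited probe of an inside host
    fw = Gateway(public_ip="198.51.100.1", default_allow=True)
    nat = Gateway(public_ip="198.51.100.1", default_allow=True, nat=True)
    nat.outbound("192.168.1.10", 51000, 40001)            # inside host opened a connection
    reply = Packet("203.0.113.9", "198.51.100.1", 40001)  # legitimate return traffic
    return {
        "firewall_misconfig": fw.inbound(probe),   # ('192.168.1.10', 445): host exposed
        "nat_misconfig": nat.inbound(probe),       # None: inside address not addressable
        "nat_return_traffic": nat.inbound(reply),  # ('192.168.1.10', 51000): delivered
    }
```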

