undefined | Better HN

0 pointsthelastparadise2y ago0 comments

It sounds nice on paper but typically we don't want unsolicited packets to reach internal hosts.

Yes, NAT is not a firewall --yet we don't see admins eager to put random lan hosts in the DMZ or enable UPnP.

0 comments

This is solved by statefulness: the router/firewall can be told to drop by default any unsolicited connections.

It's how things work with IPv6, which doesn't have NAT (by default): just because a host has a globally routable address does not mean it is reachable by default.

cornholio2y ago

You won't have the "NAT as a firewall" dilemma because there would be no NAT - this whole thought experiment would take place in the 1996 era, before the explosion of NATs. Expecting your /32 gateway to do any firewalling wouldn't be too different from expecting your ISP to do the same for the entire city at the /18 level.

GoblinSlayer2y ago

Is UPnP really unsolicited?

j / k navigate · click thread line to collapse