Repeating the same wrong points doesn't make you right.
Every NAT based product will have a firewall built in also by default. And it'll be deny-all except for conn-tracked.
And that L2 attack is a martian packet. Why are you allowing reserved IPs to talk on public network interfaces (hello, spoofing and obvious at that)? These are always blocked due to the reasons you describe.
> Every NAT based product will have a firewall built in also by default.
Well that's the point of the article isn't it? That the firewall is the important part, not the NAT.