It's scary how much of this thread of supposed hackers comes from people who clearly don't understand the difference between a NAT and a firewall.
NAT is not for security, it does not provide security. It is often bundled with a firewall. The firewall provides security. Firewall != NAT
You are wrong because you are being overly pedantic.
NAT provides security because normally it disallows external actors on the outside from accessing resources on the inside side.
A firewall is not required for NAT to work, although many firewalls have NAT built-in. And indeed, if a firewall is off NAT can still function (if NAT is separate).
Your definition of security is too narrow.
And saying that NAT is broken all the time, implying that NAT is not security, is ridiculous. SSH is 'broken' all the time. TLS is broken all the time.
Here's the end point: NAT effectively reduces the attack surface for a home network to the router. That is security, practically speaking.
Just like a load balancer is a kind of NAT, but I don’t think people would conflate this with a security measure / FW.
When we say "NAT" we are specifically talking about stateful one-to-many NAT implementations as found in consumer IPv4 hardware. Such a NAT is largely isomorphic to a firewall with default-deny semantics for incoming connections and default-allow semantics for outgoing connections.
There are other possible NAT implementations that are much less like a firewall, but saying that a NAT does not provide security is a misunderstanding of the terms as they are used.
Not you specifically, but others in other threads have pointed to UPnP as proof that NATs don't provide security. If the existence of UPnP means that NATs don't provide security, then the existence of PCP means that firewalls also don't provide security.
Of course symmetric or even carrier grade NAT is not a firewall, but it's so silly to ignore real world implications thereof in an IPv4 only deployment scenario. Firewalls aren't foolproof and in real life your average NAT is more likely to be closer to that.
It's scary how somebody posting on hackernews thinks that this site is about hackers in the sense of security.
It quacks like a duck though.
RFC 4787 is useful in distinguishing NAT mapping vs filtering. Surprisingly, symmetric NAT actually seems quite rare today.
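To make the two points above concrete (the claim that a stateful one-to-many NAT behaves like a default-deny-inbound, default-allow-outbound firewall, and the RFC 4787 distinction between mapping and filtering behaviour), here is a small simulation. It is an added example, not code posted by any commenter and not any router's real implementation: the `StatefulNat` and `StatefulFirewall` classes, the `run_scenario` helper and all IP addresses (drawn from the TEST-NET and RFC 1918 ranges) are constructed for illustration. The NAT model uses endpoint-independent mapping and lets you choose the filtering behaviour, so you can see which inbound packets are dropped in each case.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal 4-tuple standing in for a UDP/TCP packet (constructed)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulNat:
    """Hypothetical one-to-many NAT: endpoint-independent mapping (RFC 4787 REQ-1)
    with a selectable filtering behaviour (RFC 4787 REQ-8)."""

    def __init__(self, public_ip: str, filtering: str = "address_and_port_dependent") -> None:
        self.public_ip = public_ip
        self.filtering = filtering
        self.mapping: Dict[Tuple[str, int], int] = {}     # (inside ip, port) -> external port
        self.reverse: Dict[int, Tuple[str, int]] = {}     # external port -> (inside ip, port)
        self.sessions: Set[Tuple[int, str, int]] = set()  # (external port, remote ip, remote port)
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: create/reuse a mapping, remember the remote endpoint."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.mapping:
            self.mapping[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        ext_port = self.mapping[key]
        self.sessions.add((ext_port, pkt.dst_ip, pkt.dst_port))
        return Packet(self.public_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: None means the packet is dropped."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.reverse:
            return None  # no mapping exists: nothing inside to deliver to
        if self.filtering == "endpoint_independent":
            allowed = True  # any outside host may use a mapped port
        elif self.filtering == "address_dependent":
            allowed = any(p == pkt.dst_port and ip == pkt.src_ip for p, ip, _ in self.sessions)
        else:  # address_and_port_dependent: only the exact remote endpoint we talked to
            allowed = (pkt.dst_port, pkt.src_ip, pkt.src_port) in self.sessions
        if not allowed:
            return None
        inside_ip, inside_port = self.reverse[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)


class StatefulFirewall:
    """Hypothetical stateful firewall without address rewriting: default-allow
    outbound, default-deny inbound unless it matches a connection the inside opened."""

    def __init__(self) -> None:
        self.established: Set[Tuple[str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> Packet:
        self.established.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return pkt

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.established:
            return pkt
        return None


def run_scenario(box, inside_ip: str, outside_facing_ip: str) -> Dict[str, bool]:
    """Push the same three inbound situations through a NAT or a firewall.
    True means the packet reached the inside host, False means it was dropped."""
    results: Dict[str, bool] = {}
    # 1. Unsolicited packet aimed at the inside host's listening port, no session yet.
    results["unsolicited_scan"] = box.inbound(Packet("198.51.100.200", 4444, outside_facing_ip, 5000)) is not None
    # 2. Inside host talks out; the remote replies to whatever source the box presented.
    out = box.outbound(Packet(inside_ip, 5000, "198.51.100.9", 53))
    results["reply_to_our_query"] = box.inbound(Packet("198.51.100.9", 53, out.src_ip, out.src_port)) is not None
    # 3. A different host tries the same externally visible port.
    results["stranger_on_mapped_port"] = box.inbound(Packet("198.51.100.200", 53, out.src_ip, out.src_port)) is not None
    return results


def compare_default_nat_and_firewall() -> bool:
    """The consumer-style NAT and the stateful firewall make identical decisions."""
    nat = run_scenario(StatefulNat("203.0.113.7"), "192.168.0.43", "203.0.113.7")
    fw = run_scenario(StatefulFirewall(), "203.0.113.43", "203.0.113.43")
    return nat == fw


def endpoint_independent_difference() -> bool:
    """With endpoint-independent filtering the stranger gets through once a mapping exists."""
    eif = run_scenario(StatefulNat("203.0.113.7", "endpoint_independent"), "192.168.0.43", "203.0.113.7")
    return eif["stranger_on_mapped_port"]
```

The filtering mode is the part that matters for the "is it a firewall" question: with address-and-port-dependent filtering the NAT and the firewall return the same drop/deliver decisions for all three situations, while endpoint-independent filtering (what hole-punching relies on) admits any outside host to a port once the inside host has opened it. An unsolicited packet with no mapping is dropped in every mode.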
> NAT is not for security, it does not provide security.
It’s not for security but it absolutely does provide security and pretending otherwise continues to harm discussions.
I have a pile of ipv4-only IoT devices that have no firewalls of their own that are being protected by the symmetric NAT in my home router. Kick and scream all you want but there is security there and nothing on the internet can reach those devices unsolicited, just like a stateful v4 firewall would provide.
If the end effect of security is dropping packets, NAT and firewalls both in effect drop packets.
It's kind of just silly pedantry to say NATs aren't security because sure, you can't do things like block specific ranges of IPs spamming you (or make outbound rules to control local devices), but 99% of people don't need to.
I think the confusion stems from the fact that my mom's laptop with its 192.168.0.43/24 v4 address is not routable except via NAT, and people believe (rightly or wrongly) that that confers a degree of security.
This goes against Hyrum's law. NAT provides the behavior 99.9% of users want, usually by default, out of the box. True firewalls can do the same thing, but not necessarily by default, the firewall might not even be on by default, and there's more room for misconfiguration. IPv6 is a security regression for most people, regardless of its architectural merits or semantics of what's a firewall.