alt Hacker NewsI wrote that comment, and you can write to yourself how many times you want that NAT is not a firewall.
The truth of the matter is that NAT absolutely _is_ a firewall in _practice_. Not in theory "because it doesn't drop packets" or "because it was not meant to be a security feature". But in the actual real-world practice.
It effectively protects most networks from most attackers without ANY additional configuration, making it inherently foolproof.
Here, I put a private key for a wallet with 0.01 bitcoin at this address: http://192.168.80.26/ Go on and take it. It's not protected by anything else I disabled everything but NAT. Heck, here's my real IPv4 even: 172.56.107.111
Is this a _good_ reason to not do IPv6? No. But it absolutely _is_ a reason and needs to be acknowledged.
Replies
If you don't have RPF enabled on your router in theory your upstream peer can send traffic to 192.168.80.26 and it would pass through. Reply traffic may or may not be natted depending on how it's entered in the connection tracking table.
There may be situations where your router can be tricked too, I can't think of one off the top of my head which wouldn't also apply to a stateful firewall sitting on a routed network segment with no nat, and it would typically be a vulnerability to patch
But your principal is right -- it's far harder to exploit than just connecting to an ip of say 2001:172:56:107:111::192.168.80.25 on port 80
> The truth of the matter is that NAT absolutely _is_ a firewall in _practice_.
No it's not. NAT is not ever a firewall. By definition it is not.