this post was submitted on 26 Feb 2024
64 points (93.2% liked)

Networking noob here. I want to prevent all incoming requests except through a specific port, and that traffic is forwarded to a specific device on the network. NAT seems to do that just fine, it's almost like a kind of firewall by itself. What kind of threats are there that requires more than just NAT for security?

[–] [email protected] 17 points 8 months ago* (last edited 8 months ago) (1 children)

EDIT: Quoting @[email protected] from elsewhere in the thread because they summed it up beautifully:

NAT provides some security by sheer coincidence and not by design.


NAT is not security.

NAT is a stop-gap measure because there aren't enough IPv4 addresses in the world. NAT was created so multiple Local Area Networks all over the world could use the same IP numbers and not end up with IP conflicts.

Way way way back in the early days of the internet, there were no LAN IPs and WAN IPs. You had your Wide Area Network (Internet) IP and that was it. Prior to NAT all devices were directly accessible via their WAN IP on the whole ass internet.

To give you an idea, IPv4 came out in 1980 and it wasn't until May of 1994 that the first RFC on NAT was published.

IPv6 is a full replacement for IPv4 that has not been fully adopted despite being around for 20 years or so. It has something like 16 undicillion (I don't recall, it's a fucking massive number) existing IP numbers, so it could take a few generations for it to run out of address space.

The thing is, it's come full circle and IPv6 now is the same as IPv4 used to be and you can access a "local" IP directly from the wider internet and Network Address Translation is not needed in the routing setup at all. (I believe it's called a Global Unicast Address, but it's been a minute, so don't quote me on that)

I reiterate: NAT was never meant as a real security measure, as it is simply Security Through Obscurity at best.

Further, it's not even that obscure: NAT is often misconfigured, meaning internal IPs and ports leak to the wider internet regularly.

Obligatory South Park Ski Instructor:

https://en.wikipedia.org/wiki/Network_address_translation

https://en.wikipedia.org/wiki/Internet_Protocol_version_4

https://en.wikipedia.org/wiki/Internet_Protocol_version_4#Address_space_exhaustion

https://en.wikipedia.org/wiki/IPv6_address

https://en.wikipedia.org/wiki/IPv6_address#Unicast_addresses

[–] [email protected] 8 points 8 months ago

it is simply Security Through Obscurity at best.

I think this is a bit too strong. The bit about NAT that people associate with improved security is that it acts as a stateful firewall. This basically means that it allows outbound connections but not inbound connections.

Preventing inbound connections does provide a meaningful reduction in attack surface. No longer is every vulnerability scan on the internet going to probe your machine, and it is going to be much harder for a remote attacker to get access.

However there are two main flaws:

  1. Stateful firewalls are not perfect filters of incoming connections.
  2. Local devices still have full access to your device.
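To make the point above concrete: the filtering people credit NAT with comes from connection tracking, and it can be written out explicitly so the same policy also covers IPv6, where no NAT exists. This is an added nftables ruleset, not from anyone in the thread; the interface names, addresses and the forwarded port are assumptions.

```nft
# Added example: explicit stateful firewall for a home router, plus one
# port forward, for both IPv4 and IPv6. Assumed (not from the thread):
# WAN interface eth0, LAN interface br0, LAN host 192.168.1.50 and
# 2001:db8::50, forwarded service TCP/443.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept   # replies to what we started
        ct state invalid drop
        iif "lo" accept
        iifname "br0" accept                  # LAN may manage the router
        meta l4proto ipv6-icmp accept         # IPv6 needs ICMPv6 (NDP, PMTU)
        meta l4proto icmp accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept   # the "NAT allows replies" part
        ct state invalid drop
        iifname "br0" oifname "eth0" accept   # LAN -> internet, any protocol
        # The single inbound exception. DNAT below rewrites the IPv4
        # destination before this chain runs, so match the LAN address.
        iifname "eth0" ip daddr 192.168.1.50 tcp dport 443 ct state new accept
        # IPv6 has no NAT: this rule alone is what exposes exactly one port.
        iifname "eth0" ip6 daddr 2001:db8::50 tcp dport 443 ct state new accept
    }
}
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        iifname "eth0" tcp dport 443 dnat to 192.168.1.50
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "eth0" masquerade
    }
}
```

Load with `nft -f` and verify with `nft list ruleset`; note the ruleset does nothing about the second flaw listed above, since traffic between LAN devices never crosses the router's forward chain.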