Today I Learned
What did you learn today? Share it with us!
We learn something new every day. This is a community dedicated to informing each other and helping to spread knowledge.
The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:
Rules (interactive)
Rule 1- All posts must begin with TIL. Linking to a source of info is optional, but highly recommended as it helps to spark discussion.
** Posts must be about an actual fact that you have learned, but it doesn't matter if you learned it today. See Rule 6 for all exceptions.**
Rule 2- Your post subject cannot be illegal or NSFW material.
Your post subject cannot be illegal or NSFW material. You will be warned first, banned second.
Rule 3- Do not seek mental, medical and professional help here.
Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.
Rule 4- No self promotion or upvote-farming of any kind.
That's it.
Rule 5- No baiting or sealioning or promoting an agenda.
Posts and comments which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.
Rule 6- Regarding non-TIL posts.
Provided it is about the community itself, you may post non-TIL posts using the [META] tag on your post title.
Rule 7- You can't harass or disturb other members.
If you vocally harass or discriminate against any individual member, you will be removed.
Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.
For further explanation, clarification and feedback about this rule, you may follow this link.
Rule 8- All comments should try to stay relevant to their parent content.
Rule 9- Reposts from other platforms are not allowed.
Let everyone have their own content.
Rule 10- Majority of bots aren't allowed to participate here.
Unless included in our Whitelist for Bots, your bot will not be allowed to participate in this community. To have your bot whitelisted, please contact the moderators for a short review.
Partnered Communities
You can view our partnered communities list by following this link. To partner with our community and be included, you are free to message the moderators or comment on a pinned post.
Community Moderation
For inquiry on becoming a moderator of this community, you may comment on the pinned post of the time, or simply shoot a message to the current moderators.
view the rest of the comments
Please explain what I got wrong. I'm not perfect, and I might have made a mistake in my explanation, but I don't think I got the networking wrong...
With NAT: Inbound to laptop/printer from Internet is blocked by default because there is no globally routable path to them. Devices are only exposed if you intentionally publish: firewall rule + port-forward.
Without NAT on ipv4, (every device has a pubic IP): inbound to your laptop/printer is blocked by policy.
Same security if configured properly, NAT just makes it so you don't even have to worry about a whole class of exposure, because there isn't a path to block.
Must be a nightmare to manage the scenario in OP.
I feel like you're forgetting about subnetting and default gateways. You can't just route to an internal host if there isn't a route. That route, if designed correctly, will be behind a firewall that has things subnetter to default deny all for anything "internal" that shouldn't be publicly routable.
I’m not forgetting subnetting/default gateways... that’s exactly what I’m describing.
If you assign public addresses to internal hosts, then by definition your ISP routes that public prefix to your edge, and your edge routes it to the internal subnets. At that point, reachability exists (there is a route); whether traffic gets through is entirely a question of firewall correctness. One bad zone assignment or an overly-broad “temporary” allow can make a host directly reachable.
With typical IPv4 NAT/PAT, the default posture is different: those internal addresses are not globally routable, and there is no inbound mapping/state unless you intentionally publish something (port-forward/reverse-proxy/VPN). So a lot of “oops” mistakes fail closed. NAT isn’t a security control in theory, but it is a very real operational guardrail against accidental internet exposure.
And on IPv6: the architecture isn’t “give everything a public IP and call it done.” IPv6 can use global addresses with a default-deny stateful firewall, but the IETF also standardized ULA (fc00::/7) specifically for local communications not expected to be routable on the public Internet.
IPv4 NAT was largely driven by address exhaustion, but the reason people keep defending “internal is not directly addressable” is the exposure boundary and change-control safety margin it provides, not a belief that NAT magically replaces a firewall.
Point being there is still a firewall in place with a default deny. Nothing fundamentally has changed.
I actually appreciate your diagram because it makes it easy to see. The firewall will not route packets you haven't expressly opened in both scenarios.
That's not a situation that is going to arise since devices should block all incoming by default. You could need to explicitly poke holes in the Firewall.
Again, it's a free way to eliminate an attack surface.
It's a situation that can easily arise... you temporarily disable firewall on device to test something, you install a program that exposed a port and don't realize it, whatever the case, without a public IP that device isn't reachable from anywhere except the upstream firewall, which requires explicit NAT/port forwarding rules to allow access. Your devices are isolated by default and must be explicitly routed by policy.
Without NAT/ULA (private ipv6 addresses), your devices are routable by default and must be isolated by explicit policy.
The point is, you don't need NAT (that's exclusively ipv4), but you do need private addressing. That's the point I was responding to.
Yes, that's where the basic firewall configuration comes in.
I'm running native v6 at home, with no private addressing (Since it was never implemented right in OSs unfortunately), each system has it's own public IP address, and even an entirely unsecured device is protected since there's still a firewall between my network and the internet.
What's stopping you from accidentally port forwarding?
For that matter, sometimes ISPs route private addresses even though they aren't suppose to.