One of the startups I worked for did business with Ford. We needed info about their networks to get them connected to our service in AWS, and in the process we learned that they still use public IPs for everything. Every workstation, server, router, etc. connected to the internet from a public IP, no NAT and only protected by extremely complicated firewall rules. Their IT team must be in constant distress, or super defensive about their architecture haha
this post was submitted on 14 Dec 2025
260 points (98.9% liked)
Today I Learned
26210 readers
627 users here now
What did you learn today? Share it with us!
We learn something new every day. This is a community dedicated to informing each other and helping to spread knowledge.
The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:
Rules (interactive)
Rule 1- All posts must begin with TIL. Linking to a source of info is optional, but highly recommended as it helps to spark discussion.
** Posts must be about an actual fact that you have learned, but it doesn't matter if you learned it today. See Rule 6 for all exceptions.**
Rule 2- Your post subject cannot be illegal or NSFW material.
Your post subject cannot be illegal or NSFW material. You will be warned first, banned second.
Rule 3- Do not seek mental, medical and professional help here.
Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.
Rule 4- No self promotion or upvote-farming of any kind.
That's it.
Rule 5- No baiting or sealioning or promoting an agenda.
Posts and comments which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.
Rule 6- Regarding non-TIL posts.
Provided it is about the community itself, you may post non-TIL posts using the [META] tag on your post title.
Rule 7- You can't harass or disturb other members.
If you vocally harass or discriminate against any individual member, you will be removed.
Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.
For further explanation, clarification and feedback about this rule, you may follow this link.
Rule 8- All comments should try to stay relevant to their parent content.
Rule 9- Reposts from other platforms are not allowed.
Let everyone have their own content.
Rule 10- Majority of bots aren't allowed to participate here.
Unless included in our Whitelist for Bots, your bot will not be allowed to participate in this community. To have your bot whitelisted, please contact the moderators for a short review.
Partnered Communities
You can view our partnered communities list by following this link. To partner with our community and be included, you are free to message the moderators or comment on a pinned post.
Community Moderation
For inquiry on becoming a moderator of this community, you may comment on the pinned post of the time, or simply shoot a message to the current moderators.
founded 2 years ago
MODERATORS
If you have enough IPs then not using NAT makes everything less complicated without any downside to security. If you think otherwise then IPv6 is going to cause you some problems.
NAT isn’t “security” in the cryptographic sense, but saying “no NAT has no downside to security” ignores what NAT + private addressing is used for: a hard boundary that prevents a whole class of accidental exposure.
Easy examples:
Home network analogy: Your laptop has a private IP (192.168.x.x). People on the internet can’t just connect to it unless you explicitly port-forward. If your router’s firewall rule is messy or you temporarily enable a service, that laptop still isn’t automatically internet-reachable. With public IPs on every device, a single bad rule can put that laptop directly on the internet.
Someone enables RDP/SSH “just to test something"? Behind NAT, it’s usually still not reachable inbound unless you publish it. With public addressing everywhere, one mis-scoped firewall rule (or host firewall disabled) can instantly make it reachable from anywhere.
With NAT, “what’s internet-facing?” is basically “what did we intentionally publish on the edge” (load balancer, reverse proxy, VPN gateway). With public IPs on every endpoint, “what’s internet-facing?” becomes “prove the firewall posture for thousands of hosts and ports,” which is harder and riskier at scale.
You’re right that IPv6 removes the address shortage reason for NAT. But IPv6 does not mean “everything must be publicly reachable.” The IPv6 equivalent of “internal-only” is using ULA (fc00::/7) for internal addressing, and/or using globally routable IPv6 but keeping a default-deny inbound firewall and publishing only through controlled ingress (reverse proxy, load balancer, VPN/Zero Trust).
So the point isn’t “NAT = security.” The point is: NAT + private addressing is a very effective exposure control and mistake-buffer. You can replicate the security model without NAT (especially in IPv6), but you do it with addressing design + strict firewalling + controlled ingres, not by claiming there’s no downside.
You don't want every device on your network publicly addressable, it's going to cause you some problems.
That's not how that works
NAT is not a firewall. If you don't have a Firewall in place bad things will happen.
For IPv6 you just set your Firewall to deny all and then add exceptions as needed. That is the default pretty much everywhere.
I never suggested NAT is a firewall.
Your firewall is typically the device doing the NAT (or directly on the router if you're a home user and don't have a dedicated hardware firewall). Your firewall/router sits on the edge, exposed with a public IP.
If you desire to expose your laptop, for example, you setup an ingress rule that translates to the laptops local address, and your firewall/router translates all traffic matching the rule and sends it to the laptop.
I'm not sure which part you're not clear on.
load more comments
(6 replies)
What's not how what works? What about the other poster's comment is inaccurate?
load more comments
(9 replies)
Lots of text here but a firewall with inbound deny default rule is considerably easier to manage than port and ip address translation. It’s also possible to get unexpected inbound traffic with NAT. It’s how Tailscale works for example. Sounds like a security failure to me.
Just wait until the day ipv6 is finally adopted readily and we’ll have this same argument about whether IPv6 addresses are a security feature when a /64 is too big a range to scan
hard boundary that prevents a whole class of accidental exposure.
Yeah, that’s a firewall. I fucking hate hearing about how NAT is more “secure” than public IPs. It's not. It’s not a fucking security feature and should not be treated as one or relied upon implicitly or in any way at all. This is the kind of shit that slows down IPv6 adoption because it’s “less secure”
JFC if you’re relying on NAT for security then you’re doing it wrong. Period.
Security wasn't the main concern in this particular case, the headache came from the fact that they were working in IP classes, and we were working in CIDRs (EC2 security groups, for example)
NAT is not a security feature
What it does do is make everything more complicated
load more comments
(3 replies)
Whoa... That's incredibly stupid.
I hosted the CISO dinner at Auto-ISAC a few years ago. Very calm and collected group who know they're on the precipice of Armageddon at all times.
GM dude was particularly kind. All but harassed me until I promised to change my travel habits and take red-eyes bc to optimize the amount of minutes with family is p0. Stuck with me.
…connected to the internet from a public IP, no NAT and only protected by extremely complicated firewall rules. Their IT team must be in constant distress, or super defensive about their architecture haha
Why they will be protected like everyone else. With the same default rule like every other company.
I think it more odd that they haven’t sold it for a lot of money.
Same for mercedes (and now Daimler truck)
I see now why we were predicted to run out of IPv4 addresses, and also why we don't appear to have actually run out of them yet.
Although why they still have such massive ranges of IPs is crazy.
Well we kind of ran out. But carriers just did more natting to reduce residential customers to client only, or have real ipv6 addresses
That's legacy addressing for you
There is a reason IPv6 is a thing
It's been a legacy for 15 years. Ipv4 is with us forever
My fucking ISP still doesn't let me use ipv6
I've been in IT since 1997. Back in the old times, network blocks were like free. I've worked for several places with full /8 public CIDRs - One employer didn't even NAT the addresses and every PC and server on our network had a public IP address. Firewalls were in place so the IPs weren't public in the traditional sense, but it was always fun explaining to some new hire why our IP addresses didn't look like they expected.
That's when I started my career, '98 for me. I was installing cable internet and DSL when those were new. Everyone just jacked straight into the internet, straight into the wall, butt naked! I was telling all my customers to download ZoneAlarm. :)
Everyone just jacked straight into the internet, straight into the wall, butt naked!
That explains all the semen on the Internet in the 90’s; jacking it butt naked straight into the internet will have that effect.
Just, why? ...
Domain squatting is bad!
/s
Money. Pure and simple.
I bet it's an artifact from beginning of IP and they were given a huge chunk.
There is nothing legally we can about it. I suspect if they were smaller and less monied we could
Absolutely however think of the alternatives. Private individual? Nope. Educational institute? Better hand those over. Corporation? Keep em!
I worked for a small insurance company owned by a slightly larger organization. That organization had a class B address space. They gave us 4 class C's from that class B, or about 1000 addresses in the 1990's for a company with 50 employees.
My university had an entire /8 block and no real centralized IT. A number of departments ran NAT internally but the default was that every computer was assigned a public IP. This included connecting a laptop to the network in the library or in a dorm room. At some point they did require associating your MAC with a student or staff ID in order to acquire an IP.
There was also a pretty robust collection of drives shared on the network. Some were intentional and slightly nefarious, some were accidental and the people didn't even realize they were sharing.
This was over 25 years ago.
Back in my day, that was the assumption: every device would get its own public IP. Now get off my lawn
view more: next ›