On Sat, Nov 20, 2021 at 7:16 PM Owen DeLong via NANOG <nanog@nanog.org> wrote:
> This is a common fallacy… The real concept here isn’t “universal
> reachability”, but universal transparent addressing. Policy then decides
> about reachability.
>
> Think stateful firewall without NAT.
>
> If you want to allow the incoming connection, you simply permit it rather
> than having to set up some sort of convoluted port forward.
>
> You can allow open access to a hardened host entirely, or you can open
> specific ports.
>
> What you don’t have to do is carefully map a limited number of external ports
> to each be forwarded to a particular port on a particular
> internal destination host because you aren’t recycling the one and only
> public address that all the incoming packets have to first land
> on, each host has its own address that you can simply enable.
>
> So again, how is port forwarding better than this? (it isn’t).
Hi Owen,

This has been hashed and rehashed on this group about a gajillion times, but for the sake of those who are new:

Firewalls are programmed by people. People make mistakes. Lots of mistakes. 1:1 stateful firewalls and 1:many stateful firewalls (NAT) behave differently in the face of those mistakes.

When 1:1 stateful firewalls are mistakenly told to pass all traffic, they faithfully do so, exposing unhardened hosts directly to the Internet.

When 1:many stateful firewalls (NAT) are mistakenly told to pass all traffic, they can't do so. They don't have enough information to decide which interior host to send a packet to, so they simply break.

One fails as a security perimeter breach. The other fails as a system down. Pick which security posture you prefer, but they're very much not the same. A knocked-over fence versus a lost padlock key, and well into the zombie apocalypse.

Regards,
Bill Herrin

-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/
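The two failure modes Bill describes can be made concrete with a small model of each device. The following is an added illustration written for this page, not code from the thread or from any firewall product: a 1:1 stateful firewall (each internal host has its own global address, policy decides admission) and a 1:many NAPT device (one shared public address, a translation table built from outbound flows plus optional static port forwards). Both are handed the same mistaken "permit everything inbound" rule. All addresses are constructed from the documentation ranges (2001:db8::/32, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), and the class and function names are assumptions of this example.

```python
"""Toy model: a mis-configured 1:1 stateful firewall versus a mis-configured NAPT box.

Constructed example code; the device classes, addresses and flows are assumptions
made for illustration and do not come from the NANOG thread.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Policy = Callable[["Packet"], bool]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True  # True for a new connection attempt, False for a reply


class StatefulFirewall1to1:
    """Every internal host has its own globally routable address.

    Replies to tracked outbound flows are always delivered; anything else is
    delivered if, and only if, the policy says so. Nothing is rewritten."""

    def __init__(self, internal_hosts, permit_inbound: Policy):
        self.internal = set(internal_hosts)
        self.permit_inbound = permit_inbound
        self.flows = set()  # (remote_ip, remote_port, internal_ip, internal_port)

    def outbound(self, pkt: Packet) -> Packet:
        self.flows.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return pkt  # forwarded unchanged

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst not in self.internal:
            return None
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.flows:
            return pkt  # reply to a flow we opened
        # A mistaken "permit all" policy lands here and forwards to the host as-is.
        return pkt if self.permit_inbound(pkt) else None


class NaptFirewall:
    """All internal hosts share one public address.

    An inbound packet can only be delivered if a translation entry exists for
    it (a tracked outbound flow or a static port forward). Policy is consulted
    only after a destination has been found; with no entry there is nowhere
    to send the packet, whatever the policy says."""

    def __init__(self, public_ip: str, permit_inbound: Policy,
                 static_forwards: Optional[Dict[int, Tuple[str, int]]] = None):
        self.public_ip = public_ip
        self.permit_inbound = permit_inbound
        self.table: Dict[Tuple[str, int, int], Tuple[str, int]] = {}
        self.static = dict(static_forwards or {})  # public_port -> (int_ip, int_port)
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        self.next_port += 1
        self.table[(pkt.dst, pkt.dport, self.next_port)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, self.next_port, pkt.dst, pkt.dport, pkt.syn)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst != self.public_ip:
            return None
        key = (pkt.src, pkt.sport, pkt.dport)
        if key in self.table:  # reply to a tracked outbound flow: translate back
            int_ip, int_port = self.table[key]
            return Packet(pkt.src, pkt.sport, int_ip, int_port, pkt.syn)
        if pkt.dport in self.static and self.permit_inbound(pkt):
            int_ip, int_port = self.static[pkt.dport]
            return Packet(pkt.src, pkt.sport, int_ip, int_port, pkt.syn)
        return None  # no translation entry: the packet has no interior destination


def misconfigured_permit_all() -> Dict[str, bool]:
    """Both devices get the same mistaken rule: permit every inbound packet."""
    fw = StatefulFirewall1to1(["2001:db8::10"], permit_inbound=lambda p: True)
    nat = NaptFirewall("198.51.100.1", permit_inbound=lambda p: True)
    probe6 = Packet("2001:db8:ffff::1", 40001, "2001:db8::10", 22)  # unsolicited SSH probe
    probe4 = Packet("203.0.113.9", 40001, "198.51.100.1", 22)
    return {
        "1to1_delivers_unsolicited": fw.inbound(probe6) is not None,
        "napt_delivers_unsolicited": nat.inbound(probe4) is not None,
    }


def normal_operation() -> Dict[str, object]:
    """Correct policy (deny unsolicited) plus one deliberate NAPT port forward."""
    fw = StatefulFirewall1to1(["2001:db8::10"], permit_inbound=lambda p: False)
    nat = NaptFirewall("198.51.100.1", permit_inbound=lambda p: p.dport == 2222,
                       static_forwards={2222: ("192.168.1.10", 22)})
    out6 = fw.outbound(Packet("2001:db8::10", 50000, "2001:db8:ffff::1", 443))
    out4 = nat.outbound(Packet("192.168.1.10", 50000, "203.0.113.9", 443))
    reply6 = Packet(out6.dst, out6.dport, out6.src, out6.sport, syn=False)
    reply4 = Packet(out4.dst, out4.dport, out4.src, out4.sport, syn=False)
    delivered4 = nat.inbound(reply4)
    forwarded = nat.inbound(Packet("203.0.113.9", 51515, "198.51.100.1", 2222))
    return {
        "1to1_reply_delivered": fw.inbound(reply6) is not None,
        "napt_reply_dst": (delivered4.dst, delivered4.dport) if delivered4 else None,
        "1to1_unsolicited_dropped": fw.inbound(Packet("2001:db8:ffff::1", 1, "2001:db8::10", 22)) is None,
        "napt_static_forward_dst": (forwarded.dst, forwarded.dport) if forwarded else None,
    }
```

Under the mistaken rule, the 1:1 firewall hands the unsolicited probe to the interior host while the NAPT device has no entry to translate it and drops it; with a correct policy both deliver replies to their own outbound flows, and the NAPT box delivers the one inbound port that was deliberately forwarded. The model covers the forward path only: a real "permit all" on the NAT box's own input chain would still expose whatever listens on 198.51.100.1 itself, so the "fails as a system down" outcome applies to the hosts behind it, not to the box.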