• @[email protected]
    link
    fedilink
    English
    15 months ago

    Because, as I said:

    layer 7 firewalls for the network which are going to be where most the majority of attacks are concentrated.

    The NAT doesn’t have to operate at layer 7 to be effective for this because

    coincidentally it is doing the heavy lifting for home network security because it is dropping packets from connections originating from outside the network, barring of course, forwarded ports and DMZ hosts because the router has no idea where to route them.

    The point is that the SPI firewalls are not protecting against the majority of the attacks we’ve seen for decades now from botnets and other arbitrary sources of attacks, except, perhaps targeted DDoSing which isn’t the big problems for most home networks. They must worry about having their OS’ and software exploited and owned in the background, which doesn’t get much of an assist from a router’s firewall.

    Obviously, this is however true for the NAT since the NAT are going to drop connections originating from outside the network attempting to communicate with that software to exploit it

    barring of course, forwarded ports and DMZ hosts because the router has no idea where to route them.

    • @[email protected]
      link
      fedilink
      1
      edit-2
      5 months ago

      How is this “dropping packets” not applicable to firewalls, then? You are not just going to casually connect to my IPv6 device as we’re speaking. The default-deny firewall in my router does the heavy lifting… just like what NAT did.

      Honestly, it just sounds like you need to brush up on networking knowledge. Repeat after me: NAT is not security.

      • @[email protected]
        link
        fedilink
        English
        1
        edit-2
        5 months ago

        Are you saying that everyone’s router’s firewall drops all packets from connections that originate from outside of their network?

          • @[email protected]
            link
            fedilink
            English
            15 months ago

            So, really, you were “correcting” me for you and your specific setup at the very beginning because your router’s firewall has a deny rule for all inbound connections because I must have been confusing what a NAT and what a firewall is because I must have been talking about your specific configuration on your specific devices.

            Holy. Fucking. Shit.

            • @[email protected]
              link
              fedilink
              1
              edit-2
              5 months ago

              Oh come on, are you seriously suggesting that default-deny stateful firewall is not the norm??

              Holy. Fucking. Shit. Indeed.

              You keep on suggesting to me that you really have no idea how networking works. (Which is par on course for people thinking NAT == security, but I digress)

              Let me tell you: All. Modern. Routers. include a stateful firewall. If it supports NAT, it must support stateful firewalling. To Linux at least, NAT is just a special kind of firewall rule called masquerade. Disregarding routers, even your computer whether Linux (netfilter) or Windows (Windows Firewall) comes built-in with a stateful firewall.

              • @[email protected]
                link
                fedilink
                English
                15 months ago

                Having a NAT on a consumer router is indeed the norm. I don’t even see how you could say it is not.

                I never said NAT = security. As a matter of fact, I even said

                It was not designed for security but coincidentally blah blah

                But hey, strawmanning didn’t stop your original comment to me either, so why stop there?

                Let me tell you: All. Modern. Routers. include a stateful firewall.

                I never even implied the opposite.

                To Linux at least, NAT is just a special kind of firewall rule called masquerade.

                Right, because masquerade is NAT…specifically Source NAT.

                I’m just going to go ahead an unsubscribe from this conversation.

                • @[email protected]
                  link
                  fedilink
                  15 months ago

                  Were I really strawmanning you? Is “I never even implied the opposite” really true? Quote:

                  So, really, you were “correcting” me for you and your specific setup

                  Yeah, my “specific setup”… which can be found in virtually all routers today.