Reply to post:

OK, this time it's for real: The last available IPv4 address block has gone

Nanashi Bronze badge

You kinda are an idiot to use NAT when it's not necessary. If you use it when you don't need it, the only thing it does for you is make your network harder to admin, and make your security harder to reason about. It makes sense if you're a masochist, I guess.

(By NAT I specifically mean iptables' "-j MASQUERADE" mode; the one that you apply to outbound connections only. There are various other targeted cases of address translation that can be handy, like NAT64/NAT46 or load balancers, but we're talking about the type of NAT that people use on their home connections here, right?)

Of course it is often necessary -- you need it if you aren't receiving enough IP addresses for your network from your upstream ISP. That is why you see it used everywhere for v4. It's because we're so short on IP addresses that you're lucky if you can even get one single v4 IP for your entire network.

As a side note, you're going to need to deploy v6 on your local network and not just on the WAN side of your router, because there's no way to fit v6 addresses into v4 packet headers. Your LAN machines will have no way of reaching v6 hosts without v6 on the LAN. This is just an unavoidable consequence of the way v4 works, and the only way to fix it is to deploy a new protocol. (Or you could use a proxy, but nobody wants to use proxies.)

> NAT is a "sensible default" applied to the technology that happens to translate to a "block all incoming" as the final rule by the way it works

Woah, woah, woah... where did you get this idea from? NAT doesn't block any connections. Literally the only thing this type of NAT does is change the apparent source address of outgoing connections. It doesn't do anything to inbound connections.

Okay, I know the answer to this one: it's because you normally use NAT together with RFC1918, and using RFC1918 does make it difficult for most, if not all, of the internet to connect to you. But the NAT part of that does nothing to inbound connections. This is the "makes your security harder to reason about" that I mentioned above: it's causing a misunderstanding here that could potentially be dangerous if you try to rely on it.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon


Biting the hand that feeds IT © 1998–2020