
You are talking about outbound NAT.

"NAT is a security boundary" sits on using RFC1918 addresses and "nobody can enter my network because there is no DNAT rules for it!".

If you know how the routing actually works on Ethernet networks then it should be pretty obvious, but if not: there is no magic there.

If you know that the packet is addressed to some network not in your routing list, then you just throw it to the default router with dstaddr of the recipient and MAC address of the default gateway. There is no security or anything.

And the same applies to the traffic you receive on the external interface. Anything that is received on the external interface would be forwarded to your local networks if dstaddr of the packet is in your local network range.

And there are two ways to throw some packets with dstaddr in RFC1918 to your external interface:

a) be on the wire of your external interface - you can't forward those packets over Internet, obviously

b) have DNAT that would rewrite the IP of your external interface in dstaddr to some internal IP

So having internal addressing according to RFC1918 on the LAN and therefore using NAT to access anything else - doesn't make your network secure.

Usually this is not a problem, but if you are thinking that NAT makes your network secure then you have two problems: a possibly insecure network and the feeling that your network is secure.

> why would I also need a firewall rule covering the same port (assuming default is DENY)?

Assuming. There are people out there who can't even configure their firewall properly: https://news.ycombinator.com/item?id=38879470

EDIT: Oh, how quaint, just downvoting without responding. Remember, downvotes are not for your opinion on the comment.

But while we are at it, two more options on having an external packet traverse to your local network:

c) have a host on the LAN initiate a connection to the Internet, which opens up a port on the external interface of the router. Sure, in 99.9999% you can't use that, because the stateful firewall would discard the incoming packets not from the host with which the client communicates... Until the attacker is that host in the first place, i.e. malware or even a deliberate operation

d) UPnP. 'Nuff said.
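As an added illustration (not from the thread, and not anyone's real router code): a small Python model of the forwarding path the comment describes. It assumes a constructed LAN of 192.168.1.0/24 and a public address of 203.0.113.7, reuses the LAN source port as the NAT port for simplicity, and treats "NAT only" as a router that forwards by destination with no source check. Routing alone forwards anything whose destination is in the LAN range; only the stateful firewall flag makes cases (a) and (c) drop, while an explicit port forward (b) passes either way.

```python
"""Toy model of a home router: destination-based forwarding with NAT, with and
without a stateful default-deny firewall in front of the LAN."""
import ipaddress
from dataclasses import dataclass

# Constructed example addressing; nothing here comes from the thread.
LAN = ipaddress.ip_network("192.168.1.0/24")   # RFC1918 range behind the router
WAN_IP = "203.0.113.7"                         # router's public side (TEST-NET-3)


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on: "lan" or "wan"
    src: str
    sport: int
    dst: str
    dport: int


class Router:
    """Forwards purely by destination address; the firewall flag is the only
    thing standing between an inbound packet and a LAN host."""

    def __init__(self, stateful_firewall: bool) -> None:
        self.stateful_firewall = stateful_firewall
        self.nat = {}    # wan port -> (lan ip, lan port, remote ip, remote port)
        self.dnat = {}   # wan port -> (lan ip, lan port): explicit port forward, option (b)

    def add_port_forward(self, wan_port: int, lan_ip: str, lan_port: int) -> None:
        self.dnat[wan_port] = (lan_ip, lan_port)

    def handle(self, pkt: Packet) -> str:
        """Return the forwarding decision as a short string."""
        if pkt.iface == "lan":
            return self._outbound(pkt)
        return self._inbound(pkt)

    def _outbound(self, pkt: Packet) -> str:
        # Option (c): a LAN host opening a connection creates translation state.
        # Simplification (assumption): the WAN port reuses the LAN source port.
        self.nat[pkt.sport] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return f"forward:wan src={WAN_IP}:{pkt.sport}"

    def _inbound(self, pkt: Packet) -> str:
        dst, dport = pkt.dst, pkt.dport
        allowed_by_state = False
        if dst == WAN_IP and dport in self.dnat:
            # Option (b): DNAT rewrites the public destination to an internal host.
            dst, dport = self.dnat[dport]
            allowed_by_state = True
        elif dst == WAN_IP and dport in self.nat:
            lan_ip, lan_port, remote_ip, remote_port = self.nat[dport]
            dst, dport = lan_ip, lan_port
            # Stateful check: only the peer the LAN host actually talked to may reply.
            allowed_by_state = (pkt.src, pkt.sport) == (remote_ip, remote_port)
        # Routing step: there is a route for the LAN range and nothing else.
        if ipaddress.ip_address(dst) not in LAN:
            return "local" if dst == WAN_IP else "drop:no-route"
        # Option (a): a packet already carrying an RFC1918 destination, or a
        # translated one, is simply routed unless a firewall says otherwise.
        # With stateful_firewall=False the NAT table is consulted but the
        # source is never checked, which is the "NAT only" case.
        if not self.stateful_firewall or allowed_by_state:
            return f"forward:lan dst={dst}:{dport}"
        return "drop:firewall"


if __name__ == "__main__":
    for stateful in (False, True):
        r = Router(stateful_firewall=stateful)
        on_wire = Packet("wan", "203.0.113.99", 40000, "192.168.1.10", 22)
        print(f"stateful={stateful}: RFC1918 dst arriving on wan ->", r.handle(on_wire))
```

Run it and compare the two rows: with the firewall off, a packet that reaches the external interface already addressed to 192.168.1.10 is forwarded straight into the LAN, which is exactly case (a); the same packet is dropped only because the stateful rule exists, not because of NAT.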



I didn't vote at your comment at all, so don't blame me. However you'll get an upvote from me now.

I agree with (some to most) of your writing and it was very informative (and lengthy!) but I didn't find the time to write something back which would honor your response enough.


Oh, sorry, that definitely looks like it was directed personally at you.

Thank you for providing feedback, because it's way more valuable than some virtual updoots. But thanks for the virtual updoot too!
