NAT Is Not A Firewall

  • Published: 6 Oct 2024
  • A lot of people seem to think that NAT is a form of firewall. It's not. You can have NAT running and still have packets going through your router. The firewalling is done by the filter rules, which I show in this video.
  • Science

Comments • 95

  • @davids8345 2 years ago +12

    Err, this is misleading.
    Yes, NAT is not a firewall (much like RAID is not backup...) But your demonstration assumes that the public web server has routability to the private/internal host, which in the real world simply isn't true. Remove the 10.0.0.0/24 route from the web server (back via your "router") and try again...

    • @GrishTech 10 months ago

      While this is true, it does not change that indeed, NAT is not a firewall. The lack of knowledge on how to route back does not equate to blocking the traffic.

    • @RoterFruchtZwerg 10 months ago +2

      @GrishTech but the lack of an entry in the router's NAT table does. The video is utterly misleading. NAT (PNAT like on consumer routers) drops any incoming packet that's not a reply to an outbound connection. It acts like a perfectly secure firewall in the eyes of a normal customer.

  • @quibus5141 10 months ago +5

    NAT is not a firewall, that I agree with. But NAT serves a purpose for home users that is firewall-like: it filters out all the noise on the internet, bots, scanners and other automated malicious traffic alike. No device on the internet can initiate traffic to your desktop device that is on a private address space unless there is some form of DNAT.

  • @tompointdll 2 years ago +7

    I think the misconception that "NATing is firewalling" is because of CGNAT and the fact that a lot of ISPs provide an AIO box that does NAT, firewall, a bit of routing (LAN to WAN // WAN to LAN), a wireless access point and sometimes a SIP box for the phone line ...

    • @TheUAoB 2 years ago +1

      That certainly hasn't helped, but it predates that. I remember discussions on Slashdot 20 years ago, when I was first getting up to speed with IPv6, the main criticism was all devices would be "on the Internet" instead of safely behind a single IP. Of course, it was as much nonsense then as it is now.
      What possibly really didn't help, but I did appreciate the intention, was Microsoft using Teredo by default in Vista with symmetric NAT traversal. They had a big push for IPv6 early on, but I believe it probably backfired more than anything and made people fearful of the technology.

  • @jonshouse1 2 years ago +4

    On most home networks the NAT router does isolate listening ports on LAN machines from connections originating from the WAN. You can argue about definitions all day but that single function, while not perfect, offers at least some protection to the user.

    • @KaldekBoch 2 years ago +1

      So does IPv6 mate. The firewall is not "open" by default.

  • @the-flatulator 2 years ago +3

    Throughout my 30 years in the IT industry I have never heard of NAT being referred to as a Firewall. Perhaps I have been living in a bubble but still don't understand how anyone could confuse NAT and Firewall. Their roles are well defined.

    • @TallPaulTech 2 years ago +4

      You only have to read some of these comments to see how people view NAT.

    • @KaldekBoch 2 years ago +2

      @TallPaulTech Yep. InfoSec people (and I am one of those, with 22 years' experience here) go to great pains to stop people assuming that NAT provides security that it doesn't.
      To be fair though, firewalls themselves don't really provide much security either, because most "attacks" are outbound using reverse shells. You'll be getting compromised via malware that is downloaded somehow from visiting a malicious website, etc. That malware will then make an outbound connection to its command and control systems, which all home firewalls will allow.

  • @DrRChandra 11 months ago +4

    What you demonstrate is quite true. But to mount an attack on my LAN, you'd have to pretty much be on the same segment. Where I am, it's a /24. So that's only around 250 computers which could be "taught" that in order to get to 192.168.1.0/24, the next hop is my WAN address. The attack surface is pretty niche, although we would certainly want to defend against it if we can. The ISP's router is certainly not going to "know" how to get to my 192.168.1.0/24, so for the vast majority of the Internet, it's sort of like a firewall. I would certainly like to see if maybe that's exploitable somehow by someone not on my local subnet, although I'm doubting it.

  • @SuperSodbayar 1 year ago +3

    In this test the web server knows the private IP address of the PC and has some kind of routing possibility to reach it. In most cases that is not possible, because private addresses can't be routed through the internet. But this issue does happen with some kind of direct connection between two companies.

    • @gelotress479 1 year ago

      Thanks for this. I was really confused how the supposed "WAN device"/server was able to address the device using the private IP supposedly only used within the confines of its corresponding private network. Though I wonder how it was possible as well? Was it because the router already knows the device, given that the device has already been "listed" on its NAT list?

  • @BandanazX 1 year ago +3

    That's right man. You tell 'em.
    Unless you have a rackmount box that says Cisco on the front, your network is totally wide open and vulnerable.

  • @MisterGlassy 2 years ago +10

    This video is misleading. NATing is not a firewall and most competent techs will not claim so, but it is a form of security. In fact, it's the best form of security because it's DEFAULT DENY security. In the early days of the internet worms were prevalent. Nimda and Code Red nearly destroyed the internet because listening ports were wide open to the internet. That is because routable IPs were assigned directly to computers and IP scanning and port scanning were rampant. NAT made these a thing of the past as port listening was blocked by DEFAULT. We had firewalls back then too, but no one used them and those that did had poorly configured them. That is because most people take a methodology of ALLOWING everything and BLOCKING only the stuff that's harmful. NAT blocks ALL incoming connections UNLESS someone has intentionally forwarded a port. NATs default to blocking all unsolicited incoming connections by DEFAULT and a competent person must set up port forwarding to bypass this restriction. Firewalls on the other hand can use any methodologies (including many bad methodologies). Firewalls need to be managed by a security-conscious person. IPv6 looks to get rid of the DEFAULT security posture offered by NATing. This is supremely stupid until such time as IPv6 routers COME WITH a firewall built in using a DEFAULT DENY configuration. IPv6 exposes us to the same risks that we saw in the 00's with Nimda and Code Red that threatened the existence of the internet.

    • @KaldekBoch 2 years ago +4

      All IPv6 Firewalls are also default deny; NAT has nothing to do with it. The example shown here at 13:37 needs clarification on what IPv6 router his friend was using and if confirmed this device is not default deny then nobody should be buying those.

    • @nedisawegoyogya 1 year ago

      NAT was invented to cope with the IPv4 shortage. Firewalls and security were there before NAT. NAT makes the internet become restrictnet.

  • @pkskyw 2 years ago

    Very informative, thank you very much. I was looking for this information and had a hard time finding a proper explanation.

  • @davidsomething4867 2 years ago +2

    I think this is more down to the idea that obscurity is security. Probably need to get used to the idea that when IPv6 is more wide-scale this will be more of a thing.

  • @notathome13 2 years ago +2

    Correct but it’s Clayton’s firewall and for some near enough is good enough.

  • @pbrigham 2 years ago +2

    But why did you start with the impression that people think NAT is a firewall? I mean the name itself doesn't have anything related to network protection; Network Address Translation is mapping an IP address into another by modifying network address information. In fact this is a hack that we have to do only because we don't have enough IP addresses for all the devices that need an internet connection; otherwise, with enough available IPs, NAT would not be needed at all, but we would still need firewall rules to secure our devices.

  • @SytheZN 2 years ago +1

    Personally, I like knowing that there are several million 192.168.0.2's out there. Security by obscurity is not secure, but every extra layer helps.

  • @Robinzano 2 years ago

    I really love your videos, they're simple enough for a beginner to follow along, but have some very complex parts as well. I'd love to see some content on the difference between access rules vs port forwards. Also, some content on "stacking" home routers (not sure what the proper term is). Basically, I have my internet-facing router where the WAN port is plugged into my ISP. Then, I have a subset of devices that I don't want to see that network, so I plug another router in, but its WAN port goes to a LAN port on my internet-facing router. Basically, the internet-facing router becomes the ISP for my second router. Keeping the devices on my second network isolated from devices on the first network, or choosing to allow them to only see certain devices on the "first" network, is where I need help. Maybe I want them to see a web server or an IoT server on the first network.

  • @vladislavkaras491 1 month ago +1

    Thanks for the video!

  • @TallPaulTech 2 years ago +4

    2+2=4

  • @Ahnor1989 2 years ago +3

    Yes... But, as you say, the internet doesn't route private IP addresses. If you try to ping 10.0.0.5 from a real server on the internet you get exactly nowhere. A firewall is important, but definitely more important if you route native IPv6 addresses in your LAN.

  • @SchwaAlien 2 years ago

    I used to run a proper PC with multiple NICs as a router / firewall, the best thing it did was intrusion detection, especially since I ran a web server with a forum, so it was very useful catching suspicious activity while still allowing access.

  • @5h4n368 2 years ago +4

    I think you would really like MikroTik devices.

    • @KaldekBoch 2 years ago

      They are a great tool for people to force them to learn how firewalls are actually working. There's no hiding behind these home router web GUIs and ending up with a poor understanding of Firewalls and NAT in general.

  • @devinbarry 1 year ago

    Super cool video. I found this really informative

  • @x3roxide 2 years ago +3

    One reason why it works as a "firewall" is because you cannot send packets with a destination of a private IP over the internet.
    You need slightly more elements in place for it to work as intended. Once you factor in the dropping of those packets, you will see that it does indeed act as a firewall, dropping all packets unless the session was originated from the client.
    Not a NGFW mind you, but at the lowest level, it does offer a little protection against someone trying to use something like nmap to find IPs and/or open ports.
    *edit*
    In order for this to work like you show in the video (or at least close to it) you would have to set up destination NAT (or save time by setting up a site-to-site VPN like IPsec/GRE).

  • @channelI748 1 year ago

    Just Google search NAT firewall. Basically NAT monitors the traffic, otherwise you could just easily guess someone's Private IP address. If your Private IP didn't request it, it's not getting translated. It was not invented as a security measure but "acts like a firewall."

  • @---GOD--- 11 months ago +1

    It's a feature of a firewall.

  • @hypothebai4634 2 years ago +1

    Where does the diagram that you use come from?

  • @ArclampSDR 2 years ago +1

    very well explained.

  • @tcpnetworks 2 years ago +3

    YES IT IS!!! - The marketing team.... :P

  • @studioxxswe 2 years ago +4

    ...And your home router is not really a router as well; running NAT on a router is kinda difficult as well..... Most home routers are just firewalls and access points.

    • @x3roxide 2 years ago +1

      Most "home routers" are routers combined with a switch and a wireless BSS.
      These all-in-one devices generally set up NAT with UPnP enabled to dynamically open ports as required by clients.
      The problem with these devices is that because they are all-in-one, they are generally cheaper/more limited than their dedicated counterparts. More advanced features such as packet inspection, site-to-site IPsec VPN and destination NAT will not be there since it's practically never needed for a home setup.
      Software-based routers/firewalls also offer more features such as TLS packet inspection, but that is a whole different level of pain to set up correctly.

  • @NGinuity 1 year ago

    Eh, sort of. NAT segments networks into two broadcast domains (and in some circumstances multiple collision domains). In order to traverse to another collision domain, you have to have a routing or mapping protocol (like NAT). The ONLY key difference that makes NAT not a firewall is that by strict definition a firewall blocks traffic that is routed somewhere, but if there's no route defined the network just doesn't know where to forward that traffic and the packet is dropped.

  • @catalinalb1722 2 years ago

    Hello Paul, you have the Raspberry Pi as your router at home. Can it control the APs around your house too? Or do you have a special controller for your APs?

  • @tuapuikia 1 year ago

    Just use an IPv6 bridge firewall and deny incoming by default. It's cheaper and protects every device behind the router. IPv6 is safer than a user accidentally installing malware on their devices.

  • @mathesonstep 2 years ago +1

    Wait, so what you're saying is most consumer routers don't have a firewall on for IPv6? I know NAT is not a form of security, NAT is clearly not a firewall, but the firewall on most consumer routers should be blocking inbound traffic by default, right?

    • @KaldekBoch 2 years ago +2

      It should yes. I've asked Paul in another comment what brand of router this is. A stateful IPv6 firewall that by default only allows outbound traffic should be the norm. It's been the default for every router I've seen in the last few years.

    • @tcpnetworks 2 years ago

      Without an inbound static - they absolutely will drop the traffic... Normally. BUT there are many protocols the router is running, and the software quality is generally poor. So you are left open and in the clear if you just rely on NAT.

    • @KaldekBoch 2 years ago +1

      @tcpnetworks Perhaps that's really what the topic should be then: the atrocious quality of the software on devices that may support IPv6.

    • @tcpnetworks 2 years ago

      @KaldekBoch But here, explained so damned well, is the purest form of why NAT is NOT. Don't discount the approach being taken, it's solid...

  • @sly_midnight 1 year ago

    Hi! I'm just commenting on this older video of yours because I saw your reply to a thread I replied to on your 1 day old video about IPv6 and wasn't sure if you were replying to me or just the thread in general (your reply didn't have an @username so I couldn't tell who it was directed to, but I followed the link you posted in your comment that seemed like it was directed to me). But I want to clarify, that my somewhat admittedly scathing comment wasn't against you yourself, you clearly seem to be a more serious engineer, as it was directed mostly to the other seemingly ignorant or misinformed commenters.
    I should also clarify that I am not a Network Engineer, but rather a Systems Engineer, but I do know quite a bit about networking because servers that are not on a network, aren't exactly useful 😅
    In any case I wanted to thank you for making this video, as I appreciate those of us who understand that NAT is not a firewall, and I have to also admit, that I even learned some things from your video I had no idea about! While I have quite a bit of experience with iptables on Linux and pf on OpenBSD, I have yet to teach myself nft as I've not needed to learn it since most enterprises I've worked in still used older RHEL based distros that don't yet have nft and other newer distros use firewalld abstracting the backend away from me, but that's not a valid excuse. You also finally explained why I was perplexed every time a firewall ruleset was reloaded (in some Operating Systems) a constant ping would stop right away, and other times continue until stopped and restarted. Technically ICMP echo requests and echo replies are stateless and have no real connection to track. But I'm assuming that the firewall code in certain Operating Systems see successive ICMP echo requests as a related stream and associates a "virtual" state to it just as some fabricate a "state" to UDP packet streams on the same port and assign an arbitrary timeout since there is no actual FIN or RST packet for UDP streams. Never saw it that way until you said what you did in this video. I actually really appreciated that because I never figured that out on my own!
    I hope you reconsider trying IPv6 as it is actually the future, and while I'm seeing you and at least one other person on RUclips make a video about going exclusively IPv6, I've never actually done that myself. I've always used Dual-stack mode first with a Tunnel from Hurricane Electric over IPv4 (since 2010) and then eventually natively with my home ISP using a bit of software I contributed to (barely) called Dibbler to get a prefix delegation to my internal LAN since about 2012.

  • @Sub-Zero-Homes 2 years ago

    Just as SSL is good practice, so are firewalls. I had a Yoggie once.

  • @_zerocool 2 years ago

    But in pfSense, NAT is a sub-menu of the Firewall menu. And I am using NAT to force all my LAN interface's DNS to my local DNS.

    • @KaldekBoch 2 years ago

      It's a sub menu of the Firewall because all of these devices use IPTables/Netfilter as their Firewall engine (it's part of the Linux kernel). The way that NAT is done in Netfilter is a function of the firewall engine. It does not *mean* it is intended for security purposes.

    • @_zerocool 2 years ago

      @KaldekBoch hmm! Thanks for your explanation, I understand now.

  • @saravanavigneshsrihari7702 1 year ago

    What's the similarity between NAT and firewall?

  • @stephenurquhart4117 2 years ago

    Clearly I need a firewall. 🤣

  • @KaldekBoch 2 years ago

    13:37 - what device is your friend using as a router? All Netfilter based routers with IPv6 should still only be allowing traffic initiated from inside to outside via stateful firewall rules.

    • @BrianG61UK 2 years ago

      It's possible that the only thing being incorrectly allowed in was ICMPv6. That actually seems quite common. Some IPv6 test pages even incorrectly report that your IPv6 is not 100% correctly configured unless they can ping you! However you shouldn't need to let anything back except what counts as established and related in your filters. Established and related will allow all necessary ICMPv6, which doesn't include ping (echo request).

    • @KaldekBoch 2 years ago

      @BrianG61UK I was going to suggest the same thing, but later he says that his friend "set up a web server" on the device and it was reachable.
      For my own sake, I do allow inbound ICMPv6. I'm not particularly concerned about it of course, because my devices all use privacy extensions.

    • @BrianG61UK 2 years ago

      @KaldekBoch Privacy extensions only change the IPv6 address used for outgoing connections. It's likely that each device also has a non-temporary (unchanging) pingable IPv6 address.

    • @KaldekBoch 2 years ago

      @BrianG61UK It does, but that address is essentially unknowable. You can't scan an IPv6 "subnet" as the smallest possible subnet is 64 bits in size. That is a very, very large number. So, unless you advertise that "static" host address, or turn off privacy extensions, it's never used.
      There are some tools out there that try to use statistical techniques to attempt to "scan" IPv6 networks for active IPv6 hosts but they are a real roll of the dice.

    • @BrianG61UK 2 years ago

      @KaldekBoch But just one mistake, an exploit and a trojan, and it's known and can receive commands in an ICMPv6 from anywhere on the internet.

  • @delvas0069 2 years ago

    Maladaptive daydreaming gang be like

  • @ahweikun 2 years ago +1

    could you please do how to convert hex to binary?

    • @TallPaulTech 2 years ago +2

      ruclips.net/video/5jG3f4Lryf8/видео.html

  • @rogue3 2 years ago +6

    I'm gonna have to go ahead and disagree with you. Using NAT inherently blocks all unsolicited inbound traffic (unless you specifically set up port forwarding). As long as you trust the devices inside your network this is all the "firewall" most people will ever need.

    • @hex2307 2 years ago +3

      No it doesn't, UDP hole punching proves that it doesn't.

    • @rogue3 2 years ago +1

      @hex2307 notice I said "As long as you trust the devices inside your network". UDP holes are punched from the inside out.

    • @nortonsima 2 years ago +1

      You can say it obfuscates the internal addresses, but it's not firewalling indeed. Private addresses are not globally routed by default; most routers drop packets with a private address origin, but they can be routed if the routers are enabled to do it. And if you connect directly to a WAN port on a router, and no filters are in place, it will route in to the private address!

    • @rogue3 2 years ago

      @nortonsima you are right that it CAN route in IF configured to do so.... but that's the same as disabling a firewall and then saying it failed. I am talking about a situation where you have a service listening on a port on an internal IP address that should not be accessible from outside. With NAT it WILL NOT be accessible from outside unless someone takes steps to make it accessible (port forwarding, stream proxying, etc). Let's say an http request comes in to port 80 on the public IP of a typical NAT router: no matter how many machines on that internal network are accepting connections on TCP/80, the requests will not reach any of them unless someone specifically tells the router which internal IP to send the request to.

    • @TallPaulTech 2 years ago +3

      Stop thinking of netfilter architecture only in the context of a shitty home router/firewall. NAT is simply address translation. It exists on big enterprise routers for various reasons. It isn't the filtering part though, as I showed on the diagram. The world is bigger than your tplink thing.

  • @e_r_f_a_n_m1400 2 years ago

    Laughs in piracy

  • @TecraTube 2 years ago +1

    I've never once heard someone say, "NAT is a firewall (or acts as one)." I guess I get what you're saying though, and how it's possible the layman who buys a router from Best Buy MIGHT think that, but then again, a layman buying a router from Best Buy also doesn't know what NAT is.

    • @studioxxswe 2 years ago +1

      I think a layman would refer to that as port forwarding, at least in one direction..

  • @esspe2 2 years ago

    Interesting! Actually you rely on your ISP to keep sending packets to your private addresses, so NAT seems like a firewall.
    But in any other case your router will accept inbound packets from the internet to private addresses without blinking an eye.
    One case could be when the ISP router also gets a route to your private addresses (normally it only has one route to your WAN address), eg by misconfiguration or vulnerability exploit.

    • @ziran80 2 years ago

      The ISP doesn't see the private IPs at all. The router doing the masquerading changes the local IP and port to an external IP and port, then when a packet for that external IP and port arrives it unmasquerades it into the local IP and port again.

    • @esspe2 2 years ago

      @ziran80 yes, I was rather thinking of an unusual case where the ISP router is compromised/misconfigured.
      Packets sent "into the blind" from the ISP to private addresses would be able to reach any interior device if there are no firewall policies to block them.
      But as you said, normally ISPs don't forward private addresses since they don't know them.

  • @vishwamithra3390 2 years ago +1

    @Tall Paul Tech One big thing you are forgetting is that most routers have asymmetric NATing. Which means, unless an external port is opened (through TCP), it is impossible to reach the computer. Stop spreading wrong information.

    • @BrianG61UK 2 years ago

      Send a UDP packet somewhere and any router will open a path for a UDP packet to come back. It's not quite as bad as having UPnP enabled, but it's bad.

    • @KaldekBoch 2 years ago

      You are wrong, because all firewalls already do that regardless of NAT. It's called stateful firewall rules and has been in use since the mid 1990s.
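
A runnable sketch, added here as an editorial example (not code from the video or from any commenter), of the distinction argued back and forth in this thread: the davids8345 / GrishTech / RoterFruchtZwerg exchange near the top about whether the router forwards a packet whose sender has a route to the private host, and the hex2307 / rogue3 / BrianG61UK / KaldekBoch comments about UDP return paths and stateful rules. It models a netfilter-style forward path in Python: conntrack records every outbound flow, masquerade translates the source on the way out and un-translates replies, and a separate `ct state established,related accept; drop` decision in the forward chain is the only thing that ever refuses an unsolicited packet. The addresses (10.0.0.0/24 LAN, 192.0.2.1 WAN, 203.0.113.10 server) are documentation ranges chosen for the example and the packets are constructed inline; it models the decision logic, not the kernel's data structures.

```python
"""Toy model of a netfilter-style forward path, separating what NAT does
from what the filter does. Editorial example with constructed packets;
addresses are documentation ranges (RFC 5737) chosen for illustration."""
from dataclasses import dataclass, field, replace

LAN_PREFIX = "10.0.0."   # the private /24 behind the router (assumed for the example)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Router:
    wan_ip: str
    masquerade: bool        # nat postrouting: masquerade on the WAN interface
    stateful_filter: bool   # forward chain: ct state established,related accept; drop
    # conntrack entries keyed by the reply tuple as it will arrive on the WAN:
    # (proto, remote, rport, dst_as_seen_by_remote, dport) -> original (lan_ip, lan_port)
    conntrack: dict = field(default_factory=dict)
    next_port: int = 40000  # ephemeral port pool used by masquerade

    def from_lan(self, pkt: Packet):
        """LAN -> WAN. State is recorded whether or not the source is translated."""
        if self.masquerade:
            ext_port, self.next_port = self.next_port, self.next_port + 1
            out = replace(pkt, src=self.wan_ip, sport=ext_port)
        else:
            out = pkt  # no translation: the private source address goes out as-is
        self.conntrack[(pkt.proto, pkt.dst, pkt.dport, out.src, out.sport)] = (pkt.src, pkt.sport)
        return "forward", out

    def from_wan(self, pkt: Packet):
        """WAN -> LAN: conntrack/un-NAT first, then routing, then the forward filter."""
        entry = self.conntrack.get((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if entry is not None:
            # Reply to a flow we saw go out: ESTABLISHED. If it was masqueraded,
            # restore the original destination. Accepted with or without a filter.
            lan_ip, lan_port = entry
            return "forward", replace(pkt, dst=lan_ip, dport=lan_port)
        if pkt.dst == self.wan_ip:
            # Addressed to the router itself and nothing maps it: it takes the
            # INPUT path and is never forwarded to a LAN host. This is the
            # "hiding" that one public address gives, and it is not a filter.
            return "local", None
        if pkt.dst.startswith(LAN_PREFIX):
            # The sender had a route to the private range via our WAN address.
            # The router has a connected route, so only the forward chain can
            # refuse it; masquerade is not consulted for a NEW inbound packet.
            if self.stateful_filter:
                return "drop", None   # ct state new arriving on the WAN: drop
            return "forward", pkt     # NAT alone does nothing here
        return "drop", None  # no route at all


def run_scenarios():
    """Exercise the four NAT/filter combinations and report what reaches the LAN."""
    host, server, wan = "10.0.0.5", "203.0.113.10", "192.0.2.1"
    results = {}
    for nat in (True, False):
        for fw in (True, False):
            r = Router(wan_ip=wan, masquerade=nat, stateful_filter=fw)
            # 1. the LAN host opens a TCP connection to the web server
            _, out = r.from_lan(Packet("tcp", host, 51000, server, 80))
            # 2. the server replies to whatever source it saw
            act_reply, back = r.from_wan(Packet("tcp", server, 80, out.src, out.sport))
            # 3. the server, holding a route to 10.0.0.0/24, sends an unsolicited SYN
            act_direct, _ = r.from_wan(Packet("tcp", server, 12345, host, 22))
            # 4. an unsolicited SYN to the router's public address, no port forward
            act_wan, _ = r.from_wan(Packet("tcp", server, 12346, wan, 80))
            # 5. UDP: the host talks to a STUN-like service, the same remote answers
            _, u = r.from_lan(Packet("udp", host, 5000, server, 3478))
            act_udp, _ = r.from_wan(Packet("udp", server, 3478, u.src, u.sport))
            results[(nat, fw)] = {
                "reply_reaches_host": act_reply == "forward" and back.dst == host,
                "unsolicited_to_host": act_direct,
                "unsolicited_to_wan_ip": act_wan,
                "udp_return_path": act_udp,
            }
    return results


if __name__ == "__main__":
    for (nat, fw), res in run_scenarios().items():
        print(f"masquerade={str(nat):5} filter={str(fw):5} -> {res}")
```

Run it and compare the four combinations. With masquerade on and no filter, the unsolicited SYN addressed to 10.0.0.5 is forwarded, which is the video's demonstration and, as davids8345 notes, only works when the sender has a route to the private range. With the stateful filter on it is dropped whether or not NAT is configured, which is KaldekBoch's point that state tracking is a firewall function, not a NAT one. In every configuration a SYN to the router's own WAN address goes nowhere near a LAN host because nothing maps it; that single-address effect is what several commenters are crediting to NAT. The UDP return path is opened by conntrack in all four, as BrianG61UK describes; this model keys entries on the full reply tuple the way Linux conntrack does, so a packet from a different remote to that external port would not match, whereas a full-cone NAT would also let it in.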

  • @StanWu 2 years ago +2

    NAT is a simple firewall; it's good enough for most home users.

  • @vishwamithra3390 2 years ago +1

    sorry, NAT IS A FIREWALL

  • @jamess1787 2 years ago

    Not using NAT on an ipv6 network gives the content creator the ability to prosecute those silly DMCA, down to a person who owns that specific device.
    Let's keep NAT alive 🥳

    • @BrianG61UK 2 years ago

      If you use SLAAC and privacy extensions you can go a long way to hiding the identity of the individual device.

    • @KaldekBoch 2 years ago +1

      All operating systems support Privacy extensions which randomise the host address portion. Windows does this by default. Linux distros, it will depend on what their defaults are.