Networking noob here. I want to prevent all incoming requests except through a specific port, and that traffic is forwarded to a specific device on the network. NAT seems to do that just fine, it’s almost like a kind of firewall by itself. What kind of threats are there that requires more than just NAT for security?

  • MangoPenguin@lemmy.blahaj.zone
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    1
    ·
    8 months ago

    For incoming traffic on IPv4 only, NAT technically is fine. But it won’t block any outgoing traffic, and IPv6 doesn’t use NAT at all.

    • drkt@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      4
      ·
      8 months ago

      IPv6 can use NAT; there are some unfortunate souls out there whom are only getting a /128 (one address, basically) by their ISP, instead of a /64 or /48

    • Snot Flickerman@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      8 months ago

      and IPv6 doesn’t use NAT at all.

      Not entirely true! It uses a type of NAT to translate IPv4 addresses into comparable IPv6 addresses.

      • IAm_A_Complete_Idiot@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        2
        ·
        8 months ago

        For context for other readers: this is referring to NAT64. NAT64 maps the entire IPv4 address space to an IPv6 subnet (typically 64:ff9b). The router (which has an IPv4 address) drops the IPv6 prefix and does a normal IPv4 NAT from there. After that, you forward back the response over v6.

        This lets IPv6 hosts reach the IPv4 internet, and let you run v6 only internally (unlike dual stack which requires all hosts having v6 and v4).