On Thu, Jun 18, 2026 at 12:55 PM Arie Vayner <ariev@vayner.net> wrote:
Unless I'm missing something, the pwnat mechanism will actually work through any stateful packet inspection (be it NAT or just a firewall) that allows Traceroute to work.
Hi Arie, You're not missing anything. It's a novel mechanism for escalating a beachhead, but Gary hasn't explained why it wouldn't work just as well with any other firewall that allows internal machines to initiate outbound connections by default. Everybody needs ICMP destination unreachable messages from arbitrary sources to reach back to the origin. Path MTU discovery fails if they do not. With any kind of firewall. ICMP Time exceeded is not as crucial but traceroute breaks without it so most firewalls propagate it inward too. Interesting as it is, the thought experiment fails to support Gary's claim that NAT specifically makes a network vulnerable. Regards, Bill Herrin -- For hire. https://bill.herrin.us/resume/