
On Sat, Nov 20, 2021 at 7:16 PM Owen DeLong via NANOG <nanog@nanog.org> wrote:
This is a common fallacy… The real concept here isn’t “universal reachability”, but universal transparent addressing. Policy then decides about reachability.
Think stateful firewall without NAT.
If you want to allow the incoming connection, you simply permit it rather than having to set up some sort of convoluted port forward.
You can allow open access to a hardened host entirely, or you can open specific ports.
What you don’t have to do is carefully map a limited number of external ports to each be forwarded to a particular port on a particular internal destination host, because you aren’t recycling the one and only public address that all the incoming packets have to first land on; each host has its own address that you can simply enable.
So again, how is port forwarding better than this? (it isn’t).
Hi Owen,

This has been hashed and rehashed on this group about a gajillion times but for the sake of those who are new:

Firewalls are programmed by people. People make mistakes. Lots of mistakes.

1:1 stateful firewalls and 1:many stateful firewalls (NAT) behave differently in the face of those mistakes. When 1:1 stateful firewalls are mistakenly told to pass all traffic they faithfully do so, exposing unhardened hosts directly to the Internet. When 1:many stateful firewalls (NAT) are mistakenly told to pass all traffic they can't do so. They don't have enough information to decide which interior host to send a packet to, so they simply break.

One fails as a security perimeter breach. The other fails as a system down. Pick which security posture you prefer, but they're very much not the same. A knocked over fence versus a lost padlock key and well into the zombie apocalypse.

Regards,
Bill Herrin

-- 
William Herrin
bill@herrin.us
https://bill.herrin.us/
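The failure-mode difference Bill describes can be made concrete with a small model of the two devices. This is an added example, not code from the thread or from any vendor product; the device classes, the RFC 5737 documentation addresses and the traffic are all constructed for illustration. Both devices are given the same mistaken "pass all inbound traffic" rule, then handed one legitimate reply and one unsolicited probe.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str  # "ip:port" (IPv4 only, so split(":") is unambiguous)
    dst: str  # "ip:port"


@dataclass
class StatefulFirewall:
    """1:1 case: every inside host has its own globally reachable address."""
    inside_hosts: set
    permit_all_inbound: bool = False          # the misconfiguration under discussion
    flows: set = field(default_factory=set)   # (outside peer, inside endpoint) seen

    def outbound(self, pkt: Packet) -> Packet:
        # Remember the reverse tuple so the reply is allowed back in.
        self.flows.add((pkt.dst, pkt.src))
        return pkt                            # no rewriting: addressing is transparent

    def inbound(self, pkt: Packet):
        if pkt.dst.split(":")[0] not in self.inside_hosts:
            return None
        if (pkt.src, pkt.dst) in self.flows or self.permit_all_inbound:
            return pkt                        # delivered unchanged to the interior host
        return None


@dataclass
class NatGateway:
    """1:many case (PAT): all inside hosts share one public address."""
    public_ip: str
    permit_all_inbound: bool = False          # same mistake, but see inbound()
    translations: dict = field(default_factory=dict)  # (outside, public) -> inside
    next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        public = f"{self.public_ip}:{self.next_port}"
        self.next_port += 1
        self.translations[(pkt.dst, public)] = pkt.src
        return Packet(src=public, dst=pkt.dst)

    def inbound(self, pkt: Packet):
        inside = self.translations.get((pkt.src, pkt.dst))
        if inside is None:
            # permit_all_inbound is irrelevant here: with no translation entry
            # there is no interior host to rewrite the destination to, so the
            # packet is dropped. The mistake fails closed ("system down").
            return None
        return Packet(src=pkt.src, dst=inside)


def compare_permit_all_mistake() -> dict:
    """Run a legitimate reply and an unsolicited probe through each device
    with the 'pass all traffic' mistake in place; return what got through."""
    fw = StatefulFirewall(inside_hosts={"192.0.2.10"}, permit_all_inbound=True)
    nat = NatGateway(public_ip="203.0.113.1", permit_all_inbound=True)

    server = "198.51.100.5:443"      # constructed outside web server
    scanner = "198.51.100.99:51234"  # constructed outside host nobody talked to

    # Legitimate session: an inside host connects out and the server replies.
    out = fw.outbound(Packet(src="192.0.2.10:5555", dst=server))
    fw_reply = fw.inbound(Packet(src=server, dst=out.src))

    out = nat.outbound(Packet(src="10.0.0.10:5555", dst=server))
    nat_reply = nat.inbound(Packet(src=server, dst=out.src))

    # Unsolicited inbound packet aimed at an interior service (port 22).
    fw_probe = fw.inbound(Packet(src=scanner, dst="192.0.2.10:22"))
    nat_probe = nat.inbound(Packet(src=scanner, dst="203.0.113.1:22"))

    return {
        "firewall_reply_delivered": fw_reply is not None,
        "nat_reply_delivered": nat_reply is not None and nat_reply.dst == "10.0.0.10:5555",
        "firewall_probe_reaches_host": fw_probe is not None,  # True: perimeter breach
        "nat_probe_reaches_host": nat_probe is not None,      # False: simply dropped
    }


if __name__ == "__main__":
    for name, value in compare_permit_all_mistake().items():
        print(f"{name}: {value}")
```

The model only covers the case Bill is making: an unsolicited packet with no matching translation state. A NAT gateway that also carries static port-forward (DNAT) entries does have an interior destination for those ports, so a permit-all mistake on such a box exposes the forwarded hosts exactly as the 1:1 firewall does; the fail-closed property belongs to the absence of state, not to NAT as such.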