Code running in a browser isn't a concern? That foothold can be extremely minimal, non-persistent, and enable far greater attack/leveraging than otherwise available. But yes, this technique of allowing inbound traffic flows to bypass NAT is something that's somewhat common (STUN servers anyone?) to support NAT legitimately, so it's hard to keep out of the mix. As I've noted in previous parts of this discussion, this is an example of the kind of NAT support network code I've ripped out of applications I maintain. So in 1:many NAT scenarios, it's no longer plug-and-play. But it's far simpler and easier to maintain. -----Original Message----- From: William Herrin <bill@herrin.us> Sent: Thursday, June 18, 2026 10:43 AM To: Gary Sparkes <gary@kisaracorporation.com> Cc: North American Network Operators Group <nanog@lists.nanog.org> Subject: Re: IPv4 flag day On Thu, Jun 18, 2026 at 7:23 AM Gary Sparkes <gary@kisaracorporation.com> wrote:
My reference was to opening inbound traffic avenues, not outbound.
Then I don't know what you're talking about. Once you have a foothold inside the network, you're past the firewall and the benefits it gave you. Regardless of whether you used NAT. Regards, Bill Herrin -- For hire. https://bill.herrin.us/resume/