Can we agree NAT is NOT a Firewall first?
On Jun 18, 2026, at 1:45 PM, William Herrin via NANOG <nanog@lists.nanog.org> wrote:
On Thu, Jun 18, 2026 at 10:02 AM Gary Sparkes <gary@kisaracorporation.com> wrote:
I mean, it's precisely why technology like STUN/TURN/ICE exist. As to your ask, with two firewalls, inbound default deny, accept related/established only (So, standard SMB/residential CPE setup), and one having NAT and the other not having NAT, I can.....
Drop a box (raspberry pi, for example) inside the network and VPN into it without having to establish a reverse tunnel first.
I'm sorry, Gary, you're going to establish a VPN to the Pi behind the NAT _without_ the Pi initiating outbound packets and establsihing connection state in the 1:many NAT firewall first? I don't think so. You're going to at least send a set of packets from the Pi to establish state in the NAT firewall. That's how STUN works. TURN flat out defies your conditions: it fully establishes the connection for a reverse tunnel via the external TURN server.
And that same set of packets establishes the same state in the non-NAT firewall. You haven't demonstrated your claim that the NAT version is -more- vulnerable to the attack.
Meanwhile, I don't claim that the NAT firewall makes a network less vulnerable to this sort of physical infiltration. Merely that there are other common attacks to which it is less vulnerable, even when misconfigured.
Regards, Bill Herrin
-- For hire. https://bill.herrin.us/resume/ _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/V7CEX3NO...