From: William Herrin via NANOG Hate on it all you want, 1:many NAT renders my internal network not just inaccessible from the Internet but inaddressible as well.
On Thu, Jun 18, 2026 at 6:31 AM Gary Sparkes <gary@kisaracorporation.com> wrote:
I can't imagine any case in where the ability to arbitrarily punch through your firewall (as an attacker) once I have any kind of foothold is a good feature.
Gary, With due respect, the issue you raise is not a characteristic specific to NAT-based firewalls. Whether you allow outbound traffic by default is a separate matter from whether you use a NAT with your firewall or another technique. With the exception of the rarely used application proxy firewalls, all can be programmed to allow outbound by default and all can be programmed to deny outbound except as whitelisted. They are equivalent on the question. I usually choose to allow it because security is a tradeoff with utility and disallowing outbound without pre-approval usually has a more expensive loss of utility than the risks it mitigates. I have the same choice to make regardless of whether I've employed NAT on that subnet. Regards, Bill Herrin -- For hire. https://bill.herrin.us/resume/