On Fri, Feb 16, 2024 at 6:10 PM Ryan Hamel <ryan@rkhtech.org> wrote:
Depending on where that rule is placed within your ACL, yes that can happen with *ANY* address family.
Hi Ryan, Correct. The examples illustrated a difference between a firewall implementing address-overloaded NAT and a firewall implementing everything except the address translation. Either example could be converted to the other address family and it would work the same way.
All things aside, I agree with Dan that NAT was never ever designed to be a security tool. It is used because of the scarcity of public address space, and it provides a "defense" depending on how it is implemented, with minimal effort. This video tells the story of NAT and the Cisco PIX, straight from the creators https://youtu.be/GLrfqtf4txw
NAT's story, the modern version of NAT when we talk about IPv4 firewalls, started in the early '90s with the Gauntlet firewall. It was described as a transparent application layer gateway. Gauntlet focused on solving enterprise security issues. Gauntlet's technology converged with what was then 1:1 NAT to produce the address-overloaded NAT like what later appeared in the Cisco PIX (also first and foremost a security product) and is present in all our DSL and cable modems today. Security came first, then someone noticed it'd be useful for address conservation too. Gauntlet's customers generally had or could readily get a supply of public IP addresses. Indeed, when Gauntlet was released, IP addresses were still available from hostmaster@internic.net at zero cost and without any significant documentation. And Gauntlet was expensive: folks who couldn't easily obtain public IP addresses also couldn't afford it. Regards, Bill Herrin -- William Herrin bill@herrin.us https://bill.herrin.us/