William Herrin (bill) writes:
If your machine is addressed with a globally routable IP, a trivial failure of your security apparatus leaves your machine addressable from any other host in the entire world which wishes to send it packets. In the parlance, it tends to "fail open." Machines using RFC1918 or RFC4193 space often have the opposite property: a failure of the security apparatus is prone to leave them unable to interact with the rest of the world at all. They tend to "fail closed."
Think of this way: Your firewall is a deadbolt and RFC1918 is the lock on the doorknob. The knob lock doesn't stop anyone from entering an unlatched window, opening the door from the inside and walking out with all your stuff. Yet when you forget to throw the deadbolt, it does stop an intruder from simply turning the knob and wandering in.
That's not exactly correct. NAT doesn't imply firewalling/filtering. To illustrate this to customers, I've mounted attacks/scans on hosts behind NAT devices, from the interconnect network immediately outside: if you can point a route with the ext ip of the NAT device as the next hop, it usually just forwards the packets... Phil