Subject: Re: Redeploying most of 127/8 as unicast public
Date: Sat, Nov 20, 2021 at 10:47:10PM -0500
Quoting Joe Maimon (jmaimon@jmaimon.com):
> layer in front of these classes of devices or that they will be
> deployed|developed with sufficient/equivalent security without that
> layer is not nearly as re-assuring.
The inside/outside paradigm inherent in the reasoning of the "NAT is a good, big part of my firewall" crowd is woefully inadequate to describe and counter the threats of today. The techniques to get past uni-reachability (the NATted client can ask the net, but not in reverse) are many and advanced.

Since there is a somewhat inflated belief in the efficiency of the unroutability paradigm, once inside, the rules tend to be relaxed. It might very well be so that the resultant protection level will be better once you realise you can't trust the net to not deliver packets to you.

Also, I much prefer writing firewall rules where the IP addresses don't change in flight. Less to screw up.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668

Of course, you UNDERSTAND about the PLAIDS in the SPIN CYCLE --
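[Editor's added example, not part of the original post or of anything Måns posted: a stateful nftables ruleset that gives a publicly addressed host and the subnet behind it the same "inside can initiate, outside cannot" property the NAT crowd relies on, with no address translation. The interface names (eth0/eth1) and the prefixes (198.51.100.0/24, 203.0.113.0/24, the single host 198.51.100.25) are hypothetical documentation values chosen for the example; replace them with your own.]

```nftables
#!/usr/sbin/nft -f
# Stateful filter without NAT: addresses seen in rules are the addresses
# on the wire, so the same source/destination can be written on both
# sides of the router and in logs without translating back and forth.
flush ruleset

define wan     = "eth0"               # hypothetical upstream interface
define lan     = "eth1"               # hypothetical inside interface
define lan_net = 198.51.100.0/24      # hypothetical public prefix routed to us
define mgmt    = 203.0.113.0/24       # hypothetical management prefix

table inet filter {
    # Traffic to the router itself.
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept   # replies to what we asked for
        ct state invalid drop
        iif lo accept
        ip protocol icmp accept                # keep PMTUD and diagnostics working
        ip6 nexthdr icmpv6 accept              # ND/RA/PMTUD for IPv6

        # Only explicitly listed services are reachable from outside.
        iifname $wan ip saddr $mgmt tcp dport 22 ct state new accept
    }

    # Traffic crossing the router between $lan and $wan.
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept   # return path for inside-initiated flows
        ct state invalid drop

        # Inside hosts may initiate anything outbound (uni-reachability),
        # but only with their own, untranslated source addresses.
        iifname $lan oifname $wan ip saddr $lan_net ct state new accept

        # Exposure is an explicit, per-host decision rather than a side
        # effect of a port-forward; this host publishes HTTPS only.
        iifname $wan oifname $lan ip daddr 198.51.100.25 tcp dport 443 ct state new accept
    }

    # Deliberately no "table ip nat" / masquerade: nothing rewrites addresses.
}
```

Load with `nft -f ruleset.nft` and inspect with `nft list ruleset`. The default-drop forward chain plus the `established,related` match is what actually blocks unsolicited inbound packets; NAT only ever delivered that as a side effect, and with the addresses unchanged the same rule text is valid on the router, on the host, and in whatever is reading the flow logs.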