nanog mailing list archives

Re: IPv4 flag day


From: William Herrin via NANOG <nanog () lists nanog org>
Date: Thu, 18 Jun 2026 07:20:28 -0700

From: William Herrin via NANOG
Hate on it all you want, 1:many NAT renders my internal network not just inaccessible from the Internet but inaddressible as well.

On Thu, Jun 18, 2026 at 6:31 AM Gary Sparkes <gary () kisaracorporation com> wrote:
I can't imagine any case where the ability to arbitrarily punch through your firewall (as an attacker) once I have any kind of foothold is a good feature.

Gary,

With due respect, the issue you raise is not a characteristic specific
to NAT-based firewalls. Whether you allow outbound traffic by default
is a separate matter from whether you use a NAT with your firewall or
another technique. With the exception of the rarely used application
proxy firewalls, all can be programmed to allow outbound by default
and all can be programmed to deny outbound except as whitelisted. They
are equivalent on the question.

I usually choose to allow it because security is a tradeoff with
utility and disallowing outbound without pre-approval usually has a
more expensive loss of utility than the risks it mitigates. I have the
same choice to make regardless of whether I've employed NAT on that
subnet.

Regards,
Bill Herrin




-- 
For hire. https://bill.herrin.us/resume/
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/WMS3ZYHAJDAPKOVS5OVPZUPXVXOBXGPE/
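The separation Bill describes, shown as an added illustration that is not code from this thread or from either poster: an nftables ruleset in which the stateful inbound filter, the choice between outbound default-allow and outbound default-deny-with-whitelist, and the IPv4 NAT are three independent decisions. The interface names lan0 and wan0, the 192.168.1.0/24 subnet and the whitelisted ports are assumptions made for the example.

```nft
# Added example ruleset (not from the thread). Interface names, the subnet
# and the whitelisted ports are assumed for illustration.
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful core: replies to connections the inside initiated are
        # allowed. This is what keeps the inside unreachable from the Internet
        # and it is the same rule whether or not the IPv4 side is NATed.
        ct state established,related accept
        ct state invalid drop

        # Unsolicited inbound from wan0 to the inside hits "policy drop" above;
        # no NAT is involved in that decision.

        # Outbound policy, variant A (default-allow): anything from the inside
        # may open a connection to the Internet. This is the tradeoff Bill
        # says he usually accepts.
        iifname "lan0" oifname "wan0" accept

        # Outbound policy, variant B (default-deny, whitelist only). Replace the
        # variant A line with these to pre-approve only specific services;
        # this is what addresses Gary's "foothold punches outbound" concern,
        # again independent of NAT.
        # iifname "lan0" oifname "wan0" tcp dport { 80, 443 } accept
        # iifname "lan0" oifname "wan0" udp dport 53 accept
        # iifname "lan0" oifname "wan0" log prefix "outbound-denied: " drop
    }
}

# The IPv4 NAT lives in its own table and says nothing about what is
# permitted in either direction. A site that routes public IPv6 (or public
# IPv4) to the same inside hosts simply omits this table and keeps the
# filter table above unchanged.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wan0" ip saddr 192.168.1.0/24 masquerade
    }
}
```

Load with `nft -f` and inspect with `nft list ruleset`. The check worth making after any change is that a new connection from wan0 toward an inside host is still dropped by the forward chain's policy, and that flipping between variant A and variant B only ever edits the forward chain, never the nat table.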