Re: IPv4 flag day

[sronan--- via NANOG <nanog () lists nanog org>]

Can we agree NAT is NOT a Firewall first?

> On Jun 18, 2026, at 1:45 PM, William Herrin via NANOG <nanog () lists nanog org> wrote:
>
> On Thu, Jun 18, 2026 at 10:02 AM Gary Sparkes
> <gary () kisaracorporation com> wrote:
> > I mean, it's precisely why technology like STUN/TURN/ICE exist.
> > As to your ask, with two firewalls, inbound default deny, accept related/established
> > only (So, standard SMB/residential CPE setup), and one having NAT and the other not having NAT, I can.....
> >
> > Drop a box (raspberry pi, for example) inside the network and VPN into it without having to establish a reverse 
> > tunnel first.
>
> I'm sorry, Gary, you're going to establish a VPN to the Pi behind the
> NAT _without_ the Pi initiating outbound packets and establsihing
> connection state in the 1:many NAT firewall first? I don't think so.
> You're going to at least send a set of packets from the Pi to
> establish state in the NAT firewall. That's how STUN works. TURN flat
> out defies your conditions: it fully establishes the connection for a
> reverse tunnel via the external TURN server.
>
> And that same set of packets establishes the same state in the non-NAT
> firewall. You haven't demonstrated your claim that the NAT version is
> -more- vulnerable to the attack.
>
> Meanwhile, I don't claim that the NAT firewall makes a network less
> vulnerable to this sort of physical infiltration. Merely that there
> are other common attacks to which it is less vulnerable, even when
> misconfigured.
>
> Regards,
> Bill Herrin
>
> --
> For hire. https://bill.herrin.us/resume/
> _______________________________________________
> NANOG mailing list
> https://lists.nanog.org/archives/list/nanog () lists nanog org/message/V7CEX3NOKEBU2K24RWEK75MOKFP5KFIB/
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/W5Z6TSLIIY7HNEBD5NLGNQ56OJCDFQ27/