The article actually remarks on this kind of argument.
While you are technically correct about NAT not being a firewall, it is in practice a widely used front-line defense which, even if not “perfect”, has indisputably proven to be quite effective against a lot of malicious activity.
Against highly determined malicious actors you will of course want a proper firewall, but for 99% of people, NAT is enough to keep from being bothered by run-of-the-mill malicious actors.
Kind of like physical home security: a lot of it is very easy to bypass, but it’s good enough for the common threats.
> Against highly determined malicious actors you will of course want a proper firewall, but for 99% of people, NAT is enough to keep from being bothered by run-of-the-mill malicious actors.
Maybe, maybe not, but regardless, 99% of people are not protected by a NAT. They are protected by a "proper firewall," which happens to support NAT (and typically is enabled for IPv4 networks).
That is to say, while most home routers support NAT, they also ship with a default-deny firewall turned on. Typically, enabling NAT mappings also configures the firewall for users. But they are not the same thing, and we need to stop conflating them, because it causes a lot of confusion when people think that IPv6 is "open by default" and that IPv4 is "protected by NAT." It's not. They are both protected by your router using the same default-deny firewall.
This is BS. "Default deny" or "default accept" makes no practical difference with NAT. You can leave the "default accept" rule with NAT and you'll be perfectly fine except in some weird edge cases.
That's because it's exploitable only if you control the next hop from the NAT router, which is typically within the ISP infrastructure. So the attacker will need to either hack your ISP or mess with your NAT router's physical uplink.
A default-deny firewall is a good idea to protect services everywhere in your network, including those which run on the router itself (e.g. many routers run a local DNS server). Without NAT, packets are not dropped; they simply do not have their destination rewritten to another device on the network. The traffic is still destined for the router and will be processed by it. This is why routers ship with a default-deny firewall rule.
NAT is not a firewall. It is address translation. It will not drop packets.
Sure, a default deny is a good idea. However, it's not _critical_. If you forget to enforce it on your NAT router, you'll be fine. And if you are behind a CGNAT, it's even safer.
In IPv6 it becomes absolutely essential. If you forget to include it, your network becomes wide open. And you don't have an easy way to detect this because you need an external service to probe your network.
> NAT is not a firewall. It is address translation. It will not drop packets.
Yes, it is a firewall because it enables the address space isolation.
You have to squint a little and see they mean that most consumer routers don't map inbound unsolicited packets to anything internal unless the user specifically configured it to. Which is basically a firewall.
That's not true in my experience; consumer-grade routers will often happily route packets with RFC 1918 destination addresses from the WAN to the LAN interface all day. The "firewall" is only that nobody can get packets with those destination addresses to the home router's WAN interface through the internet.
Nope, it's the default behavior of a typical firewall. NAT rewrites packets, but it never drops packets. An un-rewritten packet may fail to route (i.e. "destination unknown"). But that depends on the destination in the packet.
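As an added example (not written by anyone in this thread), here is a minimal nftables ruleset for a home router that keeps NAT (`table ip nat`) and filtering (`table inet filter`) as separate things, so the distinction argued about above is visible in configuration. Interface names `wan0`/`lan0` are assumptions.

```nftables
# Added example, not from the thread. Interface names are assumptions.
define WAN = wan0
define LAN = lan0

# NAT table: only rewrites source addresses of LAN-originated IPv4 flows.
# It contains no drop rule. With this table alone, an unsolicited packet
# arriving on wan0 addressed to the router itself (e.g. UDP/53 to a local
# DNS resolver) is simply not translated and is handed to the router's own
# stack, which is the point made about router-hosted services above.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}

# Filter table: this is what actually protects the router and the LAN,
# for IPv4 and IPv6 alike (inet family). IPv6 has no NAT step to hide
# behind, so "policy accept" on these chains would leave it end-to-end
# reachable; "policy drop" is the default-deny the thread refers to.
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname lo accept
        iifname $LAN accept              # LAN hosts may use router DNS/DHCP
        # IPv6 needs ICMPv6 for neighbour discovery and SLAAC; v4 ping is harmless
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        icmp type echo-request accept
        # Weak variant: changing "policy drop" to "policy accept" here exposes
        # every service listening on the router to the WAN, NAT or not.
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname $LAN oifname $WAN accept # outbound traffic from the LAN
        ct status dnat accept            # inbound only via explicit port-forwards
    }
}
```

Load it with `nft -f <file>`; `nft list ruleset` then shows the nat table carrying no drop action at all, while every drop comes from the filter table's chain policies.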