
Filtering packets that don't match a criterion (such as a destination port) is done by a firewall, in addition to the NAT. These are typically used together, such as in the "full-cone" situation you described.

Yes, I'm making a pedantic argument about terminology, but it's an important one because IPv6 means we can remove just the NAT part - all of the other filtering/etc features can remain. The goal is to make all devices addressable globally[1], which some people assume is a change in security. That isn't a correct assumption, as an IPv6 router (with a stateful firewall) should drop the same types of packets as their current IPv4-with-NAT router.

[1] NAT badly damages the network by imposing an imprimatur[2] on the hosts behind the NAT.

[2] https://www.fourmilab.ch/documents/digital-imprimatur/
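As an added example (not part of either comment above), the following nftables ruleset shows what "remove just the NAT part" looks like in practice: one stateful forward chain serves both address families and drops unsolicited inbound traffic for IPv6 hosts exactly as it does for IPv4 hosts, while the NAT table exists only for IPv4. Interface names (eth0 for WAN, br0 for LAN) and the 2001:db8::10 address used in the commented-out IPv6 "port forward" are assumptions for illustration only.

```nft
# Added example ruleset, not from the original comments.
# Assumes WAN = eth0, LAN = br0; adjust for your router.

table inet fw {
    chain forward {
        # Default-deny for forwarded traffic in both IPv4 and IPv6.
        type filter hook forward priority filter; policy drop;

        # The stateful-firewall part: replies to flows the LAN opened
        # are allowed back in, for both address families.
        ct state established,related accept
        ct state invalid drop

        # LAN hosts may open new connections to the outside.
        iifname "br0" oifname "eth0" accept

        # IPv6 needs a few ICMPv6 errors forwarded (e.g. for path-MTU
        # discovery); these are not new connections into the LAN.
        oifname "br0" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # The IPv6 equivalent of an IPv4 "port forward": an explicit
        # accept for one globally addressed host and port. Commented
        # out; address is an assumed documentation-prefix example.
        # iifname "eth0" ip6 daddr 2001:db8::10 tcp dport 22 accept

        # Anything else arriving from eth0 for the LAN falls through to
        # the drop policy, whether the LAN host is behind NAT or not.
    }
}

# The NAT part, IPv4 only. Deleting this table changes address
# rewriting, not what the forward chain above drops.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" masquerade
    }
}
```

Load with `nft -f <file>` and inspect with `nft list ruleset`. The security-relevant observation is that an IPv6 host with a global address and an IPv4 host behind masquerade reach the same `policy drop` for unsolicited inbound packets; the NAT table contributes no filtering decision of its own.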




But filtering packets because you don't have a routing destination is not done by a firewall. If I send a packet destined for 253.7.7.7 to a pure router, it will get dropped.

The routing engine on the outside port has a destination for 15.x.x.x. Those packets go into the NAT engine. It does not have a destination for 10.x.x.x. Those packets suffer the same fate they would if you gave them to any router in the middle of the internet. Nowhere to send, abort.



