
But NAT acts as a one way door to your private subnet, doesn't it?


The firewall provides the stateful one way door, the router moves packets between the set of subnets it can see, and NAT makes it so things on the public internet think the conversations from one private address+port combo are actually coming from another public address.

The last part isn't adding the security, and you can absolutely NAT without preventing the "outside" subnets from being allowed to route to the "inside" subnet; it's just that NAT is almost always done on the box providing the stateful firewall too, so people tend to think of the three functions as combined in concept as well.


> you can absolutely NAT without preventing the "outside" subnets from being allowed to route to the "inside" subnet

Under very specific conditions. Technically, if you send a packet with destination 192.168.1.10 directly to the WAN port of the router, yes, it can route it inside. The problem is how to deliver this packet over the internet. You need to be connected to exactly the same network segment to pull it off.

And you don't need a stateful firewall to deny this kind of packet.


But the NAT is the part making more things reachable, not less.

You need state to block only inbound-originated sessions (i.e. the one-way door to a private subnet).
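To make the split the thread is drawing concrete, here is a toy model of a router that can have address translation and stateful filtering switched on independently. It is an example added here, not code from any of the posters. The addresses (203.0.113.1 as the public side, 192.168.1.0/24 inside, 198.51.100.x as remote hosts) and the port-only NAT table are constructed assumptions; it also assumes the simplest kind of NAT, where an existing mapping is reachable from any remote source, which is what makes the "NAT makes more things reachable" point visible.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed topology (assumed values, not from the thread).
WAN_ADDR = "203.0.113.1"   # router's public address
LAN_PREFIX = "192.168.1."  # crude /24 prefix match for the private subnet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str  # interface the packet arrives on: "lan" or "wan"


FlowKey = Tuple[str, int, str, int]  # (src, sport, dst, dport) as seen on the WAN side


class Router:
    """Routing is always on; NAT and the stateful filter are independent switches."""

    def __init__(self, nat: bool, stateful: bool) -> None:
        self.nat = nat
        self.stateful = stateful
        # public port -> (private address, private port); endpoint-independent mapping (assumption)
        self.nat_table: Dict[int, Tuple[str, int]] = {}
        self.next_port = 40000
        # reply-direction keys of flows that were originated from the inside
        self.established: Set[FlowKey] = set()

    @staticmethod
    def in_lan(addr: str) -> bool:
        return addr.startswith(LAN_PREFIX)

    def _alloc(self, priv: str, pport: int) -> int:
        for pub, mapping in self.nat_table.items():
            if mapping == (priv, pport):
                return pub
        pub, self.next_port = self.next_port, self.next_port + 1
        self.nat_table[pub] = (priv, pport)
        return pub

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as it leaves the router, or None if it is dropped."""
        if pkt.iface == "lan" and not self.in_lan(pkt.dst):
            out = pkt  # outbound, LAN -> WAN
            if self.nat:
                out = Packet(WAN_ADDR, self._alloc(pkt.src, pkt.sport), pkt.dst, pkt.dport, "wan")
            if self.stateful:
                # remember the reply direction so the firewall can let it back in
                self.established.add((out.dst, out.dport, out.src, out.sport))
            return out
        if pkt.iface == "wan":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if self.stateful and key not in self.established:
                return None  # state is what turns the door one-way
            if self.nat and pkt.dst == WAN_ADDR:
                mapping = self.nat_table.get(pkt.dport)
                if mapping is None:
                    return None  # addressed to the router itself, nothing to forward
                priv, pport = mapping
                return Packet(pkt.src, pkt.sport, priv, pport, "lan")
            if self.in_lan(pkt.dst):
                # already carries a private destination: plain routing, NAT is never consulted
                return Packet(pkt.src, pkt.sport, pkt.dst, pkt.dport, "lan")
        return None


def run_scenarios() -> Dict[Tuple[bool, bool], Dict[str, object]]:
    """Run the same four packets through NAT-only, stateful-only and NAT+stateful routers."""
    results = {}
    for nat, stateful in [(True, False), (False, True), (True, True)]:
        r = Router(nat=nat, stateful=stateful)
        # 1. inside host opens a connection to a public server
        outbound = r.forward(Packet("192.168.1.10", 51000, "198.51.100.7", 443, "lan"))
        # 2. the server replies to whatever source it saw
        reply = r.forward(Packet("198.51.100.7", 443, outbound.src, outbound.sport, "wan"))
        # 3. unsolicited packet on the WAN side already addressed to the private host
        direct = r.forward(Packet("198.51.100.9", 40000, "192.168.1.10", 22, "wan"))
        # 4. unsolicited packet from a different host aimed at the router's translated port
        probe = r.forward(Packet("198.51.100.9", 9, WAN_ADDR, outbound.sport, "wan"))
        results[(nat, stateful)] = {
            "outbound_src": outbound.src,
            "reply_delivered_to": reply.dst if reply else None,
            "direct_inbound_delivered": direct is not None,
            "mapped_port_probe_delivered": probe is not None,
        }
    return results


if __name__ == "__main__":
    for cfg, res in run_scenarios().items():
        print(f"nat={cfg[0]} stateful={cfg[1]}: {res}")
```

With NAT alone, both unsolicited packets reach the inside host: the one addressed straight to 192.168.1.10 is simply routed, and the one aimed at the translated port is handed through the existing mapping. With the stateful filter on, only the reply to the flow that was opened from inside gets through, whether or not addresses are being rewritten.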



