
> you can absolutely NAT without preventing the "outside" subnets from being allowed to route to the "inside" subnet

Under very specific conditions. Technically, if you send a packet with destination 192.168.1.10 directly to the WAN port of the router, yes, it can route it inside. The problem is how to deliver this packet over the internet. You need to be connected to exactly the same network segment to pull it off.

And you don't need a stateful firewall to deny this kind of packet.



But the NAT is the part making more things reachable, not less.

You need state to block only inbound-originated sessions (i.e. the one-way door to a private subnet).
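The two positions above fit together, and a small model makes the split visible. The following is an added example, not code from either commenter: it models the WAN ingress ACL that the first comment says is enough to drop packets addressed straight to the inside subnet (no connection state involved), beside the connection-tracking NAT that the second comment says is needed to let replies back in while dropping unsolicited inbound sessions. All addresses are constructed; 203.0.113.5 (the router's public address) and 198.51.100.7 (a remote host) come from the documentation ranges, and the `Packet`, `stateless_wan_filter` and `StatefulNatRouter` names are this example's own.

```python
"""Stateless WAN ACL vs stateful NAT at a home router (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")   # the "inside" subnet named in the thread
PUBLIC_IP = "203.0.113.5"                       # router's WAN address (constructed, TEST-NET-3)
# Private ranges that can never be a legitimate source on the internet side.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    iface: str     # interface the packet arrives on ("wan"/"lan"); for forwarded packets, the egress side
    src: str
    dst: str
    sport: int
    dport: int


def stateless_wan_filter(pkt: Packet) -> str:
    """Plain ingress ACL on the WAN port; no connection tracking at all.

    This is all that is needed for the case in the thread: a host on the WAN segment
    hands the router a packet already addressed to an inside host, which plain routing
    would otherwise forward. Return "drop" or "accept"."""
    if pkt.iface != "wan":
        return "accept"
    if ipaddress.ip_address(pkt.dst) in LAN:
        return "drop"          # addressed directly to the inside subnet
    if any(ipaddress.ip_address(pkt.src) in net for net in BOGON_SOURCES):
        return "drop"          # spoofed private source from the outside
    return "accept"


class StatefulNatRouter:
    """NAT with connection tracking: outbound flows create state, and only WAN packets
    matching that state are translated back and forwarded inside. Everything else that
    survives the stateless ACL but has no matching flow is dropped: the one-way door."""

    def __init__(self):
        # (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.conntrack = {}

    def handle(self, pkt: Packet) -> tuple:
        if stateless_wan_filter(pkt) == "drop":
            return ("drop", None)
        if pkt.iface == "lan":
            # Outbound: record the flow and source-NAT to the public address.
            # The source port is kept unchanged for readability; real NATs may remap it.
            self.conntrack[(pkt.sport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            return ("forward", Packet("wan", PUBLIC_IP, pkt.dst, pkt.sport, pkt.dport))
        # Inbound on WAN: only a reply to a flow started from the inside gets translated.
        inside = self.conntrack.get((pkt.dport, pkt.src, pkt.sport))
        if inside is None:
            return ("drop", None)      # unsolicited inbound session, no state for it
        inside_ip, inside_port = inside
        return ("forward", Packet("lan", pkt.src, inside_ip, pkt.sport, inside_port))


if __name__ == "__main__":
    router = StatefulNatRouter()
    direct = Packet("wan", "198.51.100.7", "192.168.1.10", 4444, 22)
    print("direct-to-inside on WAN, stateless ACL:", stateless_wan_filter(direct))
    print("outbound:", router.handle(Packet("lan", "192.168.1.10", "198.51.100.7", 40000, 443)))
    print("reply:", router.handle(Packet("wan", "198.51.100.7", PUBLIC_IP, 443, 40000)))
    print("unsolicited:", router.handle(Packet("wan", "198.51.100.7", PUBLIC_IP, 5555, 40001)))
```

The unsolicited packet in the last line passes the stateless ACL (its destination is the router's public address, its source is not a bogon) and is dropped only because no connection-tracking entry matches it; the direct-to-inside packet is dropped by the stateless rule before any state is consulted.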