That's a great point - the packet is not dropped by the firewall as a result of NAT - but it still won't route anywhere because the IP in the packet is that of the router itself. I've updated the article as a result of your comment, thanks.
It might be the IP of the router, in which case the router itself will accept the connection if something is listening (like the web interface perhaps). But whoever sent you the L2 frame has full control over the contents of the IP in the packet, so it could be anything.
So, if you have NAT but a grossly misconfigured router, it might not be secure?
Quick question - do you think that "security by obscurity is not security"? And, as a follow-up, when you park your car do you ensure your laptop bag is out of sight, maybe locked away in the boot?
Because here's a mindblowing concept that'll change the way you see the world - you can have a door lock but it won't make you secure. You need to actually fit the lock to some sort of door.
If you have NAT, that doesn't tell you anything about whether the router is secure. All it tells you is that outbound connections made through the router will appear to come from the router's own IP; it doesn't tell you whether inbound connections will work or not.
Repeating the same wrong points doesn't make you right.
Every NAT based product will have a firewall built in also by default. And it'll be deny-all except for conn-tracked.
And that L2 attack is a martian packet. Why are you allowing reserved IPs to talk on public network interfaces (hello, spoofing, and obvious at that)? These are always blocked due to the reasons you describe.
That's only because your ISP won't have routed that packet to you if someone gave it to _them_. However, if someone was able to get to the ISP-side of the connection that you have with your ISP, and send a packet down the fiber/copper line from the ISP side towards your router, and that packet has a dst of your internal network (192.168.0.1 or whatever), your router will happily route that straight on to whatever internal network you have.
This means that if someone decided to be a bad actor and start tapping fiber lines on the poles in your neighborhood, NAT would do literally nothing to protect you from all the packets they start sending your way.
Yes, physical tapping of lines / ISP attacks were outside of the threat vector I was discussing. At this point, I think any discussion of NAT starts to look a little orthogonal.
If somebody is wishing to tap fiber optic lines to the ISP or to hack the ISP just to get to your router, then you probably are not going to be saved by a "default deny" firewall anyway.
IPv4 is not NAT-by-default. The reality of the world we live in today is that most home networks have a NAT, because you need multiple devices behind a single IP.
That said, I agree: it's quite unknowable how many services I've turned on on local machines with the expectation that a router firewall sat between me and potential clients.
But that doesn't go away with IPv6 - the NAT does, the router doesn't, and the firewall shouldn't either. For example, the default UniFi firewall rules for IPv6 are: 1. Allow Established/Related Traffic (outbound return traffic), 2. Block Invalid Traffic, 3. Block All Other Traffic
You must explicitly open a firewall rule for inbound IPv6 traffic. NAT is not the firewall.
The article actually remarks on this kind of argument.
While you are technically correct about NAT not being a firewall, it is in practice a widely used front-line defense which, even if not “perfect”, has indisputably proven to be quite effective against a lot of malicious activity.
Against highly determined malicious actors you will of course want a proper firewall, but for 99% of people, NAT is enough to keep from being bothered by run of the mill malicious actors.
Kind of like physical home security, a lot of it is very easy to bypass, but it’s good enough for the common threats.
> Against highly determined malicious actors you will of course want a proper firewall, but for 99% of people, NAT is enough to keep from being bothered by run of the mill malicious actors.
Maybe, maybe not, but regardless 99% of people are not protected by a NAT. They are protected by a "proper firewall," which happens to support NAT (and typically, is enabled for IPv4 networks.)
That is to say, while most home routers support NATs, they also ship with a default-deny firewall turned on. Typically, enabling NAT mappings also configures the firewall for users. But they are not the same thing and we need to stop conflating them because it causes a lot of confusion when people think that IPv6 is "open by default" and that IPv4 is "protected by NAT." It's not. They are both protected by your router using the same default-deny firewall.
This is BS. "Default deny" or "default accept" makes no practical difference with NAT. You can leave the "default accept" rule with NAT and you'll be perfectly fine except in some weird edge cases.
That's because it's exploitable only if you control the next hop from the NAT router, which is typically within the ISP infrastructure. So the attacker will need to either hack your ISP or mess with your NAT router's physical uplink.
A default deny firewall is a good idea to protect services everywhere in your network, including those which run on the router itself (e.g. many routers run a local DNS server.) Without NAT, packets are not dropped, they simply do not have their destination rewritten to another device on the network. The traffic is still destined for the router and will be processed by it. This is why routers ship with a default-deny firewall rule.
NAT is not a firewall. It is address translation. It will not drop packets.
Sure, a default deny is a good idea. However, it's not _critical_. If you forget to enforce it on your NAT router, you'll be fine. And if you are behind a CGNAT, it's even safer.
In IPv6 it becomes absolutely essential. If you forget to include it, your network becomes wide open. And you don't have an easy way to detect this because you need an external service to probe your network.
> NAT is not a firewall. It is address translation. It will not drop packets.
Yes, it is a firewall because it enables the address space isolation.
You have to squint a little and see they mean that most consumer routers don't map inbound unsolicited packets to anything internal unless the user specifically configured it to. Which is basically a firewall.
That's not true in my experience; consumer grade routers will often happily route packets with RFC 1918 destination addresses from the WAN to the LAN interface all day. The "firewall" is only that nobody can get packets with those destination addresses to the home router's WAN interface through the internet.
Nope, it's the default behavior of a typical firewall. NAT rewrites packets but it never drops packets. An un-rewritten packet may fail to route (i.e. "destination unknown".) But that depends on the destination in the packet.
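As an added illustration of the distinction this thread keeps circling (not code from any commenter): a toy model of a home router's forwarding path with constructed addresses, showing that NAT only rewrites destinations, so an unsolicited inbound packet, including one whose destination is already an RFC 1918 LAN address, is forwarded or handled locally unless a default-deny rule drops it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")
WAN_IP = ip_address("203.0.113.7")  # constructed public address (TEST-NET-3 range)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Router:
    """Toy home router: a NAT table, a conntrack table and an optional default-deny rule."""

    def __init__(self, default_deny):
        self.default_deny = default_deny
        self.nat = {}            # WAN port -> (LAN ip, LAN port)
        self.conntrack = set()   # flows that began as outbound connections
        self.next_port = 40000

    def outbound(self, pkt):
        """LAN host opens a connection: allocate a NAT mapping and record the flow."""
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.nat[wan_port] = (pkt.src, pkt.sport)
        self.conntrack.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return Packet(str(WAN_IP), wan_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Packet arriving on the WAN side: NAT, then firewall, then routing."""
        # 1. NAT only rewrites; a packet with no mapping passes through unchanged.
        dst, dport = pkt.dst, pkt.dport
        if ip_address(dst) == WAN_IP and dport in self.nat:
            dst, dport = self.nat[dport]
        # 2. Firewall: allow established/related, otherwise default deny if configured.
        established = (pkt.src, pkt.sport, dst, dport) in self.conntrack
        if self.default_deny and not established:
            return "dropped by firewall"
        # 3. Routing: LAN destinations are forwarded, the router's own IP is handled locally.
        if ip_address(dst) in LAN:
            return f"forwarded to {dst}:{dport}"
        if ip_address(dst) == WAN_IP:
            return f"handled by router itself on port {dport}"
        return "no route"
```

Run `Router(default_deny=False)` against an unsolicited packet for 192.168.0.10 and it is forwarded straight onto the LAN; the same packet into `Router(default_deny=True)` is dropped, while return traffic for a connection opened from the LAN is delivered in both cases.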
> I've slept with my watch for a while (stopped because the battery is crap and I need to charge it every day or it won't last past noon the next day) and I've had the same adjustment period.
I'm guessing this is an Apple Watch? Garmins typically last a week or more.
Samsung Galaxy Watch from years ago, still running Tizen. Got it as a company Christmas present, so I'm not too fussed about the mediocre battery life. From what I can tell the Garmin models in the same price range don't last much longer either.
If it makes you feel any better, I've got a Galaxy Watch 7, perhaps from almost a year ago or so, running Wear OS, and its battery life is at best at the 36 hour mark regardless. Came from an older Tizen-based watch with similar battery life, and at least Wear OS is far more functional.
Due to discrimination and bullying. There goes freedom of expression out of the door. Fortunately that crazy ship has long sailed and nowadays he'd have enough support to resist and publicly voice his opinions without personal attacks.
I think there is a very large difference between citizen activism (i.e. boycotts which can lead to resignations) and government authoritarianism. I have no problem with people exercising their right to free speech - including both Brendan Eich and Firefox users.
No government official spoke up to have Brendan Eich fired, or bullied him or anything like that. His defenestration wasn't driven by government. Brendan Eich said some things, and the community around him judged those things and reacted to it. That means that we're not talking about free speech any more. You have no right to speak and force other people to listen without social consequence; you do have a right to speak without the government retaliating. But other people are free to react to your speech as well, and to speak out in opposition to you.
A lawyer once described what you are calling Free Speech as merely "Protection of the First Speech." You believe that Brendan Eich should be able to speak (the first speech), but that the other people around him should not be able to say what they want in reaction to it (the second speech). Brendan Eich did say things without any government retaliation, and the people who worked at Mozilla didn't want to be associated with that, and so he chose to resign before the organization fell apart. Because those people around Mozilla have free speech rights as well, they are not forced to associate with Mozilla.
Similarly, a company choosing to fire an employee because of their speech is not really a free-speech issue. The company can fire you for pretty much any reason (at least in America; some countries have stronger worker protections), because they don't want to be associated with you any more. On the other hand, if a Government official suggests that you should be fired for something you said in your private life, then your free speech rights are being violated, even if the company does not fire you. It is only when the government gets involved that it becomes a Free Speech issue.
Obligatory XKCD to help you understand why you are wrong about what "Free Speech" means: https://xkcd.com/1357/
No need for "government official". There were plenty of non-government official branches such as media and social networks that were demonstrated to work as shadow tools for imposing heavy censorship around specific agendas. Up until the recent election so was the case for the large majority of mainstream social networks and legacy media.
The whole corona fabrication wasn't that long ago, when governments directly mandated silencing dissident voices (even the scientific ones) and pushed a whole group of normal people into burning anyone who'd point out the obvious inconsistencies.
The First Amendment right exists in large part to enable and encourage non-governmental news reporting - to avoid a world in which government officials can dictate "reality" or "truth."
The Guardian is actually a British publication, which is a bit orthogonal to the original discussion of US free speech. It might be more accurate to say that this was part of an international political conversation. This is because Brendan Eich, the leader of an organization which provides products internationally, made public donations to political groups that seek to strip rights from others. He has a First Amendment right to do so.
As OP states, the rest of the world has a right (in the US, legally; elsewhere, perhaps morally) to respond to Brendan Eich, and Mozilla. If they believe that his views may influence the organization negatively - either due to bad press or through his other behaviors within the organization - they are also granted free speech to call out this behavior.
What we are seeing now is actual government agencies and officials working hard to remove people from their jobs - both in the public and private sectors - in response to views that don't align with their own.
It's not clear to me what your argument is exactly.
My argument is that he contributed to a ballot initiative that passed (meaning the majority supported it), but he was still targeted and lost his job because media platforms targeted him.
To quote Andrew Sullivan:
> "McCarthyism applied by civil actors".
When people with large platforms target you, you're just as screwed regardless of their status as elected officials. To be outraged by one and excuse the other is laughable.
This pretty much sounds like my dream vibe coding dashboard - basically a personal Github populated by AI agents I can assign tasks to. Does this exist yet? Or can something like gitea be setup to behave this way?
In terms of issue tracking and agentic "developers", with a mobile focus -
You can connect Linear to Cursor's web agent, which makes Linear issues assignable to the agent directly and kicks off Cursor's take on remote coding agent. You can then guide it further via Cursor's web chat.
If Claude Code on iOS supported Linear MCP (as it does on desktop), you could run a similar issue-handoff-to-agent-to-issue-update workflow, albeit without direct issue assignment to the agent "user". It's easy to use labels (aka tags) for agent assignment tracking as well.
For my hobby projects, I've been using Linear + agentFlavorOfTheMonth quite happily this way. I imagine Github issues, Asana, whatever could be wired up in place of Linear.
Steve Yegge is building awesome things in this space, but I've found them too heavy. I started using bd when it was small, but now it's trying to do too much IMO, so I made a clone tailored to my use case -> https://github.com/cloud-atlas-ai/ba
durch - just starred this repo! Looking forward to testing it out as I learn how to build with multiple agents.
I'm just starting out with building with Claude - after a friend made this post he sent me a Steve Yegge interview (https://m.youtube.com/watch?v=zuJyJP517Uw). Absolutely loved it. I come from an electrical/nuclear engineering background - Yegge reminds me of the cool senior engineer who's young at heart and open to change.
> Use of AAS in combination with alcohol largely increases the risk of violence and aggression.
> Based on the scores for acute and chronic adverse health effects, the prevalence of use, social harm and criminality, AAS were ranked among 19 illicit drugs as a group of drugs with a relatively low harm.
It's hard to get good research data on extreme abuse of illegal drugs, for obvious reasons.
But seriously, Mastodon, etc. are cool, but there's gotta be a way we can augment RSS to get most of what we want?