You're joking, right?
A firewall doesn't just do NAT, it does a lot more.
A firewall doesn't do NAT at all. It's a firewall--a packet filter. The fact that the code for firewalls and NATs occupy the same space is merely indicative of a lot of shared responsibility. It makes sense to put your NAT in the same place you put your firewall, because a lot of what both do is shared. But they are absolutely not dependent on one another for operation. There are a lot of NATs out there which provide limited or no security whatsoever. And their firewalls which provide packet filtering for publicly routed address space, but no translation.
The point I am making is that, in IPv4, you have to run a firewall because you have to run a NAT. In fact, my IPv4 NAT also provides very limit ed security, too, but by virtue of its state tables, it does provide some security--security I would sooner dispense with, I might add. But because I have only one IPv4 address now, I don't have a choice about imposing a NAT between the public and private networks.
It provides rate-limiting, it blocks all ports except the ones you want, it allows you to lock down the attack surface of your systems.
None of that is necessary because properly secured hosts simply don't require a defensive security posture to be secure. If your problem is the attack surface, then reduce the attack surface. If your problem is too many requests, then limit the available resources your OS and software consumes, or if that is not possible, use IPsec associations at either end to provide legitimate authentication. Trying to "protect" your hosts by simply denying incoming traffi c, on the theory that they are safe as long as they can't be reached from the outside, while permitting any and all traffic outbound, is an utterly obsolete and discredit security model. Just ask Sony.
Firewalls are nowhere near obsolete. Yes your hosts can "hide" in ipv6 space, but that doesn't mean it will never get attacked...
The IPv6 Internet is end-to-end; traffic can and should reach the host it is destined for. Hosts must be secure on unprotected networks, especially now that they are becoming more and more mobile. You must not rely on perimeter security. I could understand a default filtered posture for firewall-equipped routers only because of the woeful state of host security today (basically IoT and Windows) but it mustn't be the end goal, because there are simply too many other ways to bypass the perimeter (like, say, that IoT stuff which builds gratu itous outbound tunnel sessions just to work properly). I appreciate that this is a radical approach, but it really is the only long-term goal. If you disagree, then put your firewall rules where your mouth is: build a state-tracking firewall that only permits outbound sessions you explicitly approve.
I said it was a whole other discussion.
_______________________________________________ Audiogames-reflector mailing list Audiogamesfirstname.lastname@example.org https://sabahattin-gucukoglu.com/cgi-bin/mailman/listinfo/audiogames-reflector