So we've known about this for years, but does anyone actually rely on this behavior in production, or are we all still pretending that this clever hack could be patched out of existence any day now?
It clearly works. It's worked for a long time. But the common opinion still seems to be "well, this isn't supposed to work, so using it is a bit dodgy..."
Well, you need just one NAT to be cooperative, like a full cone. There's enough legitimate interest in NAT traversal that big NAT deployments like CGNATs tend to cooperate.
Traversing non-cooperative, fully symmetric NATs, which randomize ports, is hard enough also for pwnat. Though in theory it should be doable: you just need a lot of patience to brute-force ports (there's only 64k of them) until it finally clicks.
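An added toy model of the brute-force scenario described in the comment above (this is illustration code written for this page, not pwnat's code and not the commenter's). It assumes the symmetric NAT draws each new external port uniformly from the 64512-port ephemeral range and never reuses one during the attempt, and that the probing peer can send to any port. It goes one step beyond the comment: besides the one-socket case (expect about half the range to be probed on average), it shows the birthday-style variant where the symmetric side opens many sockets at once, which is what makes the search tractable in practice.

```python
"""Toy model of brute-forcing a port-randomizing symmetric NAT.

Constructed example, not pwnat code. Assumptions: the NAT picks every new
external port uniformly from a fixed range, does not reuse a port during the
attempt, and the probing side may send to any port in that range.
"""
from __future__ import annotations

import random

N_PORTS = 64512  # assumed ephemeral range 1024..65535


def open_mappings(k: int, rng: random.Random) -> set[int]:
    """The host behind the symmetric NAT opens k sockets; the NAT hands each
    one an unpredictable external port (modelled as distinct random draws)."""
    return set(rng.sample(range(N_PORTS), k))


def probes_until_hit(k: int, budget: int, rng: random.Random) -> int | None:
    """The peer probes distinct random ports until one lands on a mapping.
    Returns the number of probes spent, or None if the budget runs out."""
    mapped = open_mappings(k, rng)
    for i, port in enumerate(rng.sample(range(N_PORTS), budget), start=1):
        if port in mapped:
            return i
    return None


def hit_probability(k: int, budget: int, n: int = N_PORTS) -> float:
    """Exact probability that `budget` distinct probes hit at least one of the
    k mapped ports: 1 - C(n-k, budget) / C(n, budget), computed as a product."""
    miss = 1.0
    for i in range(budget):
        miss *= (n - k - i) / (n - i)
    return 1.0 - miss


def estimate_hit_rate(k: int, budget: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of hit_probability with a fixed seed."""
    rng = random.Random(seed)
    hits = sum(probes_until_hit(k, budget, rng) is not None for _ in range(trials))
    return hits / trials


def mean_probes_single_mapping(trials: int, seed: int = 1) -> float:
    """Average probes needed when only one port is mapped and the peer may
    sweep the whole range: roughly N_PORTS / 2."""
    rng = random.Random(seed)
    return sum(probes_until_hit(1, N_PORTS, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    print("one mapping, exhaustive sweep, mean probes:", mean_probes_single_mapping(20))
    # Birthday variant: 256 sockets open behind the symmetric NAT, 256 probes.
    print("256 x 256 exact:", round(hit_probability(256, 256), 3),
          "simulated:", estimate_hit_rate(256, 256, 2000))
```

The one-socket case is the comment's "patience" scenario: a single mapping among 64k ports costs on average about 32k probes, and every probe is a packet the NAT may also count against you. Opening 256 sockets on the symmetric side and sending 256 probes from the peer gives roughly a 64% chance of a hit per round under these assumptions, which is why practical traversal tools attack the problem from both ends rather than sweeping the port space from one side.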
Um, no?
https://github.com/samyk/pwnat