On Oct 26, 2015, at 11:34, Alec Muffett <alecm@fb.com> wrote:
Of course. All the cases where you set up a hidden service
exactly because your host is behing a NAT.
Like the webcam raspi I'm just booting up.

We run our tor daemons in a enclave network which can only connect outbound to the Internet, or backwards into infrastructure.

Also, it's probably wise to point out that NAT-punching (and/or SOCKS-punching outbound) reduces cost of HS adoption for organisations that don't want to rejig their network architecture to permit "yet another listener"; it's an attractive proposition to say "it only connects outbound and rendezvouses (sic?) in the middle of the tor cloud" #ohThatsOkayThenNoFirewallChanges