  • It isn’t going to be one or the other (if they don’t offer a 401k, then you can use IRAs), unless you just make a bad choice. An employer can contribute to a 401k and also provide a pension (mine used to but I’ve been around long enough that I get both the pension and 401k with matching) but if I had a choice, I could pick a pension for example but also put money into an IRA for retirement that would normally go to a 401k.

    If you absolutely had to pick one, it isn’t going to be the same answer for everyone. Amounts, what you’re able to contribute, matching, risks and tax situations are going to vary from person to person and their employer.

    As far as controlling your money, some 401k’s allow some extra control, some don’t but most have a middle ground except for their company stock which you can usually directly buy. If your 401k allows general different ‘markets’ and/or ‘lifecycle’ buckets (they get more conservative on investment risk the closer you get to your retirement age), it is, at the end of the day, all controlled by a broker and they are making the actual decision as to what to invest and how. Some plans may allow you to invest into individual stocks through the 401k’s brokerage though.

    At the end of the day though, if all you had was a pension offered which you aren’t going to be contributing your income to, then you should invest in some sort of retirement plan yourself, be it an IRA, money market, bonds, CDs or whatever.



  • Having a NAT on a consumer router is indeed the norm. I don’t even see how you could say it is not.

    I never said NAT = security. As a matter of fact, I even said

    It was not designed for security but coincidentally blah blah

    But hey, strawmanning didn’t stop your original comment to me either, so why stop there?

    Let me tell you: All. Modern. Routers. include a stateful firewall.

    I never even implied the opposite.

    To Linux at least, NAT is just a special kind of firewall rule called masquerade.

    Right, because masquerade is NAT…specifically Source NAT.

    I’m just going to go ahead and unsubscribe from this conversation.




  • Because, as I said:

    layer 7 firewalls for the network which are going to be where the majority of attacks are concentrated.

    The NAT doesn’t have to operate at layer 7 to be effective for this because

    coincidentally it is doing the heavy lifting for home network security because it is dropping packets from connections originating from outside the network, barring of course, forwarded ports and DMZ hosts because the router has no idea where to route them.

    The point is that the SPI firewalls are not protecting against the majority of the attacks we’ve seen for decades now from botnets and other arbitrary sources of attacks, except, perhaps targeted DDoSing which isn’t the big problem for most home networks. They must worry about having their OS’ and software exploited and owned in the background, which doesn’t get much of an assist from a router’s firewall.

    Obviously, this is however true for the NAT since the NAT is going to drop connections originating from outside the network attempting to communicate with that software to exploit it

    barring of course, forwarded ports and DMZ hosts because the router has no idea where to route them.



  • The word you are looking for is firewall not NAT.

    No, the word I’m looking for is the NAT. It was not designed for security but coincidentally it is doing the heavy lifting for home network security because it is dropping packets from connections originating from outside the network, barring of course, forwarded ports and DMZ hosts because the router has no idea where to route them.

    Consumer router firewalls are generally trash, certainly aren’t layer 7 firewalls protecting from all the SMB, printer, AD, etc etc vulnerabilities and definitely are not doing the heavy lifting.

    By and large automated attacks are not thwarted by the firewall but by the one-way NAT.
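
The behaviour these comments describe, as an added example that is not part of the original comments: a toy model of a source-NAT (masquerade) table showing why an unsolicited inbound packet has nowhere to go unless a port forward or DMZ host exists. The class, addresses and ports are constructed for illustration, and matching replies on the full remote address and port is a modeling assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

# Toy model only: all names, addresses and ports here are constructed.
@dataclass
class Nat:
    port_forwards: dict = field(default_factory=dict)  # wan_port -> (lan_ip, lan_port)
    dmz_host: Optional[str] = None                     # LAN host receiving unmatched traffic
    mappings: dict = field(default_factory=dict)       # wan_port -> (lan_ip, lan_port, remote)
    next_port: int = 40000

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection: allocate a WAN port, remember the flow."""
        wan_port = self.next_port
        self.next_port += 1
        self.mappings[wan_port] = (lan_ip, lan_port, (remote_ip, remote_port))
        return wan_port

    def inbound(self, remote_ip, remote_port, wan_port):
        """Decide what happens to a packet arriving on the WAN side."""
        flow = self.mappings.get(wan_port)
        if flow and flow[2] == (remote_ip, remote_port):
            return ("reply", flow[0], flow[1])         # belongs to a flow started inside
        if wan_port in self.port_forwards:
            return ("forward",) + self.port_forwards[wan_port]
        if self.dmz_host:
            return ("dmz", self.dmz_host, wan_port)    # DMZ host gets everything unmatched
        return ("drop", None, None)                    # no mapping: nowhere to route it

def demo():
    nat = Nat(port_forwards={8443: ("192.168.1.20", 443)})
    p = nat.outbound("192.168.1.50", 51515, "198.51.100.7", 443)
    return {
        "reply": nat.inbound("198.51.100.7", 443, p),        # answer to the LAN host's request
        "smb_probe": nat.inbound("192.0.2.99", 40000, 445),  # unsolicited probe of port 445
        "wrong_peer": nat.inbound("192.0.2.99", 443, p),     # other host hits the mapped port
        "forwarded": nat.inbound("192.0.2.99", 40000, 8443), # explicitly exposed service
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:11s} -> {verdict}")
```
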