[134890] in North American Network Operators' Group


Re: Is NAT can provide some kind of protection?

daemon@ATHENA.MIT.EDU (david raistrick)
Wed Jan 12 16:01:30 2011

Date: Wed, 12 Jan 2011 15:53:07 -0500 (EST)
From: david raistrick <drais@icantclick.org>
To: Chris Adams <cmadams@hiwaay.net>
In-Reply-To: <20110112203116.GA9385@hiwaay.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Wed, 12 Jan 2011, Chris Adams wrote:

> Yes, they do.  NAT requires a stateful firewall.  Why is that so hard to
> understand?

Um.  No.  NAT requires stateful inspection (because NAT needs to maintain 
a state table), but does not require a stateful firewall.  You can (and 
many CPE appliances do/did) have no firewall, or a stateless firewall, in 
front of NAT.


All NAT does is give you an implied deny-all-inbound rule, but doesn't, in 
and of itself, prevent someone probing open (configured by you or the 
vendor) ports that are forwarded or on the device.  Or from having 
unfettered inside access of 1 internal IP if you NAT all external ports to 
an internal IP.

--
david raistrick        http://www.netmeister.org/news/learn2quote.html
drais@icantclick.org             http://www.expita.com/nomime.html
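The distinction in the post above, as an added example that is not part of the original thread or of any vendor's code: a toy NAT device with a state table, port forwards and a "NAT all ports to one host" mapping, plus a separate stateless filter placed in front of it. All addresses, ports and the Packet/Nat/stateless_acl names are constructed for the illustration; the state check models an address-and-port-restricted NAT, which is an assumption (real NAT behaviour varies by type). The cases show that a plain NAT drops unsolicited inbound traffic only because no translation exists, delivers anything to a forwarded port or a DMZ host without question, and that even a stateless ACL in front changes the outcome for the forwarded port.

```python
"""
Toy model of a NAT device that is not a firewall (added example).

Cases modelled, following the NANOG post:
  1. Return traffic for an inside-initiated connection passes via the state table.
  2. An unsolicited inbound packet with no state and no forward is dropped
     (the "implied deny-all-inbound").
  3. A port forward ("configured by you or the vendor") is reachable from outside.
  4. A stateless ACL in front of the NAT can still block that forward.
  5. Mapping all external ports to one internal IP exposes that host completely.
All addresses and ports below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class Nat:
    public_ip: str
    forwards: dict = field(default_factory=dict)          # ext_port -> (int_ip, int_port)
    dmz_host: Optional[str] = None                       # "NAT all external ports" target
    state: dict = field(default_factory=dict)             # (proto, ext_port) -> mapping
    next_port: int = field(default=40000, init=False)     # next ephemeral external port

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside->outside packet and record the mapping (the
        'stateful inspection' NAT cannot work without)."""
        ext_port = self.next_port
        self.next_port += 1
        self.state[(pkt.proto, ext_port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, ext_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as delivered inside, or None if it is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = (pkt.proto, pkt.dst_port)
        if key in self.state:
            int_ip, int_port, remote_ip, remote_port = self.state[key]
            # Assumption: only the recorded remote endpoint may use this mapping.
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port, pkt.proto)
            return None
        if pkt.dst_port in self.forwards:
            int_ip, int_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port, pkt.proto)
        if self.dmz_host:
            # Every external port lands on the DMZ host, unfiltered.
            return Packet(pkt.src_ip, pkt.src_port, self.dmz_host, pkt.dst_port, pkt.proto)
        return None  # implied deny: no translation exists for this packet


def stateless_acl(rules, pkt: Packet) -> bool:
    """Stateless filter in front of the NAT: first matching rule wins, default
    permit (as many old CPE boxes shipped). It sees only the packet, no state."""
    for action, proto, dst_port in rules:
        if proto in (pkt.proto, "any") and dst_port in (pkt.dst_port, "any"):
            return action == "permit"
    return True


def scenario() -> dict:
    """Run the five cases; map each to the inside (ip, port) reached, or None."""
    nat = Nat(public_ip="203.0.113.10", forwards={2222: ("192.168.1.20", 22)})
    out = nat.outbound(Packet("192.168.1.5", 51000, "198.51.100.7", 443))
    reply = Packet("198.51.100.7", 443, nat.public_ip, out.src_port)      # case 1
    spoof = Packet("198.51.100.99", 443, nat.public_ip, out.src_port)     # wrong peer
    probe_closed = Packet("198.51.100.99", 40001, nat.public_ip, 3389)    # case 2
    probe_fwd = Packet("198.51.100.99", 40002, nat.public_ip, 2222)       # case 3
    acl = [("deny", "tcp", 2222)]                                          # case 4
    dmz = Nat(public_ip="203.0.113.11", dmz_host="192.168.1.30")           # case 5
    results = {
        "reply": nat.inbound(reply),
        "spoof": nat.inbound(spoof),
        "closed": nat.inbound(probe_closed),
        "forwarded": nat.inbound(probe_fwd),
        "forwarded_with_acl": nat.inbound(probe_fwd) if stateless_acl(acl, probe_fwd) else None,
        "dmz": dmz.inbound(Packet("198.51.100.99", 40003, dmz.public_ip, 445)),
    }
    return {k: ((v.dst_ip, v.dst_port) if v else None) for k, v in results.items()}


if __name__ == "__main__":
    for case, dest in scenario().items():
        print(f"{case:20s} -> {dest}")
```

Running `scenario()` shows the forwarded port and the DMZ host reached from outside with no state involved, while the same forwarded probe is stopped by the stateless ACL; the only packets the NAT itself refuses are those with no matching translation.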