[134902] in North American Network Operators' Group
Re: Is NAT can provide some kind of protection?
daemon@ATHENA.MIT.EDU (Owen DeLong)
Wed Jan 12 16:33:13 2011
From: Owen DeLong <owen@delong.com>
In-Reply-To: <4D2E17A6.4090708@ispalliance.net>
Date: Wed, 12 Jan 2011 13:24:14 -0800
To: Scott Helms <khelms@ispalliance.net>
Cc: nanog@nanog.org
On Jan 12, 2011, at 1:05 PM, Scott Helms wrote:
>
>>
>> That's simply not true. Every end user running NAT is running a stateful firewall with a default inbound deny.
>
> Really? I just tested this with 8 different router models from 5 different manufacturers and in all cases the default behavior was the same. Put a public IP on a PC behind the router, tell the router how to connect (DHCP in this case), and leaving everything else as default meant that all traffic to the public IP was allowed through unless I configured rules. One of the Netgear models (IIRC) did block ICMP but any TCP or UDP traffic was allowed through. Now, this certainly isn't an exhaustive test, but it tested the devices we needed checked. If someone knows of a model that does block incoming (non-established TCP) traffic by default I'd like to know about it. That's especially true of combo DSL modem routers.
>
It may be that the default behavior of the models you tested is to turn off the stateful firewall if there's a public inside address, but the same code that does the stateful inspection for NAT can do it without NAT if the vendor chooses.

I suspect that the vendors chose to automatically disable stateful inspection to avoid tech support calls from ignorant users with public IPs that didn't understand why their packets weren't getting through.
Owen
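As an added illustration of the point Owen makes (this ruleset is not from the thread or from any of the vendors discussed): a Linux/nftables forwarding policy for a CPE router whose LAN hosts carry public addresses. It does stateful default-inbound-deny with no NAT table at all; the interface names wan0 and lan0 are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the mailing-list thread.
# Stateful "default inbound deny" for a router that forwards public
# addresses to its LAN side. There is deliberately no "nat" table:
# connection tracking alone provides the inbound protection that is
# often (wrongly) credited to NAT.
# Interface names are assumed: wan0 = upstream, lan0 = customer LAN.

flush ruleset

table inet cpe_filter {
    chain forward {
        # The behaviour observed on the tested routers corresponds to
        # "policy accept" with no ct rules below; "policy drop" is the
        # stateful default-deny that NAT-capable code can apply just as
        # well when no address translation is configured.
        type filter hook forward priority 0; policy drop;

        # Replies to connections the LAN hosts opened themselves.
        ct state established,related accept

        # Packets conntrack cannot associate with any known flow.
        ct state invalid drop

        # Anything that originates on the LAN side may go out.
        iifname "lan0" oifname "wan0" accept

        # Explicit pinholes for unsolicited inbound traffic go here.
        # Keeping the public LAN hosts pingable is the only one enabled.
        iifname "wan0" ip protocol icmp icmp type echo-request accept
        iifname "wan0" ip6 nexthdr icmpv6 icmpv6 type echo-request accept

        # Everything else arriving from wan0 toward the public LAN
        # addresses falls through to the chain policy and is dropped.
    }
}
```

Loading this with `nft -f` on a router leaves every LAN host reachable only for flows it initiated plus the two ICMP echo pinholes, which is the same outcome Scott was looking for and did not find in the vendors' defaults.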