Is NAT can provide some kind of protection?
david raistrick
drais at icantclick.org
Wed Jan 12 20:53:07 UTC 2011

On Wed, 12 Jan 2011, Chris Adams wrote:

> Yes, they do. NAT requires a stateful firewall. Why is that so hard to
> understand?

Um. No. NAT requires stateful inspection (because NAT needs to maintain
a state table), but does not require a stateful firewall. You can (and
many CPE appliances do/did) have no firewall, or stateless firewall in
front of NAT.

All NAT does is give you an implied deny-all-inbound rule, but doesn't, in
and of itself, prevent someone probing open (configured by you or the
vendor) ports that are forwarded or on the device. Or from having
unfettered inside access of 1 internal IP if you NAT all external ports to
an internal IP.

--
david raistrick http://www.netmeister.org/news/learn2quote.html
drais at icantclick.org http://www.expita.com/nomime.html
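
The distinction drawn in the message above, as an added example that is not part of the original post: a toy Python model of a NAPT device that keeps translation state but has no filter rules, probed with unsolicited inbound traffic under three configurations. The `Nat` class, its fields, and every address are constructed for illustration; matching replies on the exact remote endpoint is a modeling assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Nat:
    """Toy NAPT device (hypothetical model): translation state only, no filter rules."""
    public_ip: str
    forwards: dict = field(default_factory=dict)  # (proto, public_port) -> (inside_ip, inside_port)
    dmz_host: Optional[str] = None                # all external ports mapped to one inside IP
    state: dict = field(default_factory=dict)     # (proto, public_port) -> (inside, remote)
    next_port: int = 40000

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Inside host opens a flow; the NAT allocates a public port and records state."""
        port = self.next_port
        self.next_port += 1
        self.state[(proto, port)] = ((src_ip, src_port), (dst_ip, dst_port))
        return port

    def inbound(self, proto, src_ip, src_port, dst_port):
        """Return (inside_ip, inside_port, reason), or None when nothing translates."""
        entry = self.state.get((proto, dst_port))
        if entry and entry[1] == (src_ip, src_port):
            return (*entry[0], "reply to tracked flow")
        if (proto, dst_port) in self.forwards:
            return (*self.forwards[(proto, dst_port)], "static port forward")
        if self.dmz_host:
            return (self.dmz_host, dst_port, "all-ports mapping")
        return None  # the implied deny-all-inbound: no translation, so no delivery

def probe(nat, ports, outside=("203.0.113.50", 55555)):
    """Send unsolicited inbound TCP from a constructed outside address to each port."""
    return {p: nat.inbound("tcp", outside[0], outside[1], p) for p in ports}

# Constructed sample configurations (documentation address ranges).
PORTS = [22, 80, 3389, 40000]
plain = Nat("198.51.100.1")
PLAIN_PORT = plain.outbound("tcp", "192.168.1.10", 51000, "192.0.2.80", 443)
forwarded = Nat("198.51.100.1", forwards={("tcp", 3389): ("192.168.1.20", 3389)})
dmz = Nat("198.51.100.1", dmz_host="192.168.1.30")

if __name__ == "__main__":
    for name, nat in (("plain", plain), ("forwarded", forwarded), ("dmz", dmz)):
        print(name, probe(nat, PORTS))
```

In all three cases the state table behaves identically; what reaches the inside depends only on the forwarding configuration, which is where a separate filtering policy would have to apply.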