Is NAT can provide some kind of protection?

Valdis.Kletnieks at Valdis.Kletnieks at
Wed Jan 12 11:16:27 CST 2011

On Wed, 12 Jan 2011 12:04:01 EST, William Herrin said:

> In a client (rather than server) scenario, the picture is different.
> Depending on the specific "NAT" technology in use, the firewall may be
> incapable of selecting a target for unsolicited communications inbound
> from the public Internet. In fact, it may be theoretically impossible
> for it to do so. In those scenarios, the presence of NAT in the
> equation makes a large class of direct attacks on the interior host
> impractical, requiring the attacker to fall back on other methods like
> attempting to breach the firewall itself or indirectly polluting the
> responses to communication initiated by the internal host.

Note that the presence of a firewall with a 'default deny' rule for inbound
packets provides the same level of impracticality. And given the fact that
Windows has had a reasonably sane host-based firewall since XP SP2, and the
truly huge number of compromised PCs that sit behind a NAT on a DSL or
cablemodem, it's pretty obvious that the presence of NAT is doing approximately
*zero* to actually slow down the miscreants.

140 million compromised PCs, most of them behind a NAT, can't be wrong. :)
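A small model of the comparison made in this thread, added here as an illustration and not part of either poster's message: the same three packets are run through a non-translating stateful firewall with default-deny inbound and through a port-translating NAT. The class names, the documentation-range addresses and the choice of a NAPT with address-and-port-dependent filtering are assumptions of the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)

@dataclass
class StatefulFirewall:
    """Default-deny inbound, no address translation (hypothetical model)."""
    flows: set = field(default_factory=set)

    def outbound(self, pkt):
        self.flows.add((pkt.src, pkt.dst))  # remember the flow the inside host opened
        return pkt

    def inbound(self, pkt):
        # Accept only replies to a recorded flow; everything else is dropped.
        return pkt if (pkt.dst, pkt.src) in self.flows else None

@dataclass
class Napt:
    """Port-translating NAT with address-and-port-dependent filtering (hypothetical model)."""
    public_ip: str
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # (public_port, remote) -> inside endpoint

    def outbound(self, pkt):
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[(port, pkt.dst)] = pkt.src
        return Packet((self.public_ip, port), pkt.dst)

    def inbound(self, pkt):
        # No matching mapping means there is no inside target to select.
        inside = self.table.get((pkt.dst[1], pkt.src))
        return Packet(pkt.src, inside) if inside else None

def run(device, inside):
    """Open one flow, then offer the device a genuine reply and an unsolicited packet."""
    server, stranger = ("203.0.113.80", 443), ("192.0.2.66", 40000)  # constructed addresses
    sent = device.outbound(Packet(inside, server))
    reply = device.inbound(Packet(server, sent.src))
    probe = device.inbound(Packet(stranger, sent.src))
    return {"reply_delivered_to": reply.dst if reply else None,
            "unsolicited_accepted": probe is not None}

if __name__ == "__main__":
    print("firewall:", run(StatefulFirewall(), ("198.51.100.10", 50000)))
    print("napt:    ", run(Napt("198.51.100.1"), ("10.0.0.5", 50000)))
```

Both devices deliver the reply and drop the unsolicited packet; the model covers only direct inbound packets, not the other methods mentioned in the quoted text.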

More information about the NANOG mailing list