Is NAT can provide some kind of protection?

Scott Helms khelms at
Wed Jan 12 15:05:42 CST 2011

> That's simply not true. Every end user running NAT is running a stateful firewall with a default inbound deny.

Really?  I just tested this with 8 different router models from 5 
different manufacturers and in all cases the default behavior was the 
same.  Put a public IP on a PC behind the router, tell the router how to 
connect (DHCP in this case), and leaving everything else as default 
meant that all traffic to the public IP was allowed through unless I 
configured rules.  One of the Netgear models (IIRC) did block ICMP but 
any TCP or UDP traffic was allowed through.  Now, this certainly isn't 
an exhaustive test, but it tested the devices we needed checked.  If 
someone knows of a model that does block incoming (non-established TCP) 
traffic by default I'd like to know about it.  That's especially true of 
combo DSL modem routers.

Scott Helms
Vice President of Technology
ISP Alliance, Inc. DBA ZCorum
(678) 507-5000
Looking for hand-selected news, views and
tips for independent broadband providers?

Follow us on Twitter!

More information about the NANOG mailing list