Is NAT can provide some kind of protection?

Owen DeLong owen at
Wed Jan 12 15:24:14 CST 2011

On Jan 12, 2011, at 1:05 PM, Scott Helms wrote:

>> That's simply not true. Every end user running NAT is running a stateful firewall with a default inbound deny.
> Really?  I just tested this with 8 different router models from 5 different manufacturers and in all cases the default behavior was the same.  Put a public IP on a PC behind the router, tell the router how to connect (DHCP in this case), and leaving everything else as default meant that all traffic to the public IP was allowed through unless I configured rules.  One of the Netgear models (IIRC) did block ICMP but any TCP or UDP traffic was allowed through.  Now, this certainly isn't an exhaustive test, but it tested the devices we needed checked.  If someone knows of a model that does block incoming (non-established TCP) traffic by default I'd like to know about it.  That's especially true of combo DSL modem routers.
It may be that the default behavior of the models you tested is to turn off the stateful firewall if there's a public
inside address, but, the same code that does the stateful inspection for NAT can do it without NAT if the
vendor chooses.

I suspect that the vendors chose to automatically disable stateful inspection to avoid tech support calls from
ignorant users with public IPs that didn't understand why their packets weren't getting through.


More information about the NANOG mailing list