Is NAT can provide some kind of protection?

Lamar Owen lowen at pari.edu
Thu Jan 13 19:28:15 UTC 2011


On Wednesday, January 12, 2011 12:01:27 pm George Bonser wrote:
> With v4 PAT, you can not
> be sure which address/port on the external IP maps to which address/port
> on the inside IP at any given moment and PAT is stateful in that an
> outbound packet is required to start the mapping.  

On Cisco at least you can set up static PAT rules and have multiple internal hosts on a single external IP address with static NATting.  I've done this in the past, where a webcam application we were using absolutely insisted on binding port 80, and on another host the control application we were using also absolutely insisted on binding port 80, but, for several purposes, we wanted a single external address, so I set up an extendable NAT rule for port 80 on the external IP address to map to the webcam box's port 80, and port 8080 on the external IP address to map to the control application's port 80.  Worked fine.  But that wasn't for security, unless you consider that hiding the unused ports on those two machines is security.  Since then we've found that a lot of firewalls blocked the connection to port 8080, and we had to have the developer restructure the app to handle being on two IP addresses, which was nontrivial thanks to cross-site-scripting blockers.

Even my old Linksys WRT54G has 'port forwarding' rules that do static PAT.

> NAT66 is just
> straight static NAT that maps one prefix to a different prefix.

I'm sure that PAT is on the horizon, simply for plumbing purposes to connect the gozinta to the gozouta where weird application requirements are found (having two applications and javascripts on a single page that access two different backend servers gets blocked by some cross-site scripting 'protections' and thus having the second connection muxed onto the same address can alleviate this).  Also, round-robin stateful PAT can be thought of as poor man's load balancing, and has been used in that use case.

And there is the straight NAT non-BGP multihoming use case.  But that's also not for security, but for availability.  

If you wanted IPv6 PAT *now* you could contribute to the MAP66 project and write your own PAT66 (map66.sourceforge.net).  But it will be provided by someone; since when have technical issues alone ever kept a feature from being implemented? 
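As an added example (not from the original post or from Cisco's documentation), here is what the static "extendable" PAT arrangement described above looks like in Cisco IOS: two inside hosts both bound to TCP/80, reachable through one external address on ports 80 and 8080. All addresses and interface names are constructed; the access list is included to make the point that any filtering comes from it, not from the translation.

```cisco
! Constructed example: outside interface holding the single public address
interface GigabitEthernet0/0
 description outside (constructed address)
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
 ip access-group FROM-OUTSIDE in
!
! Constructed example: inside interface facing the two servers
interface GigabitEthernet0/1
 description inside (constructed address)
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! Static PAT: same global address, two different global ports.
! 'extendable' lets several static entries share one global IP.
! 192.168.10.20 = webcam box, 192.168.10.30 = control application (constructed)
ip nat inside source static tcp 192.168.10.20 80 203.0.113.10 80 extendable
ip nat inside source static tcp 192.168.10.30 80 203.0.113.10 8080 extendable
!
! The translation only decides where a packet goes; this ACL decides
! whether it is allowed in at all. Without it, anything sent to the two
! mapped ports is forwarded, and the other ports are merely unmapped.
ip access-list extended FROM-OUTSIDE
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 8080
 deny ip any any log
```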
