On Wed, 1 Oct 2003, Matthew Gregan wrote:

> On Wed, Sep 24, 2003 at 04:41:21PM +1200, David Zanetti wrote:
>
> > That depends on a lot of factors and exactly what you define as a
> > "packet filter" or a "firewall".
>
> Yes, and it depends what you define "NAT" as, too. Are we talking
> source NAT, destination NAT, both src and dst NAT, port address
> translation, 1:1, 1:M/M:1 or N:M translation?

99.9% of the cases where people use NAT is its address overloading form.
Not many people have spare /24s or whatever lying around to do 1:1 NAT
variants. I deliberately withheld talking about 1:1 NAT purely because if
you're in a position where it's useful, I assume you have enough clue to
recognise you'll need to firewall in addition to any NAT configuration for
the hosts involved in the 1:1 translation.

> Those who are claiming that NAT is "almost as much protection as a
> firewall" are making the assumption that we're talking the configuration
> the average home user may have; multiple machines with RFC1918 addresses
> and an Internet connected machine with a public IP address acting as a
> gateway, i.e. M:1 source address NAT aka port address translation.

Sure. But to complicate the description for the rare case of 1:1 does
nothing to help people who want to know if their common address overloaded
NAT is safe enough. We could get into semantic arguments about "safe enough"
if you want as well.

> > A stateless packet filter will provide very little protection against
> > inbound data, due to its lack of state awareness. In order for a
> > stateless filter to work, you have to allow all ephemeral ports
> > (that's ports 1024-65535) as a destination port to your address
> > because those are the ports used for the local end of the connection.
> > Remember: TCP has _two_ ports, a remote destination port and a local
> > source port.
>
> A stateless packet filter that is dropping all packets has a pretty good
> chance of stopping inbound data. But it's not very useful.

I assume, perhaps wrongly, that people would like to use their Internet
connection. Sure, a filter which drops everything in any direction is
"working", but I suspect the users on either side will have a different
perspective.

> > This works with all IP protocols, including UDP. Stateful packet
> > filters are therefore inherently less risky than stateless filters.
>
> Whereas NAT does not.

NAT does not what?

> > NAT is typically implemented as a side effect of crossing some
> > boundary. NAT requires a similar idea of connection state as a
>
> There's no "side effect". You need to deliberately configure the
> router/gateway to perform NAT.

With all due respect, I believe it's the easiest way to describe the effect
of configuring NAT without getting into the chains and where they interact
with the stack. It _feels_ like a side-effect, which is the point I was
making. Of course you need to configure it explicitly.

> > stateful filter because there needs to be some way to untranslate the
> > incoming packets. As a result, you end up with more or less the same
> > results using NAT as a stateful filter.
>
> The state table used for NAT and the state table used for stateful
> packet filtering are often combined. Not because NAT and packet
> filtering are the same, but because they both have a requirement to
> record state of packet flows.

Which is the same effect in address overloaded NAT. There's no functional
difference between the tables being maintained by connection tracking for a
non-NAT connection, and connection tracking from NAT. Both behave largely
the same.

> NAT does NOT protect the machine with the public IP address.

Never said it did. I believe the question was about protection of machines
behind the NAT point, not the point itself.
-- 
David Zanetti         | (__)   #include <geek/unix.h>
                      | ( oo   Mooooooo
http://hairy.geek.nz/ | /(_O ./
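The thread above contrasts a stateless filter, a stateful filter and address-overloading NAT. As an added illustration that is not part of the original mail, this toy Python model shows why a stateless filter must admit unsolicited packets aimed at ephemeral ports, why the stateful and NAT state tables behave alike for hosts behind the gateway, and why NAT leaves the gateway's own public address exposed. The Gateway and Packet classes, the addresses and the port numbers are all constructed assumptions, not real firewall code.

```python
from dataclasses import dataclass, replace
EPHEMERAL = range(1024, 65536)  # local-end port range the thread refers to

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Gateway:  # toy model of the three devices discussed (assumption, not real firewall code)
    def __init__(self, mode, public_ip):
        self.mode, self.public_ip = mode, public_ip  # mode: "stateless", "stateful" or "nat"
        self.flows = {}  # expected-reply 4-tuple -> inside (ip, port) for NAT, True for stateful
        self.next_port = 40000  # constructed starting port for NAT mappings

    def outbound(self, pkt):
        """Packet from an inside host towards the Internet; returns what leaves the gateway."""
        if self.mode == "stateless":
            return pkt  # nothing is remembered
        if self.mode == "stateful":
            self.flows[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = True
            return pkt
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.flows[(pkt.dst, pkt.dport, self.public_ip, pub_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=pub_port)  # address overloading

    def inbound(self, pkt):
        """Packet arriving from the Internet; returns the delivered packet or None if dropped."""
        if self.mode == "stateless":  # must admit every ephemeral port or replies never get back
            return pkt if pkt.dport in EPHEMERAL else None
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if self.mode == "stateful":
            return pkt if key in self.flows else None
        if key in self.flows:  # known mapping: untranslate back to the inside host
            inside_ip, inside_port = self.flows[key]
            return replace(pkt, dst=inside_ip, dport=inside_port)
        return pkt if pkt.dst == self.public_ip else None  # the gateway itself is not protected

def demo(mode):
    """Returns (reply_reaches_inside, probe_reaches_inside, probe_reaches_gateway)."""
    host = "192.168.1.10" if mode == "nat" else "203.0.113.10"  # constructed addresses
    gw = Gateway(mode, "203.0.113.1")
    out = gw.outbound(Packet(host, 33333, "198.51.100.7", 80))  # inside host opens a connection
    reply = gw.inbound(Packet("198.51.100.7", 80, out.src, out.sport))  # the legitimate reply
    target = gw.public_ip if mode == "nat" else host
    probe = gw.inbound(Packet("198.51.100.9", 4444, target, 5000))  # unsolicited inbound packet
    return (reply is not None and reply.dst == host,
            probe is not None and probe.dst == host,
            probe is not None and probe.dst == gw.public_ip)
```

Running demo("stateless") shows the unsolicited probe reaching the inside host, demo("stateful") and demo("nat") both drop it, and only the NAT case delivers it to the gateway's own address.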
