Is NAT secure enough or better get a firewall?



Mr Chunder
May 18th, 2001, 07:17 AM
I've been using NAT for a while at a particular site and my ISP assured me that it is a safe method of connecting to the internet via a permanent connection.

Or would I be better off using a firewall? I cannot see much of a difference and I like the principle of NAT. Can anyone comment?

Thanks

thewitt
May 18th, 2001, 07:27 AM
Originally posted by Mr Chunder
I've been using NAT for a while at a particular site and my ISP assured me that it is a safe method of connecting to the internet via a permanent connection.

Or would I be better off using a firewall? I cannot see much of a difference and I like the principle of NAT. Can anyone comment?

Thanks

I run a NAT router as a firewall for a home network and it's invisible to the network probe tools that crackers like to use. I do not allow any incoming connections at all, so there is really no service to exploit.

You can scan your own IP address on the NAT firewall with tools like the ones at:

http://hackerwhacker.com
http://www.sdesign.com/securitytest/index.html
https://grc.com/x/ne.dll?bh0bkyd2

If you plan on having any incoming services - like running an HTTP server or anything else where you accept unsolicited incoming traffic - then put up a firewall.

-t

Mr Chunder
May 18th, 2001, 08:02 AM
Originally posted by thewitt
If you plan on having any incoming services - like running an HTTP server or anything else where you accept unsolicited incoming traffic - then put up a firewall.

-t

Thanks for the reply.

So, the essential difference between using NAT or a firewall is that firewalls can accept unsolicited traffic, whereas the nature of NAT means that a machine must receive the packet first from another machine protected by NAT before it can reply?

thewitt
May 18th, 2001, 11:16 AM
You can open up ports in most NAT routers and allow unsolicited incoming traffic to be mapped to a specific port on a specific host inside the router, but NAT does not provide any sort of filtering or control on those incoming packets - so at that time you would potentially need a firewall.

Early NAT routers did not allow any unsolicited incoming traffic and only worked to distribute response packets to the correct internal destinations - that is the source of the original request. Most now allow incoming traffic to be directed to a specific port on a specific device, but again, do not support actual firewall functions.

-t

JTY
May 18th, 2001, 09:36 PM
I use a NAT firewall from Ramp Networks, and it works like a charm. Of course NAT does have its limitations; some games don't work properly, nor do some internet apps, but there is usually some sort of workaround.

Mr Chunder
May 21st, 2001, 12:24 PM
Originally posted by JTY
Of course NAT does have its limitations; some games don't work properly, nor do some internet apps, but there is usually some sort of workaround.

I expect these types of problems are also shared with firewalls. I have heard about people that play games through NAT firewalls and they work ok. The problem, I guess, is that too many people just check IP addresses and none of the NAT information as well when uniquely identifying a host behind a NAT router.

What sort of workarounds are we talking about?


Otherwise, in conclusion, it seems that if you want to offer web services to the internet (i.e. accept unsolicited traffic), then you can use a NAT router but really a firewall should be used to filter packets.

If you just want to accept the internet yourself (or from a company network), then NAT routing is fine.

By the way, what does filtering firewall packets mean? On both solutions you have the option of switching ports on and off. If you set up a NAT router to send all unsolicited packets to, say, a web server behind the router only on port 80, then what benefit will a firewall give you? Surely the NAT router will reject attempts at opening other ports?

Thanks guys

JTY
May 21st, 2001, 10:28 PM
With most NAT firewall products, you can "punch holes" in them, e.g. direct a particular port to a particular machine.

Packet filtering is a process where packets are allowed/denied based on port and/or IP address.

Mr Chunder
May 22nd, 2001, 05:45 AM
Thanks JTY for keeping up with my annoying questions :cool:

Just a last question about packet filtering. You can still block ports on a NAT router, but you say you can "punch holes" in them. Are you saying that all firewalls do not allow "punches" and that is the difference between them?

Thanks.

thewitt
May 22nd, 2001, 07:55 AM
Here's one example of how you might use a packet filtering firewall.

A packet filtering firewall can be used to block a DoS attack. The higher end firewall will even recognize this attack for what it is and block it on its own.

A hole punched in a NAT firewall would simply allow the traffic to come through to your server. No packet filtering. No stopping the DoS attack.

A packet filtering firewall can be used to deny access to specific IP addresses you wish banned from getting to your services.

A NAT firewall generally only lets you open up traffic to come through a specific port, not make decisions on the traffic based on its content and filter accordingly.

-t
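The distinction thewitt draws in the thread, modelled as an added example (this is not code from any poster or product): a NAT router that only delivers replies to outbound connections or traffic on a statically forwarded port, beside a packet filter that can additionally refuse a source address before NAT ever sees the packet. All addresses and ports are constructed sample values, and the classes are a teaching model, not a real router or firewall.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Outbound traffic creates a translation entry; inbound traffic is
    delivered only if it matches such an entry (a reply) or a static
    port forward (a 'punched hole'). Everything else is dropped."""

    def __init__(self, public_ip, forwards=None):
        self.public_ip = public_ip
        self.forwards = forwards or {}   # public port -> (internal ip, port)
        self.table = {}                  # public port -> (internal ip, port)
        self.next_port = 40000           # constructed starting port

    def outbound(self, pkt):
        """Translate an internal host's packet; returns the packet as seen on the internet."""
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Return the (internal ip, port) a packet is delivered to, or None if dropped.
        NAT never looks at the source address: a forwarded port is open to everyone."""
        if pkt.dst_ip != self.public_ip:
            return None
        return self.table.get(pkt.dst_port) or self.forwards.get(pkt.dst_port)


class PacketFilter:
    """Drops packets from denied source addresses before handing them to NAT.
    Real firewalls filter on more than this; the point here is that NAT
    alone never makes this kind of decision."""

    def __init__(self, denied_sources):
        self.denied = set(denied_sources)

    def inbound(self, pkt, nat):
        if pkt.src_ip in self.denied:
            return None
        return nat.inbound(pkt)
```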

Mr Chunder
May 22nd, 2001, 07:59 AM
Thanks thewitt,

I now finally see the difference. :cool: