Posted by: Scott Wunsch
on January 27, 2004 03:26 AM
NAT does not provide security. A stateful packet filtering firewall doesn't have to do any more work than a NAT device (tracking connections), and provides exactly the same level of security as using NAT.
To put it in Linux terms, the following setup provides the same security as NAT:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j REJECT
But if you actually want to open up a port on the machine behind that firewall, it's easy. Doing so with NAT introduces extra complexity.
NAT also complicates troubleshooting. Without NAT, you can sniff the traffic at any point along the path of the packet, and you should see the same picture. If you don't see the same picture, then you know where the problem is. But with NAT, the IP addresses involved change at a certain point, and in a busy network, it becomes difficult/impossible to disentangle the traffic generated by a particular machine.
NAT also complicates tracking down the source of network abuse or other traffic that might need to be tracked. The IP address you see on the receiving end maps to many different potential sources, and the administrator of the source network likely has no way to determine which internal machine was responsible for it.
I hate NAT :-)
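The comment's two rules as a fuller ruleset, added here as an example and not part of the original comment: a stateful FORWARD chain that admits only reply traffic and outbound-initiated connections, the single extra ACCEPT that exposes one internal service in a routed (non-NAT) setup, and beside it the DNAT and MASQUERADE rules a NAT setup needs for the same result. The interface names, the inside address 192.0.2.10 and the port are assumed placeholders; the commands run through $IPT so the ruleset can be previewed with IPT=echo instead of loading it.

```shell
#!/bin/sh
# Added example (not from the original comment): stateful filtering that gives
# the same protection as NAT, plus what exposing one internal service takes either way.
# Assumed placeholders: eth0 = outside, eth1 = inside, 192.0.2.10 = inside host, port 22.
IPT="${IPT:-iptables}"            # set IPT=echo to print the rules instead of loading them
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
INSIDE_HOST="${INSIDE_HOST:-192.0.2.10}"
PORT="${PORT:-22}"

# Routed setup (no NAT): FORWARD admits only packets that belong to a connection the
# inside already opened, lets the inside start new outbound connections, and refuses
# everything else. Unsolicited inbound packets never reach the inside host.
stateful_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -m state --state NEW -j ACCEPT
    # Exposing a service is one more ACCEPT for the host's real address; nothing is rewritten.
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -d "$INSIDE_HOST" -p tcp --dport "$PORT" \
        -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -j REJECT
}

# NAT setup: the same filter, plus address rewriting in the nat table. PREROUTING DNAT
# runs before the FORWARD chain, so the FORWARD ACCEPT above must match the post-DNAT
# (internal) address; that coupling is the extra complexity the comment describes.
nat_rules() {
    stateful_rules
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$INSIDE_HOST"
}
```

Source the file and call `stateful_rules` or `nat_rules` as root to load a ruleset, or run either with IPT=echo set to review the rules first.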