NAT as a firewall

security networking hacking firewall nat

With NAT, IP addresses in the internal network are not routable from the external one; the comparison with a firewall is not completely correct, because a firewall filters network traffic which, ordinarily, should be able to flow through it; NAT reshapes traffic that ordinarily shouldn't be able to flow that way, allowing it to flow under some specific rules.

A firewall guards a door that would be otherwise open.
A NAT opens a door where there isn't one.

With a firewall you could allow all traffic from the external network to the internal protected one; with a NAT you couldn't, even if you wished.

They're two totally different things, even if they're often confused; as far as security is concerned, a private-IP network behind a NAT is actually more secure than a public-IP network behind a firewall.

Update to respond to your example

That's exactly what I was talking about; in your case, 192.168.1.50 isn't addressable from the outside, so there's absolutely no way it can be accessed, unless you explicitely forward some external IP/port to it.


By default, a simple NAT would drop or reject any incoming connection to a non-mapped port. That by itself is the first and most important feature of a firewall. So yes, a NAT works as a limited firewall.

But there are two important limitations:

  1. By default, a NAT doesn't block any outgoing connection, so you're vulnerable to any kind of infection that gets inside somehow. The simplest example is a malicious webpage or email attachment. In many cases, these malware include very limited code in the first load, and need some 'assistance' from the outside. If you have a firewall with tight restrictions, it could block that step, stopping or slowing the damage.

    • A NAT's primary function is to facilitate connection, not to block it. Therefore it's usually desirable to offer some way to circumvent the inherent NAT limitation on incoming connections. UPnP, STUN, Teredo, SOCKS, etc. all make possible for a machine in your network to ask for incoming connections. A NAT that doesn't make them possible is seen as overly and needlessly restrictive; so the 'ideal' scenario is one where the NAT allows easy 'hole punching' and a proper firewall allows the administrator to apply policies.

Related

fast VNC server on Linux
Please help me add to this script to get server hardware info
Performance Benefits of Adding a Second Network
Don't use htpasswd if coming from local host
Is there a way for elegant source code listings in OpenOffice.org Writer?
Is there a way to export Word styles as CSS?
VIM - leaves .swp files after crash
git fetch: how to ignore new branches
Can I set the umask on a specific directory?
Is there a speed difference between transferring files over FTP and Samba?
Remote desktop to Win2k3 server starts new session
I've got RAM everywhere. How do I identify it?