Firewall Wizards mailing list archives

Re: NAT on router vs. firewall


From: Bill_Royds () pch gc ca
Date: Wed, 15 Jul 1998 10:17:34 -0400

How would you implement rules on firewall based on source address or
destination address? The firewall would only see the NAT versions of IP
numbers so would not have any basis other than port to filter.

 Yes, the firewall only needs to see NAT'd addresses, but usually you
have a one to one mapping for destination addresses inside your
network, therefore you can apply rules just as tightly.  For traffic
coming in from outside (e.g. the internet) usually you're not going to
know the source address anyway, so I find it easier to translate these
to a pool of NAT'd addresses so that the firewall then knows that
anything coming in from 40.10.10.x (say) is actually an Internet
address.

 Neil Pike MVP/MCSE
 Protech Computing Ltd

What do you do for a service that you want to limit to a known set of
source IP numbers?
You would have to have your router have a number of filter rules on input
IP which eventually makes your router an inefficient secondary firewall.
 I know that dedicated hackers can spoof source IP numbers but a casual
cracker has more difficulty so filtering on source IP (which a firewall can
do more readily than a router) raises the bar to attacks. One has to fake a
source IP, fake the sequence numbers, capture replies ..., rather than just
call the router with a session.
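The trade-off argued above, as an added model written for this archive page (not code from either poster): a router that NATs before the firewall maps the destination one-to-one but replaces every outside source with the next address of an inbound pool (the 40.10.10.x pool from Neil's mail), so a "partner-only" rule for a service can never match, and the only rule left admits any Internet host. Partner and server addresses are constructed RFC 5737 values; the round-robin pool and port 22 are assumptions.

```python
import ipaddress

# Constructed example values (RFC 5737 documentation ranges), not taken from the thread.
PARTNER_NET = ipaddress.ip_network("198.51.100.0/24")  # sources allowed to reach the service
PUBLIC_SERVER, INTERNAL_SERVER = "203.0.113.10", "10.0.0.10"  # one-to-one destination mapping
INBOUND_POOL = ipaddress.ip_network("40.10.10.0/24")   # pool used for Internet sources (as in the thread)
SERVICE_PORT = 22                                      # assumed service port


class PoolNat:
    """Models a router that NATs before the firewall: destination mapped one-to-one,
    source replaced by the next address of the inbound pool (assumed round-robin)."""
    def __init__(self):
        self.hosts = [str(h) for h in INBOUND_POOL.hosts()]
        self.slot = 0

    def inbound(self, src, dst):
        pool_src = self.hosts[self.slot % len(self.hosts)]
        self.slot += 1
        new_dst = INTERNAL_SERVER if dst == PUBLIC_SERVER else dst
        return pool_src, new_dst


def partner_only_rule(src, dst, dport):
    """Firewall rule: SERVICE_PORT on the server only from PARTNER_NET."""
    return (ipaddress.ip_address(src) in PARTNER_NET
            and dst in (PUBLIC_SERVER, INTERNAL_SERVER) and dport == SERVICE_PORT)


def pool_rule(src, dst, dport):
    """The only rule that can still match once sources are pooled: 'any Internet host'."""
    return (ipaddress.ip_address(src) in INBOUND_POOL
            and dst == INTERNAL_SERVER and dport == SERVICE_PORT)


def filter_then_nat(src, dst, dport):
    """Firewall in front of the router: rules see the real source address."""
    return partner_only_rule(src, dst, dport)


def nat_then_filter(src, dst, dport, nat):
    """Router NATs first: the firewall sees only a pool address as source,
    so the partner rule fails and only the coarse pool rule matches."""
    src, dst = nat.inbound(src, dst)
    return {"partner_rule": partner_only_rule(src, dst, dport),
            "pool_rule": pool_rule(src, dst, dport)}


if __name__ == "__main__":
    nat = PoolNat()
    for who, src in (("partner", "198.51.100.5"), ("stranger", "192.0.2.7")):
        print(who, filter_then_nat(src, PUBLIC_SERVER, 22), nat_then_filter(src, PUBLIC_SERVER, 22, nat))
```

With the firewall first, the partner is allowed and the stranger is not; with NAT first, both arrive as 40.10.10.x and the firewall cannot tell them apart.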