nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Is NAT can provide some kind of protection?

From: Scott Helms <khelms () ispalliance net>
Date: Wed, 12 Jan 2011 16:05:42 -0500



That's simply not true. Every end user running NAT is running a stateful firewall with a default inbound deny.
Really? I just tested this with 8 different router models from 5 different manufacturers and in all cases the default behavior was the same. Put a public IP on a PC behind the router, tell the router how to connect (DHCP in this case), and leaving everything else as default meant that all traffic to the public IP was allowed through unless I configured rules. One of the Netgear models (IIRC) did block ICMP but any TCP or UDP traffic was allowed through. Now, this certainly isn't an exhaustive test, but it tested the devices we needed checked. If someone knows of a model that does block incoming (non-established TCP) traffic by default I'd like to know about it. That's especially true of combo DSL modem routers. 


--
Scott Helms
Vice President of Technology
ISP Alliance, Inc. DBA ZCorum
(678) 507-5000
--------------------------------
Looking for hand-selected news, views and
tips for independent broadband providers?

Follow us on Twitter! http://twitter.com/ZCorum
--------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: