nanog mailing list archives
Re: Is NAT can provide some kind of protection?
From: Lamar Owen <lowen () pari edu>
Date: Thu, 13 Jan 2011 17:14:20 -0500
On Thursday, January 13, 2011 04:32:17 pm Owen DeLong wrote:
No match, no rewrite, no forward.
This is what you're missing; 'no rewrite' does not mean 'no forward'. Non-rewritten packets along with the rewritten *are* forwarded to routing; in a firewall they're not forwarded to routing. What routing does with either packet isn't the NAT's concern. The clever network engineer can take advantage of this to do things with NAT that are difficult to do with firewalls. Now, policy routing can do the same things that NAT can do in this context, without the packet header munging. But if you're already needing to do the translation, NAT kills two birds with one stone. But, you are correct in that most folks lump the words 'NAT' and 'firewall' into the same process, when they are not. I do look forward to the day when NAT will not be necessary for any reason; route-maps and policy routing are more easily understood and just as powerful for the type of packet redirection that NAT enables, with its twist. (route-maps can be the source of the NAT translation, for that matter, in Cisco IOS NAT past a fairly old IOS version). Policy routing doesn't break protocols, either. But policy routing isn't firewalling, any more than NAT is. Even if the route-map points to a next hop of Null0. :-)
Current thread:
- Re: Is NAT can provide some kind of protection?, (continued)
- Re: Is NAT can provide some kind of protection? Jack Bates (Jan 12)
- Re: Is NAT can provide some kind of protection? Miquel van Smoorenburg (Jan 12)
- Re: Is NAT can provide some kind of protection? Scott Helms (Jan 12)
- Re: Is NAT can provide some kind of protection? Owen DeLong (Jan 12)
- Re: Is NAT can provide some kind of protection? Scott Helms (Jan 12)
- Re: Is NAT can provide some kind of protection? Jack Bates (Jan 12)
- Re: Is NAT can provide some kind of protection? Valdis . Kletnieks (Jan 12)
- Re: Is NAT can provide some kind of protection? Owen DeLong (Jan 12)
- Re: Is NAT can provide some kind of protection? Lamar Owen (Jan 13)
- Re: Is NAT can provide some kind of protection? Owen DeLong (Jan 13)
- Re: Is NAT can provide some kind of protection? Lamar Owen (Jan 13)
- Re: Is NAT can provide some kind of protection? Valdis . Kletnieks (Jan 12)
- Re: Is NAT can provide some kind of protection? Paul Ferguson (Jan 12)
- Re: Is NAT can provide some kind of protection? Jeff Kell (Jan 12)
- Re: Is NAT can provide some kind of protection? Valdis . Kletnieks (Jan 12)
- Re: Is NAT can provide some kind of protection? Paul Ferguson (Jan 12)
- Re: Is NAT can provide some kind of protection? Justin Scott (Jan 12)
- Re: Is NAT can provide some kind of protection? Dobbins, Roland (Jan 12)