TransACT Cable Router
Robert.Edwards at anu.edu.au
Wed Apr 2 09:20:19 EST 2003
On Tue, 1 Apr 2003 11:27 am, Dale Shaw wrote:
> I don't know about the Netgear RT314 but the Linksys model doesn't
> appear to include fully fledged firewalling capabilities. It says it
> provides firewalling via NAT, but NAT in itself only provides security
> by obscurity. It's not clear whether or not it would protect in any way
> an 'inside' host with an active translation from attacks on the
> Example: Inside host 192.168.0.1 makes a connection through the gateway
> and is translated into the xDSL interface's IP address, 18.104.22.168. Is
> the router going to stop someone connecting to an arbitrary port on
> 22.214.171.124, or will it simply pass it back through to the originating
> host? Sure, you can't directly target the inside host because its
> address isn't routeable on the Internet, but if the router is only doing
> NAT (or more accurately in this case, PAT or N-PAT) and not some form of
> packet filtering (stateful or not), you'll need to protect yourself with
> some host-based firewalling.
I'm not sure how the Netgear RT314 implements NAT (and I'm not sure what you
mean by PAT etc.) but in normal NAT/IP-Masquerading, the router performs the
reverse translation (for incoming packets) based on the entire 4-tuple of the
connection (if it is TCP etc.) or similar for UDP. That is, it will take into
account the IP address of the external (publicly accessible) host in
performing the reverse translation.
This means that your inside machine is only susceptible on the one port that is
open (or more than one, if you have multiple connections running) from the
one external IP address you connected to.
I agree that there is a lot of firewall functionality that this doesn't
include, but NAT itself will stop all manner of port-scanning style attacks.
More information about the linux
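The behaviour discussed in the reply above, as an added example that is not part of the original thread: a toy masquerading table that reverse-translates an inbound packet only when the full 4-tuple matches (the Linux IP-masquerading behaviour described), placed beside a port-only policy that forwards anything arriving on the mapped public port. All addresses, ports and the `Nat`, `Packet` and `scenario` names are constructed for this illustration; nothing here is taken from the Netgear or Linksys firmware.

```python
"""Toy NAT/masquerading table: 4-tuple lookup vs port-only lookup.

Added example, not from the original mailing-list thread. Addresses and
ports are constructed sample values (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.10"   # constructed: the router's external address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Simplified outbound NAT with two reverse-translation policies.

    mode="4tuple": an inbound packet is reverse-translated only if its
    source (ip, port) is the external endpoint the inside host talked to.
    mode="port_only": any inbound packet to a mapped public port is
    reverse-translated, whoever sent it (endpoint-independent mapping).
    """

    def __init__(self, mode: str = "4tuple") -> None:
        assert mode in ("4tuple", "port_only")
        self.mode = mode
        self.next_port = 40000
        # (inside_ip, inside_port, remote_ip, remote_port) -> public port
        self.outbound: Dict[Tuple[str, int, str, int], int] = {}
        # public port -> (inside_ip, inside_port, remote_ip, remote_port)
        self.inbound: Dict[int, Tuple[str, int, str, int]] = {}

    def translate_out(self, pkt: Packet) -> Packet:
        """Masquerade an outbound packet, allocating a public port if needed."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return Packet(PUBLIC_IP, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as delivered to the inside host, or None if dropped."""
        if pkt.dst_ip != PUBLIC_IP:
            return None
        entry = self.inbound.get(pkt.dst_port)
        if entry is None:
            return None  # no mapping for this public port at all
        in_ip, in_port, remote_ip, remote_port = entry
        if self.mode == "4tuple" and (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # unsolicited: a different external endpoint
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)


def scenario(mode: str) -> Dict[str, bool]:
    """Inside host opens one connection; then see what the router lets back in."""
    nat = Nat(mode)
    inside = Packet("192.168.0.1", 50000, "198.51.100.5", 80)
    mapped = nat.translate_out(inside).src_port
    reply = Packet("198.51.100.5", 80, PUBLIC_IP, mapped)               # legitimate reply
    probe_mapped = Packet("198.51.100.99", 12345, PUBLIC_IP, mapped)     # other host, mapped port
    probe_other = Packet("198.51.100.99", 12345, PUBLIC_IP, mapped + 1)  # other host, unmapped port
    return {
        "reply_delivered": nat.translate_in(reply) is not None,
        "probe_mapped_port_delivered": nat.translate_in(probe_mapped) is not None,
        "probe_other_port_delivered": nat.translate_in(probe_other) is not None,
    }


if __name__ == "__main__":
    for mode in ("4tuple", "port_only"):
        print(mode, scenario(mode))
```

With the 4-tuple policy only the genuine reply reaches 192.168.0.1; a packet from any other external host to the same public port is dropped, which is the "only susceptible from the one external IP address you connected to" point. The port-only policy shows what the quoted concern looks like in practice: the mapped port becomes reachable from anywhere for as long as the mapping lives, so the translation alone is not a substitute for packet filtering.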