TransACT Cable Router

Robert Edwards Robert.Edwards at anu.edu.au
Wed Apr 2 09:20:19 EST 2003


On Tue, 1 Apr 2003 11:27 am, Dale Shaw wrote:
> I don't know about the Netgear RT314 but the Linksys model doesn't
> appear to include fully fledged firewalling capabilities. It says it
> provides firewalling via NAT, but NAT in itself only provides security
> by obscurity. It's not clear whether or not it would protect in any way
> an 'inside' host with an active translation from attacks on the
> Internet.
>
> Example: Inside host 192.168.0.1 makes a connection through the gateway
> and is translated into the xDSL interface's IP address, 203.1.2.3. Is
> the router going to stop someone connecting to an arbitrary port on
> 203.1.2.3, or will it simply pass it back through to the originating
> host? Sure, you can't directly target the inside host because its
> address isn't routeable on the Internet, but if the router is only doing
> NAT (or more accurately in this case, PAT or N-PAT) and not some form of
> packet filtering (stateful or not), you'll need to protect yourself with
> some host-based firewalling.
>

I'm not sure how the Netgear RT314 implements NAT (and I'm not sure what you 
mean by PAT etc.) but in normal NAT/IP-Masquerading, the router performs the 
reverse translation (for incoming packets) based on the entire 4-tuple of the 
connection (if it is TCP etc.) or similar for UDP. That is, it will take into 
account the IP address of the external (publicly accessible) host in 
performing the reverse translation.

This means that your inside machine is only susceptible on the one port that is 
open (or more than one, if you have multiple connections running) from the 
one external IP address you connected to.

I agree that there is a lot of firewall functionality that this doesn't 
include, but NAT itself will stop all manner of port-scanning style attacks.

Cheers,

Bob Edwards.
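The reverse-translation behaviour the reply describes (and the port-only lookup the quoted post worries about), as an added example that is not part of the thread; the external hosts 198.51.100.10 and 192.0.2.200, the port numbers and the `full_tuple` switch are constructed, while 192.168.0.1 and 203.1.2.3 are the addresses used in the quoted post:

```python
"""Model of connection-tracking NAT (IP masquerading) reverse translation.

Added example, not from the thread. Addresses, ports and the full_tuple
switch are constructed to contrast matching inbound packets on the whole
connection tuple (as the reply describes) with matching on port alone.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class Packet:
    proto: str  # "tcp" or "udp"
    src: Endpoint
    dst: Endpoint


@dataclass
class MasqueradingRouter:
    wan_ip: str
    full_tuple: bool = True  # False models a port-only (PAT-style) lookup
    next_port: int = 40000
    # translated port -> (proto, inside endpoint, remote endpoint)
    table: Dict[int, Tuple[str, Endpoint, Endpoint]] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> Internet: allocate a translated port and record the flow."""
        mapped, self.next_port = self.next_port, self.next_port + 1
        self.table[mapped] = (pkt.proto, pkt.src, pkt.dst)
        return Packet(pkt.proto, (self.wan_ip, mapped), pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> inside: reverse-translate on a matching entry, else drop."""
        entry = self.table.get(pkt.dst[1]) if pkt.dst[0] == self.wan_ip else None
        if entry is None or entry[0] != pkt.proto:
            return None  # no live connection on that port: dropped
        _, inside, remote = entry
        if self.full_tuple and pkt.src != remote:
            return None  # another host probing the open port: dropped
        return Packet(pkt.proto, pkt.src, inside)


def demo(full_tuple: bool) -> Tuple[bool, bool]:
    """(reply_forwarded, probe_forwarded) after one outbound TCP connection."""
    r = MasqueradingRouter("203.1.2.3", full_tuple)
    out = r.outbound(Packet("tcp", ("192.168.0.1", 51000), ("198.51.100.10", 80)))
    mapped = out.src[1]
    reply = r.inbound(Packet("tcp", ("198.51.100.10", 80), ("203.1.2.3", mapped)))
    probe = r.inbound(Packet("tcp", ("192.0.2.200", 33333), ("203.1.2.3", mapped)))
    return reply is not None, probe is not None
```

With `full_tuple=True` the legitimate reply is forwarded and the probe from a different host to the same translated port is dropped; with `full_tuple=False` both are forwarded, which is the exposure the quoted post describes.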

