TransACT Cable Router

Dale Shaw DShaw at
Wed Apr 2 10:05:40 EST 2003


Yeah -- brain wasn't fully engaged when I was thinking about how the
device might handle packets targeted for its visible address when PAT
(or more accurately "Network Address Port Translation (NAPT)") is used
as distinct from basic NAT (one-to-one or many-to-many). RFC1631 is all
over the shop, but it doesn't talk about translating TCP and UDP port
numbers. RFC2663 seems to exist because of confusion around NAT-related
terminology (I'd never heard of "IP Masquerading" until I used Linux and
ipfwadm in about 1993; I wish the term would go away).

I was talking about out of band connection attempts to the xDSL
interface's IP address -- obviously in a NAPT scenario it can't possibly
know which (of possibly many) "inside" hosts to un-translate and forward
to, so it _must_ drop the packet(s) on the floor. In a basic/traditional
NAT scenario, you have to wonder how the router would handle incoming
packets, since it DOES have a 1:1 IP translation and theoretically knows
exactly where to forward them on the inside. This is probably covered by
section 4.2 of RFC2663 ("Bi-directional NAT"), but since the various
vendors usually just say "yeah, we do NAT", it probably doesn't help
John with his quest.

NAT sucks :-) Three cheers for application proxies!

-----Original Message-----
From: Robert Edwards [mailto:Robert.Edwards at] 
Sent: Wednesday, 2 April 2003 9:20 AM
To: Dale Shaw; John Griffiths
Cc: linux at

On Tue, 1 Apr 2003 11:27 am, Dale Shaw wrote:
> I don't know about the Netgear RT314 but the Linksys model doesn't
> appear to include fully fledged firewalling capabilities. It says it
> provides firewalling via NAT, but NAT in itself only provides security
> by obscurity. It's not clear whether or not it would protect in any
> way an 'inside' host with an active translation from attacks on the
> Internet.

I'm not sure how the Netgear RT314 implements NAT (and I'm not sure what
you mean by PAT etc.) but in normal NAT/IP-Masquerading, the router performs
reverse translation (for incoming packets) based on the entire 4-tuple of the
connection (if it is TCP etc.) or similar for UDP. That is, it will take
into account the IP address of the external (publicly accessible) host in
performing the reverse translation.

This means that your inside machine is only susceptible on the one port that is
open (or more than one, if you have multiple connections running) from the
one external IP address you connected to.

I agree that there is lots of firewall functionality that this doesn't
include, but NAT itself will stop all manner of port-scanning style


Bob Edwards.
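As an added illustration of the point both messages make (reverse translation keyed on the whole connection tuple under NAPT, versus a static one-to-one mapping under basic NAT, where the router knows where to forward unsolicited packets), here is a small Python model. It is constructed for this page, not code from either poster or from any router, and the addresses are documentation ranges chosen for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class Napt:
    """Many-to-one NAPT: inbound packets are un-translated only on a full tuple match."""
    def __init__(self, external_ip: str, first_port: int = 40000) -> None:
        self.external_ip, self.next_port = external_ip, first_port
        # (proto, remote_ip, remote_port, translated_port) -> (inside_ip, inside_port)
        self.table: Dict[Tuple[str, str, int, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.proto, pkt.dst, pkt.dport, port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.external_ip, port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self.table.get((pkt.proto, pkt.src, pkt.sport, pkt.dport))
        if inside is None:
            return None  # nothing to un-translate to: dropped on the floor
        return Packet(pkt.proto, pkt.src, pkt.sport, inside[0], inside[1])

class BasicNat:
    """One-to-one NAT: static address map, so any external peer can reach the inside host."""
    def __init__(self, inside_to_external: Dict[str, str]) -> None:
        self.in_map = {ext: ins for ins, ext in inside_to_external.items()}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self.in_map.get(pkt.dst)
        return None if inside is None else Packet(pkt.proto, pkt.src, pkt.sport, inside, pkt.dport)

def demo() -> Dict[str, Optional[Packet]]:
    """Constructed scenario: one outbound web connection, then two unsolicited probes."""
    napt, nat = Napt("203.0.113.1"), BasicNat({"192.168.1.10": "203.0.113.1"})
    out = napt.outbound(Packet("tcp", "192.168.1.10", 50123, "198.51.100.7", 80))
    reply = Packet("tcp", "198.51.100.7", 80, "203.0.113.1", out.sport)
    probe = Packet("tcp", "192.0.2.9", 4444, "203.0.113.1", 22)
    same_peer = Packet("tcp", "198.51.100.7", 80, "203.0.113.1", 22)  # right host, wrong port
    return {"reply": napt.inbound(reply),               # forwarded to 192.168.1.10:50123
            "napt_probe": napt.inbound(probe),          # None: no translation, dropped
            "napt_same_peer": napt.inbound(same_peer),  # None: tuple does not match
            "nat_probe": nat.inbound(probe)}            # forwarded to 192.168.1.10:22
```

The model shows why NAPT on its own only admits traffic for a live translation, while the 1:1 case forwards whatever arrives for the mapped address unless a separate filter stops it.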
