| > So someone attempting to make a new connection to an internal host is effectively firewalled off by the lack of a mapping table. The lack of a mapping table entry just means that your packet doesn't get translated. It doesn't mean that inside hosts are unreachable. > Now most people who say "NAT isn't a firewall" are referring to the case where you have for some reason turned off the default firewall rules on the NAT device Yeah, so: NAT isn't a firewall. The firewall is a firewall. NAT is typically deployed together with a firewall precisely because NAT isn't a firewall. This is an important distinction, because it means that the security you think you're getting from NAT is actually coming from the firewall, meaning you don't need NAT to get that security. Note that I'm not ignoring the issue of reaching non-routeable addresses either. Your ISP can route to your LAN range easily, and there are plenty of people who could trick or force your ISP into cooperating. If you want to be secure, you can't rely on "probably I won't receive any evil connections, it'll be fine", you need to actually block them. If you're in a situation where non-routeability is relevant then you were already insecure. You've also forgotten that NAT doesn't provide you with non-routeable addresses, even if it's typically deployed with them. It works on any address range and it has no impact on the routeability of the range you use. NAT is also not required to use non-routeable addresses (which as mentioned aren't even secure in the first place). So, again, it provides no security. |