Re: Circumventing NAT?

From: Whoever (nobody@devnull.none)
Date: 02/28/03


From: Whoever <nobody@devnull.none>
Date: Fri, 28 Feb 2003 19:29:25 GMT

On Fri, 28 Feb 2003, Orniter wrote:

> I'm wondering if there is a way to connect directly to a node behind a
> router with NAT. If a host had an address of 192.168.0.17 behind a router
> with the address 26.7.82.4, is there some way to connect directly to that
> host? For example, would it be possible to map that computer's shared
> resources to a computer on a remote network? Any suggestions would be
> greatly appreciated, thank ya much! :-)
>

If there is a good firewall in place, then no.

There is a theoretical possibility: using source routed packets. The basic
issue is how do you get the packets with a destination address of
192.168.0.x to the NAT router in the first place? Well, packets can carry
their own routing information -- in other words, they can tell each hop
how they should be forwarded so that they will end up at the desired
router. This won't work if any of the routers in the path are configured
to reject source-routed packets.

Another way would be to break into the router that is the default gateway
for the NAT box and make that box send packets for you.

However, a sensible firewall configuration should defeat these approaches.

Any sensible firewall configuration should include:

1. Rejection of source routed packets.

2. Rejection of packets that arrive on the external interface that have a
source or destination address that matches the address range used behind
the NAT box.

In addition, stateful firewalls should defeat an attempt to initiate a
connection to a box behind the firewall.

So, if your question really is:
"Does NAT on its own provide security for the network behind the NAT
box?", then the answer is no: you need a firewall as well.
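The two-point checklist above (reject source-routed packets; drop anything on the external interface carrying an internal source or destination address) plus the stateful rule maps onto a small Linux netfilter policy. The script below is an added example, not part of the original post: it is a plain sysctl/iptables rendering of that advice for a NAT box with a single external interface. The interface name (eth0), the inside range (192.168.0.0/24, chosen to match the question) and the IPT/SYSCTL dry-run variables are assumptions for illustration; set IPT=echo to print the rules instead of loading them.

```shell
#!/bin/sh
# Hypothetical settings (assumptions, not from the post):
EXT_IF=${EXT_IF:-eth0}               # interface facing the Internet
INT_NET=${INT_NET:-192.168.0.0/24}   # RFC 1918 range behind the NAT box
IPT=${IPT:-iptables}                 # IPT=echo prints the rules instead of loading them
SYSCTL=${SYSCTL:-sysctl}             # SYSCTL=echo likewise for the kernel knobs

harden_kernel() {
    # 1. Reject source-routed packets (LSRR/SSRR IP options). With this at 0 the
    #    kernel discards them on arrival, so a packet that tried to steer itself
    #    to 192.168.0.17 via this router never reaches the forwarding path.
    "$SYSCTL" -w net.ipv4.conf.all.accept_source_route=0
    "$SYSCTL" -w net.ipv4.conf.default.accept_source_route=0
    # Reverse-path filtering: drop a packet if the reply to its source address
    # would leave by a different interface than the one it arrived on.
    "$SYSCTL" -w net.ipv4.conf.all.rp_filter=1
}

build_rules() {
    # Default deny for traffic to the box itself and for forwarded traffic.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    # 2. Anti-spoofing on the external interface: an internal address can be
    #    neither the source nor the destination of a packet arriving from outside.
    #    The -d rules also catch a source-routed packet aimed at an inside host
    #    if the kernel knob above were ever left enabled.
    "$IPT" -A INPUT   -i "$EXT_IF" -s "$INT_NET" -j DROP
    "$IPT" -A INPUT   -i "$EXT_IF" -d "$INT_NET" -j DROP
    "$IPT" -A FORWARD -i "$EXT_IF" -s "$INT_NET" -j DROP
    "$IPT" -A FORWARD -i "$EXT_IF" -d "$INT_NET" -j DROP
    # 3. Stateful filtering: only replies to connections opened from the inside
    #    are let back in. A fresh inbound SYN matches no conntrack entry, falls
    #    through to the FORWARD policy and is dropped.
    "$IPT" -A FORWARD -i "$EXT_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -i "$EXT_IF" -m conntrack --ctstate INVALID -j DROP
    # Hosts inside may originate connections; masquerade them on the way out.
    "$IPT" -A FORWARD ! -i "$EXT_IF" -s "$INT_NET" -o "$EXT_IF" -j ACCEPT
    "$IPT" -t nat -A POSTROUTING -s "$INT_NET" -o "$EXT_IF" -j MASQUERADE
}

# Only touch the live system when explicitly asked: sh nat-fw.sh apply
if [ "${1:-}" = "apply" ]; then
    harden_kernel
    build_rules
fi
```

Note what this does not do: it is the firewall the post says NAT needs, not NAT itself providing protection. Strip the anti-spoofing and conntrack rules and the MASQUERADE rule alone still leaves every forwarding decision to the routing table, which is exactly the gap the source-routing and compromised-upstream-router approaches in the post rely on.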
