NAT and firewalling are two separate concepts.
NAT is the concept that is based on the substitution of the private
internal address of a host with the public external address of the NAT
device. Think about call forwarding on a telephone. If I have all
calls to my office number forwarded to my cell phone, when someone
calls my office number, they reach me on my cell. The caller does not
necessary know the difference (maybe by call clarity, but that is a
different story) On a NAT device, all outbound traffic has the WAN IP
of the NAT device. The source IP of the client machine is stripped and
the WAN IP is substituted. This works in both directions. Inbound
traffic (usually to a specified port - 25 for SMTP) to the WAN IP is
redirected to a specified LAN IP of desired host.
Firewalling is the concept of allowing or disallowing (pass or block)
certain traffic in or out of an network. Think about call blocking on
a telephone. If I arrange with the phone company to block calls from a
certain number or only allow calls from certain numbers. Those calls
will not reach me, or only those can reach me. (I don't know if the
phone company would do this, it would be a good idea...) Email
blocking would also be a good example. Even with the substitution
above, the firewall has to be told to allow traffic on a specified
port to a specified IP.
Many of the consumer "Broadband Routers" use NAT and firewalling as
one and the same, they are not. NATing does provide some firewall like
protection, assuming that the NAT device rejects (or ignores) inbound
connections. The commercial firewalls I have worked with (primarily
SonicWall) separate the two. I like the fact that m0n0wall allows you
to "automatically" create the firewall rule to allow the traffic when
you specify a inbound NAT.
James W. McKeand
From: Gwyn Evans [mailto:gwyn dot evans at gmail dot com]
Sent: Tuesday, November 16, 2004 10:43 AM
To: James W. McKeand
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Inbount NAT won't answer on WAN i/f
On Tue, 16 Nov 2004 09:38:17 -0500, James W. McKeand
<james at mckeand dot biz> wrote:
> I just tried to test what would happen if I created a Inbound NAT
> firewall rules for SMTP (I do not host any of my mail or web on my
> LAN, but I do have servers...) I created an Inbound NAT on my WAN
> interface IP with external port and internal port 25 and my SBS as
> NAT IP. Allowed creation of the Firewall Rule (Pass -> Interface:
> -> Source IP: any -> Source Port: any -> Destination IP: SBS ->
> Destination Port: 25). I tested this by using remote desktop
> connection to connect to a server at one of my client's site, then
> used telnet from there to connect back to my WAN IP on port 25. I
> connected to my SBS's Exchange as expected...
The bit that throws me is why the firewall rule needs to be there,
as my understanding of nat suggests that it's client<->firewall and
firewall<->server, but the rule's opening client<->server...
Anyone point out what I'm missing?
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch