On Jan 12, 2011, at 1:05 PM, Scott Helms wrote:

>> That's simply not true. Every end user running NAT is running a stateful
>> firewall with a default inbound deny.
>
> Really? I just tested this with 8 different router models from 5 different
> manufacturers and in all cases the default behavior was the same. Put a
> public IP on a PC behind the router, tell the router how to connect (DHCP in
> this case), and leaving everything else as default meant that all traffic to
> the public IP was allowed through unless I configured rules. One of the
> Netgear models (IIRC) did block ICMP but any TCP or UDP traffic was allowed
> through. Now, this certainly isn't an exhaustive test, but it tested the
> devices we needed checked. If someone knows of a model that does block
> incoming (non-established TCP) traffic by default I'd like to know about it.
> That's especially true of combo DSL modem routers.
>

It may be that the default behavior of the models you tested is to turn off the stateful firewall if there's a public inside address, but the same code that does the stateful inspection for NAT can do it without NAT if the vendor chooses.
I suspect that the vendors chose to automatically disable stateful inspection to avoid tech support calls from ignorant users with public IPs who didn't understand why their packets weren't getting through.

Owen
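The point Owen makes above, that the connection-tracking logic a NAT box relies on is independent of the address translation itself, can be shown with a small model. The following is an added illustration written for this thread, not code from any of the participants or from any router vendor: a toy CPE forwarding path in which the flow table used for the "established" check is the same whether NAT is on or off, plus a third mode that reproduces the behaviour Scott observed (public inside address, inspection disabled). All addresses are constructed from the RFC 5737 documentation ranges, and the `Router` and `Packet` names are invented for the example.

```python
"""Toy model of a home router: shared connection tracking, optional NAT.

Shows that "default inbound deny" comes from the stateful check, not from
address translation: the NAT and routed configurations below use one and
the same flow table, and only the router with inspection switched off lets
an unsolicited inbound packet through.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Router:
    """Forwarding path of a hypothetical CPE device.

    stateful      -> inbound packets must match a flow an outbound packet
                     created (default inbound deny).
    nat_public_ip -> if set, outbound flows are also source-translated to
                     this address; the flow table is shared with the
                     stateful check, so turning NAT on or off does not
                     change the inbound decision.
    """
    stateful: bool = True
    nat_public_ip: Optional[str] = None
    next_port: int = 40000
    flows: dict = field(default_factory=dict)    # LAN 5-tuple -> (wan_ip, wan_port)
    reverse: dict = field(default_factory=dict)  # expected reply 5-tuple -> LAN 5-tuple

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: record the flow and, if NAT is on, rewrite the source."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.flows:
            if self.nat_public_ip is None:
                wan_ip, wan_port = pkt.src, pkt.sport        # plain routing
            else:
                wan_ip, wan_port = self.nat_public_ip, self.next_port
                self.next_port += 1
            self.flows[key] = (wan_ip, wan_port)
            # The reply will come from (dst, dport) addressed to (wan_ip, wan_port).
            self.reverse[(pkt.proto, pkt.dst, pkt.dport, wan_ip, wan_port)] = key
        wan_ip, wan_port = self.flows[key]
        return Packet(pkt.proto, wan_ip, wan_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: return the delivered packet, or None if it is dropped."""
        key = self.reverse.get((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if key is not None:                                   # established flow
            proto, lan_ip, lan_port, _, _ = key
            return Packet(proto, pkt.src, pkt.sport, lan_ip, lan_port)
        if self.nat_public_ip is not None:
            return None          # no NAT mapping: nowhere to forward it anyway
        return None if self.stateful else pkt   # routed: the policy decides


def run_scenario(router: Router, lan_ip: str) -> dict:
    """One outbound web request, its reply, and one unsolicited inbound packet."""
    out = router.outbound(Packet("tcp", lan_ip, 51000, "198.51.100.5", 80))
    reply = router.inbound(Packet("tcp", "198.51.100.5", 80, out.src, out.sport))
    unsolicited = router.inbound(Packet("tcp", "198.51.100.77", 4444, out.src, 22))
    return {
        "reply_delivered": reply is not None and reply.dst == lan_ip,
        "unsolicited_delivered": unsolicited is not None,
    }


if __name__ == "__main__":
    # Constructed addresses (RFC 5737 documentation ranges).
    print("NAT, stateful:      ", run_scenario(Router(True, "203.0.113.10"), "192.168.1.20"))
    print("routed, stateful:   ", run_scenario(Router(True), "203.0.113.20"))
    print("routed, no inspect: ", run_scenario(Router(False), "203.0.113.20"))
```

The first two configurations behave identically: the reply to the outbound request is delivered and the unsolicited packet is dropped, even though the second one does no translation at all. Only the third, where the vendor has disabled inspection because the inside address is public, forwards the unsolicited packet, which is the behaviour the thread is discussing.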