On Jan 13, 2011, at 1:21 PM, Lamar Owen wrote:

> On Wednesday, January 12, 2011 03:50:28 pm Owen DeLong wrote:
>> That's simply not true. Every end user running NAT is running a stateful
>> firewall with a default inbound deny.
>
> This is demonstrably not correct. Even in the case of dynamic overloaded
> NAT, at least on Cisco, there is no firewalling going on (if firewalling is
> defined as blocking something). It looks like there is, but that's an
> illusion, a sleight-of-hand, not reality. In the NAT order of operations in
> IOS at least you'll find NAT occurs before the routing decision does. Thus,
> if you change the address in the packet header, you change which routing
> table entry will be used to route that packet. It's the rewriting of the
> address that then causes the routing to send the packet in a different
> direction; in practice most of the time there is either no route or a null
> route to the inside global address or address block, but it doesn't have to
> be that way.

The rewriting is done by matching the packet against a state table. No match, no rewrite, no forward.
If you have a state table and packets have to match the state table to get forwarded, that is, by definition, a stateful firewall.

> You could easily set up a NAT where the inside local addresses are on, say,
> GigabitEthernet0/0 and the inside global address(es) are on Null0.... or
> GigabitEthernet0/1 (where the honeynet or tarpit resides, perhaps?), or
> whatnot. Packets that don't match the NAT can just be routed elsewhere, not
> just to a null route, easily enough. The default destination for most cases
> happens to be a null route; this is certainly a good imitation of a deny.

The difference between drop, deny, and forward to null0 is a subtlety that doesn't have much to do with the outcome of what happens to the packet. In all cases, the packet is discarded.

The bottom line is that a default forward to null0 is a default deny. Yes, it can be overridden like most defaults. Yes, the mechanism for overriding a default deny in an ACL and overriding a default forward to null0 in a state table may be in different parts of the configuration or require different commands, but it doesn't change the fact that you have a stateful firewall of one form or another.

Owen
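A toy model of the order of operations the two posts argue over, added here as an illustration and not code from either poster or from Cisco: translation runs first, then the routing lookup is done on whatever destination is left, so an unmatched inbound packet is routed by the inside global address, which usually (but not necessarily) points at Null0. Interface names, prefixes and ports are constructed.

```python
import ipaddress

# Constructed toy model of the "NAT before routing" order of operations described in
# the thread; it is not Cisco IOS code. Interface names, prefixes and ports are made up.

class NatRouter:
    def __init__(self, inside_global, routes):
        self.inside_global = inside_global            # the overloaded inside global address
        self.routes = {ipaddress.ip_network(p): i for p, i in routes.items()}
        self.bindings = {}                            # (global_ip, global_port) -> (local_ip, local_port)
        self.next_port = 40000

    def route(self, dst):
        """Longest-prefix match. 'Null0' means the packet is discarded."""
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if addr in n]
        return self.routes[max(matches, key=lambda n: n.prefixlen)] if matches else "Null0"

    def outbound(self, src, sport, dst, dport):
        """Inside -> outside: reuse or create an overload binding, then rewrite the source."""
        for (gip, gport), local in self.bindings.items():
            if local == (src, sport):
                return (gip, gport, dst, dport)
        gport, self.next_port = self.next_port, self.next_port + 1
        self.bindings[(self.inside_global, gport)] = (src, sport)
        return (self.inside_global, gport, dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Outside -> inside. Translation runs first, so the routing lookup is done on
        whatever destination is left afterwards: the inside local address on a state-table
        hit, the untranslated inside global address on a miss."""
        binding = self.bindings.get((dst, dport))
        if binding:
            dst, dport = binding                      # match: rewrite, then route
        return {"translated": binding is not None, "dst": dst, "dport": dport,
                "egress": self.route(dst)}            # no match: no rewrite, route as-is

if __name__ == "__main__":
    # Usual case: the inside global /32 points at Null0, so an unsolicited inbound packet is dropped.
    r = NatRouter("203.0.113.1", {"10.0.0.0/8": "Gi0/0", "203.0.113.1/32": "Null0", "0.0.0.0/0": "Gi0/2"})
    print(r.outbound("10.1.1.5", 51000, "198.51.100.9", 443))      # binding created on port 40000
    print(r.inbound("198.51.100.9", 443, "203.0.113.1", 40000))    # reply matches: egress Gi0/0
    print(r.inbound("198.51.100.77", 1234, "203.0.113.1", 22))     # unsolicited: egress Null0
    # Lamar's variant: route the inside global address towards a tarpit interface instead.
    t = NatRouter("203.0.113.1", {"10.0.0.0/8": "Gi0/0", "203.0.113.1/32": "Gi0/1", "0.0.0.0/0": "Gi0/2"})
    print(t.inbound("198.51.100.77", 1234, "203.0.113.1", 22))     # unsolicited: egress Gi0/1
```

Either way the unmatched packet is never rewritten, which is the point both posts agree on; what differs is only where the untranslated inside global address happens to be routed.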