Old 05-07-2009, 12:40 PM
ToddAndMargo
Newsgroup Contributor
 
Posts: n/a
Re: firewall test and NAT

John John - MVP wrote:
> ToddAndMargo wrote:
>> John John - MVP wrote:
>>> ToddAndMargo wrote:
>>>> Hi All,
>>>>
>>>> I would like to test my firewall, but have a NAT box
>>>> between me and the various firewall tests I know
>>>> of. Anyone know of a firewall test that shoots
>>>> through NAT?
>>>
>>> NAT would be pretty useless if anything could just "shoot" through
>>> it. Open (forward) a port in the box or temporarily disable/bypass
>>> the NAT box for your tests.
>>>
>>> John

>>
>> Hi John,
>>
>> The bad guys know all about NAT. And it is indeed useless
>> as a firewall.
>>
>> The bad guys start with 192.168.0.0/24 and work their way
>> up. Check your firewall logs, you will see SYN packet probes
>> on it all the time: about 1/100 if you did not use NAT, but
>> still enough to do damage. NAT is *not* a firewall -- it is
>> a common misconception.
>>
>> I was hoping for a way to test it without redoing anything
>> on my network.

>
> I'm by no means any kind of expert on this, but my understanding about
> NAT is that it will only allow traffic in if the request for the packets
> originated from within. You say that you have a "NAT box"; I assume that
> to be a router of sorts. Check the documentation for your router.
>
> John


Hi John,

It is a router.

The trouble with NAT is that the bad guys just slap their
guess as to what your internal, off-Internet address is
onto their probe. They find you very quickly if your internal
off-Internet address is 192.168.0.xxx. (Recommendation:
pick an internal address other than 192.168.0.0/24 or
192.168.1.0/24.)

NAT does not stop incoming requests called SYN (TCP) or
state "New" (TCP or UDP). It only stops traffic not
properly addressed to your internal network. Enough
guessing and the bad guys will find you.

NAT is *NOT* a firewall. You take your rear end in your hands
if you rely on NAT to protect you from port probes.

-T
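
As an added illustration (not code from anyone in this thread), the following Python model shows the translation-table behaviour John describes: an inbound packet is only forwarded to an internal host when an outbound connection from that host created the mapping first. All addresses are constructed for the example, and the router is a simplified port-overloading NAT, not any particular vendor's product.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed addresses for the example (not taken from the thread).
LAN_HOST = "192.168.0.10"     # internal host behind the NAT router
WAN_ADDR = "203.0.113.5"      # router's public address (TEST-NET-3)
WEB_SERVER = "198.51.100.20"  # an Internet host the LAN host talks to
SCANNER = "198.51.100.99"     # an unrelated Internet host sending probes

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # "SYN" marks a new TCP connection attempt

class NatRouter:
    """Minimal model of a port-overloading NAT translation table."""

    def __init__(self, wan_addr: str):
        self.wan_addr = wan_addr
        self.next_port = 40000
        # (remote_ip, remote_port, wan_port) -> (lan_ip, lan_port)
        self.table: Dict[Tuple[str, int, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: allocate a mapping, rewrite the source to the WAN address."""
        wan_port = self.next_port
        self.next_port += 1
        self.table[(pkt.dst, pkt.dport, wan_port)] = (pkt.src, pkt.sport)
        return Packet(self.wan_addr, wan_port, pkt.dst, pkt.dport, pkt.flags)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: forward only packets that match an existing mapping."""
        if pkt.dst != self.wan_addr:
            return None  # not addressed to the router's public side at all
        entry = self.table.get((pkt.src, pkt.sport, pkt.dport))
        if entry is None:
            return None  # unsolicited: no internal destination exists for it
        lan_ip, lan_port = entry
        return Packet(pkt.src, pkt.sport, lan_ip, lan_port, pkt.flags)

def demo():
    nat = NatRouter(WAN_ADDR)
    # 1. Inside host opens a connection; the reply matches and is translated.
    out = nat.outbound(Packet(LAN_HOST, 51000, WEB_SERVER, 443, "SYN"))
    reply = nat.inbound(Packet(WEB_SERVER, 443, WAN_ADDR, out.sport, "SYN-ACK"))
    # 2. Unsolicited SYN at the public address: no table entry, so it is dropped.
    probe = nat.inbound(Packet(SCANNER, 44444, WAN_ADDR, 22, "SYN"))
    # 3. Probe carrying a guessed private address: never addressed to this router.
    guess = nat.inbound(Packet(SCANNER, 44444, LAN_HOST, 22, "SYN"))
    return reply, probe, guess
```

Because an unsolicited probe never reaches the inner host, an external scan of this setup exercises only the router, which is why the thread's suggestion is to forward a port or bypass the NAT box when the goal is to test the host firewall itself.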
