Comment by bandrami
4 days ago
It really doesn't, it's just that in 99% of SO/HO setups it's the firewall that's also doing the NAT. NAT by itself just mangles packets.
And again, yes, by the original definition of NAT in RFC1631, you are technically correct, which as we all know is the best kind of correctness and will move things forward. However, here in the real world, practically all NAT implementations are stateful and ignore (effectively: drop) incoming packets for which no corresponding connection can be found, meaning they do "NAT filtering" as "defined" (it's not really defined there) by RFC4787. When we say "this box here is doing NAT" everyone expects this behavior. To call this "NAT and firewall" is pointless semantics, and even the people writing RFCs agree here, which is quite something. You will see that RFC4787 says "This section describes various filtering behaviors observed in NATs", and they also say that NATs provide "firewall behaviors" without calling it "a firewall".
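As an added example that is not part of the comment above: a toy stateful NAT in Python showing the RFC 4787 filtering behaviours the comment refers to. An inbound packet for which no mapping exists is dropped in every mode; the three named behaviours differ only in how strictly an existing mapping is gated. All addresses and ports are constructed sample values.

```python
from dataclasses import dataclass, field

# Toy stateful NAT demonstrating RFC 4787 filtering behaviours.
# All IPs and ports here are constructed sample values (documentation ranges).
EXTERNAL_IP = "203.0.113.1"

@dataclass
class Nat:
    # one of: "endpoint-independent", "address-dependent",
    #         "address-and-port-dependent"
    filtering: str
    next_port: int = 40000
    # (internal_ip, internal_port) -> external port allocated for it
    mappings: dict = field(default_factory=dict)
    # external port -> set of (remote_ip, remote_port) the host has sent to
    peers: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an outgoing packet, creating a mapping on first use."""
        key = (src_ip, src_port)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.peers[self.next_port] = set()
            self.next_port += 1
        ext_port = self.mappings[key]
        self.peers[ext_port].add((dst_ip, dst_port))
        return (EXTERNAL_IP, ext_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Return (internal_ip, internal_port), or None if the packet is filtered."""
        if dst_port not in self.peers:
            # No mapping at all: a stateful NAT drops this in every mode.
            return None
        seen = self.peers[dst_port]
        if self.filtering == "address-and-port-dependent":
            allowed = (src_ip, src_port) in seen
        elif self.filtering == "address-dependent":
            allowed = any(ip == src_ip for ip, _ in seen)
        elif self.filtering == "endpoint-independent":
            allowed = True
        else:
            raise ValueError(f"unknown filtering behaviour: {self.filtering}")
        if not allowed:
            return None
        return next(k for k, v in self.mappings.items() if v == dst_port)
```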