Comment by tbrownaw
18 days ago
> And indeed, if a firewall is off NAT can still function (if NAT is separate).
Well technically you can translate your /16 to look like a different /16 from the outside, i.e., each internal address gets turned into its own separate external address.
But that's not how NAT gets used in practice. How it actually gets used is to put many hidden addresses behind one or a few public addresses. And that multiplexing necessarily implies that incoming connections must be specifically told where to go; i.e., that there's a firewall.
No, it doesn't imply that.
Let's say your LAN is using 192.0.2.0/24, and your router has 203.0.113.42 on its WAN interface. With NAT, outbound connections from 192.0.2.x will appear to be coming from 203.0.113.42 -- in your words, the 192.0.2.x addresses on the LAN are hidden behind 203.0.113.42.
Now imagine an inbound connection to 192.0.2.10. Does this connection need to be told where to go? It already clearly states where it needs to go in the packet itself: to 192.0.2.10, and the fact that your outbound connections all appear to be coming from 203.0.113.42 didn't prevent that at all.
So no, NAT doesn't necessarily imply that incoming connections need to be told where to go. The packets themselves can specify that.
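The scenario in the reply above, as an added toy simulation (not code from this thread): a masquerading router with the thread's addresses, showing that a WAN packet addressed straight to 192.0.2.10 is forwarded by plain routing unless an explicit ingress filter drops it, while NAT state only decides where packets addressed to 203.0.113.42 go. The remote host 198.51.100.7 and the port numbers are constructed values.

```python
import ipaddress

LAN = ipaddress.ip_network("192.0.2.0/24")          # from the thread
WAN_ADDR = ipaddress.ip_address("203.0.113.42")      # router's public address

class NatRouter:
    """Toy masquerading router: SNAT outbound, DNAT replies, optional WAN ingress filter."""

    def __init__(self, filter_wan_ingress):
        # When True, packets arriving on WAN that are addressed to a LAN address are dropped.
        # This is a firewall rule, separate from the translation table.
        self.filter_wan_ingress = filter_wan_ingress
        self.table = {}          # external port -> (internal ip, internal port)
        self.next_port = 40000   # constructed starting port for translations

    def outbound(self, src, sport, dst, dport):
        """LAN -> WAN: rewrite the source so the LAN host is hidden behind WAN_ADDR."""
        ext_port = self.next_port
        self.next_port += 1
        self.table[ext_port] = (src, sport)
        return (str(WAN_ADDR), ext_port, dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Packet arriving on the WAN interface. Returns the forwarded packet or None."""
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip == WAN_ADDR:
            # Addressed to the public IP: only an existing translation says where it goes.
            mapping = self.table.get(dport)
            if mapping is None:
                return None      # no state: delivered to the router itself, not forwarded
            int_ip, int_port = mapping
            return (src, sport, int_ip, int_port)
        if dst_ip in LAN:
            # Addressed directly to a LAN host: the packet itself says where it goes and
            # NAT plays no part. Only an explicit filter stops it from being routed.
            if self.filter_wan_ingress:
                return None
            return (src, sport, dst, dport)
        return None              # not destined for this network at all

def demo():
    """Compare the same direct-to-LAN packet with and without the ingress filter."""
    nat_only = NatRouter(filter_wan_ingress=False)
    nat_plus_fw = NatRouter(filter_wan_ingress=True)
    pkt = ("198.51.100.7", 12345, "192.0.2.10", 22)
    return nat_only.inbound(*pkt), nat_plus_fw.inbound(*pkt)
```

`demo()` returns the packet forwarded unchanged for the NAT-only router and `None` for the router that also filters WAN ingress.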