Comment by digitalsushi

12 years ago

I like to explain it to friends like this:

A Firewall is exactly the same thing as a bouncer at a club. The firewall-bouncer decides if you, the packet, get into the club. He might let you in, he might ignore you, he might tell you no.

NAT is a dinner party at a house on a block. There's no bouncer. If you know the right house, you walk right in the front door. But there sure are a lot of houses! So it seems unlikely that someone will crash your party, but don't you trust the bouncer more, now that you're thinking about it?

I'm not sure I follow your analogy. With a NAT configured to only forward certain ports to certain machines, the "bouncer" exists as much as in the firewall case. The question is not whether a NAT can be an effective firewall; it's that it brings some other, rather unsavory features along with it.
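As an added illustration of the point both commenters are circling (this is not code from either comment, and the interfaces and addresses are hypothetical), here is what "NAT only" versus "NAT plus a bouncer" looks like as nftables rules on a Linux gateway. Assume eth0 is the WAN side, eth1 the LAN side with 192.168.1.0/24 behind it, and a web server at 192.168.1.10 that should be reachable on TCP 443. The first table does only what NAT does: rewrite addresses and redirect one port. The second table is the filter that actually decides whether a packet gets in.

```nftables
# Hypothetical gateway: eth0 is WAN, eth1 is LAN (192.168.1.0/24).

# Table 1: NAT only. Outbound LAN traffic is masqueraded behind the
# gateway's public address, and inbound TCP 443 is forwarded to the
# internal web server. Nothing here ever says "no": a packet the
# gateway can route is still forwarded, NAT just rewrites addresses.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "eth0" tcp dport 443 dnat to 192.168.1.10
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" masquerade
    }
}

# Table 2: the bouncer. Forwarded traffic is dropped by default; only
# replies to connections the LAN opened, LAN-originated traffic, and
# new connections to the one forwarded port are let through.
# DNAT has already happened in prerouting, so by the time a packet
# reaches the forward hook its destination is the internal address.
table ip filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "eth1" oifname "eth0" accept
        iifname "eth0" oifname "eth1" ip daddr 192.168.1.10 tcp dport 443 ct state new accept
    }
}
```

Load the whole file with `nft -f` after flushing the ruleset. Loading only the first table gives the "dinner party on a big block": hosts are hard to reach because their addresses are private, not because anything refuses them. The second table is the bouncer the reply is talking about, and it is what turns "only port 443 reaches 192.168.1.10" from a side effect of address rewriting into an enforced policy.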