[TriLUG] OT: Router vs Firewall, Was: OT: strange happenings - self booting server?
brian at strutmasters.com
Fri Apr 14 10:48:55 EDT 2006
Okay, since there's still a lot I have to learn, I'll ask the question:
What do you gain from having a firewall behind a NAT router with no port
forwards? Speaking only in terms of inbound protection, of course.

Obviously a firewall can filter traffic in both directions. Can one not
depend on a forwardless NAT router to simply drop all incoming
connection attempts? Are there packets, or methods of connecting, that
can somehow sneak through such a NAT setup and reach machines on the inside?

In all the networks I administer, firewall + router is the standard
operating procedure, so I'm just interested in more of the reasons why
it's a good idea (that is, I don't need any convincing to start doing it).

As always, both lengthy explanations and links to reading material are
appreciated equally. :-)

P.S. A Linux box with iptables configured on the "reject everything but
_____" principle counts as "good," right? :-)
Cristobal Palmer wrote:
> So the backstory is that we (Brian + Cerient) ate lunch, and I told
> Brian about this... *ahem* ...friend of mine who insisted to me that a
> router is always a firewall. When I say insisted, I mean he followed
> me after I'd gotten up and left the room. I mean he emailed me the
> next morning to follow up on his insistence.
>
> I... uhh... have some weird friends. Seriously though, get a good
> firewall everybody. The internets are dangerous.
>
> Vice-chair-ily yours,
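The "reject everything but _____" iptables box from the P.S., written out as an added example (this is not code from the thread or from either poster). It puts the Linux box in the router's seat, so the same ruleset shows what a "NAT router with no port forwards" does implicitly and what the firewall makes explicit: the nat table carries only a MASQUERADE rule and no DNAT, while the filter table's INPUT and FORWARD chains default to DROP and only admit connections the LAN side opened. With FORWARD left at ACCEPT, a router is relying on "no mapping exists" to discard unsolicited packets; with FORWARD DROP plus conntrack state, that is a stated policy instead. The interface names (eth0 WAN, eth1 LAN) and the 192.168.1.0/24 LAN are assumptions for the example, not from the post.

```shell
#!/bin/sh
# Added example, not from the TriLUG thread: a default-deny iptables ruleset
# in iptables-restore format for a Linux box that is itself the NAT router.
# Assumed (hypothetical) topology: eth0 faces the WAN, eth1 faces the LAN,
# LAN hosts live in 192.168.1.0/24.
WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24

# Print the ruleset. Nothing is applied until it is piped to iptables-restore.
gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Source-NAT LAN traffic leaving via the WAN interface. There is no DNAT
# rule at all, which is the "forwardless" NAT router of the question.
-A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
COMMIT
*filter
# Default-deny for traffic to the box (INPUT) and through it (FORWARD).
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Management of the router only from the LAN side: ssh and ping.
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
# Routed traffic: the LAN may open new connections outbound; the WAN side
# may only continue connections the LAN initiated. Anything else, including
# a packet from the WAN segment addressed straight to a LAN host, is dropped
# here rather than being left to the absence of a NAT mapping.
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD-DROP: "
COMMIT
EOF
}

# Sanity checks on the generated text, so a slip in the policy lines is
# caught before anything reaches the kernel. Returns 0 when the ruleset is
# default-deny on both chains and contains no port forward.
check_ruleset() {
    rules=$(gen_ruleset)
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
    if printf '%s\n' "$rules" | grep -q -- '-j DNAT'; then
        return 1
    fi
    return 0
}

# Apply only when explicitly asked, as root:  sh firewall.sh apply
# Otherwise just print the ruleset for review.
if [ "$1" = "apply" ]; then
    check_ruleset || { echo "ruleset failed sanity check" >&2; exit 1; }
    gen_ruleset | iptables-restore
else
    gen_ruleset
fi
```

Run it without arguments to review the rules; `sh firewall.sh apply` loads them atomically with iptables-restore, which replaces the whole table set at once so there is no window with a half-built policy. The `-m limit` guard on the LOG rules keeps a scan from flooding syslog.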