First of all, for the purists: I apologize for this simplified explanation of what firewalls are. I guess we could start a very long thread about firewalls and NATs, but the idea is to give a (somewhat) short answer (maybe over-simplified) to some short questions asked by Simon Woodside (see bottom).

-------------

There is not ONE firewall. A firewall is not a product, it's more like a concept. The idea of a firewall is to build a protecting wall between an external (public) network and an internal (private) network, by granting or denying incoming/outgoing packets based on specified/configured rules/policies.

In the real world, there are different kinds of firewalls. Compared to the OSI or TCP/IP layers, firewalls can work at different layers. There are mainly:

1. packet filters (analyze the IP packet and identify the IP addresses and port numbers, then apply a set of rules),
2. circuit level gateways (work mainly at the session layer, by identifying flows of data and established connections),
3. application level gateways or proxies (application specific: http, ftp, telnet, ... with possible extended features, like caching possibilities, logging of user activity, ...), and
4. stateful inspection firewalls (more recent, combinations of types 1., 2. and 3., more performant than 1. and 2., less complex than 3.).

A simple router, using access lists based on the IP addresses, analyzing each packet one by one, is a basic firewall of type 1. A more advanced device, able to identify "conversations", "sessions", is a bit more advanced firewall of type 2. A complex piece of software, configured to analyze the addresses, the port numbers, the protocols in use, possibly the contents of the application data, is a very complex firewall of type 3.

A basic router (not a firewall) will "transparently" interconnect different networks, maintain routing tables, and advertise those tables to its neighbors. A NAT will "mask" the internal addresses, only maintain its own private translation table, and not transmit it to any other device.

A Network Address Translator will usually translate "n" public, official IP addresses into "n" private, internal IP addresses and keep the current port numbers unchanged. A Network Address and Port Translator will usually translate ONE public, official IP address into SEVERAL private, internal IP addresses by translating the external port numbers to correspond to the different internal combinations of <network address + port> (external packets will only transport ONE IP address - the public, official one). Pure NATs will only translate network addresses. PATs and NAPTs will translate port numbers, too. In no case will any of them translate the protocols - that would prevent clients and servers from understanding each other (a web client with a telnet server, etc.).

NATs will mask the internal addresses from outside view, but won't use policies, control the traffic, perform authentication, or prevent spoofing: NATs ARE NOT FIREWALLS!!! On the other hand, circuit level gateways and application level gateways transparently perform address translation!!! The addresses of the internal, private network are masked from outside view! Packet filters and stateful inspection firewalls don't translate IP addresses and port numbers.

So, in short:

1/ a NAT is not equal to a firewall, it's not a firewall! Some firewalls DO perform Network Address Translation, but NATs DO NOT perform firewalling!

2/ the main, primary purpose of a NAT is to use a limited set of public (external) IP addresses and make them correspond to a wider range of private (internal) IP addresses, in order to make savings, either in terms of IPv4 addresses, or because it's simply cheaper than buying several public IPv4 addresses.

Now, the fact that masking the internal addresses to the external world - so that internal hosts can initiate traffic to the outside, but no external host can initiate traffic to the inside - brings some basic security is an interesting corollary, but not the primary objective of a NAT.

Hope this helps. And sorry again for the purists. ;)

E.T.
ICT Consultant and Trainer.
Member of IEEE, IPv6 Task Force, ISOC, PIR.

=>-----Original Message-----
=>From: owner-ietf@ietf.org [mailto:owner-ietf@ietf.org] On
=>Behalf Of S Woodside
=> (...)
=>
=>This sounds like you are equating a NAT box with a firewall, which
=>seems to be common.
=>
=>I would like to know:
=>- Is a NAT box a protocol enforcement point?
=>- is it an EFFECTIVE protocol enforcement point?
=>- is a NAT a firewall? (many people seem to think it is ...)
=>- is a firewall a protocol enforcement point? (yes)
=>- does a protocol enforcement point, have to include a NAT?
=>- does an EFFECTIVE one have to include a NAT?
=>- is it even EASIER to enforce protocol issues with a NAT as
=>opposed to
=>other means?
=>
=>simon (...)
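The distinction the message above draws (a NAPT keeps a translation table and drops unsolicited inbound packets only because no mapping exists, whereas a type 1 packet filter applies an explicit rule set) is easy to see in a small simulation. The following is an added example written for this page, not code from the original poster or from any NAT or firewall product; the addresses, ports and rules are constructed values, and the port allocation scheme (sequential external ports starting at 40000) is an assumption, not how any particular device behaves.

```python
"""Toy NAPT translation table next to a toy stateless packet filter.

Added illustration, not from the original message. All IP addresses, ports
and rules are constructed for the example; sequential external port
allocation is an assumption made to keep the code short.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Napt:
    """ONE public address shared by SEVERAL private hosts.

    Outbound flows get a fresh external port and a table entry; inbound
    packets are rewritten only when a matching entry exists. No policy is
    consulted: an unsolicited inbound packet is dropped purely because the
    table has no row for it, which is the 'corollary' security of a NAT.
    """

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port  # assumed sequential allocation
        # (proto, private ip, private port) -> external port
        self.outbound: Dict[Tuple[str, str, int], int] = {}
        # (proto, external port) -> (private ip, private port)
        self.inbound: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        ext_port = self.outbound.get(key)
        if ext_port is None:
            ext_port = self.next_port
            self.next_port += 1
            self.outbound[key] = ext_port
            self.inbound[(pkt.proto, ext_port)] = (pkt.src_ip, pkt.src_port)
        # Only the address and port are rewritten; the protocol is untouched.
        return Packet(self.public_ip, ext_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        target = self.inbound.get((pkt.proto, pkt.dst_port))
        if target is None:
            return None  # no mapping: dropped by lack of state, not by a rule
        priv_ip, priv_port = target
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.proto)


@dataclass(frozen=True)
class Rule:
    """One access-list entry; a None field matches anything."""
    action: str  # "permit" or "deny"
    proto: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dst_ip is None or self.dst_ip == pkt.dst_ip)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


def packet_filter(rules: List[Rule], pkt: Packet) -> str:
    """Type 1 firewall: first matching rule wins, implicit deny at the end."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


if __name__ == "__main__":
    napt = Napt("203.0.113.5")
    # Two private hosts using the same source port get distinct external ports.
    a = napt.translate_outbound(Packet("192.168.0.10", 51000, "198.51.100.7", 80))
    b = napt.translate_outbound(Packet("192.168.0.11", 51000, "198.51.100.7", 80))
    print("outbound:", a, b)
    print("reply   :", napt.translate_inbound(Packet("198.51.100.7", 80, "203.0.113.5", 40000)))
    print("unsolicited:", napt.translate_inbound(Packet("198.51.100.9", 12345, "203.0.113.5", 22)))
    acl = [Rule("permit", proto="tcp", dst_port=80), Rule("deny")]
    print("filter:", packet_filter(acl, Packet("198.51.100.9", 4444, "192.168.0.10", 80)))
```

Run as a script it prints the two rewritten outbound packets, the reply mapped back to the first private host, `None` for the unsolicited inbound packet, and `permit` for the filtered web packet. The point to notice is that the NAPT never consults a rule at all: the moment a private host opens a flow, the table entry exists and the corresponding inbound packets are let through, which is why the message calls its protection a corollary rather than a policy.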