[SLUG] NAT, Packet inspection and Routing -- WAS: WRT54G

From: Bryan J. Smith (b.j.smith@ieee.org)
Date: Thu Nov 04 2004 - 05:51:43 EST


On Wed, 2004-11-03 at 09:36, Jeff wrote:
> Is this the part where everyone else jumps in with the " and NAT isn't a
> firewall either" bit now? ;)

Even these $50 boxes do _both_ 1-to-many NAT _and_ some basic, "deny all
incoming," "stateful" packet inspection (firewall) rules. Since most
are Linux 2.4-based with IPTables built-in, they are quite capable of
doing enough.

Calling NAT "firewalling" is more of a Microsoft-only thing now. I.e.,
NT5.x (2000, XP, 2003) only has simple, "stateless" packet inspection
(firewalling) and has absolutely _no_ capability to do many-to-1 NAT
(destination NAT).

The lack of DNAT is why Windows solutions are losing to Linux solutions
in a variety of implementations. Ask Tony Awtrey of I.D.E.A.L. in
Orlando about their contract with the IEEE for Internet A/V streaming.
I especially love his cheap notebook outclassing a 4-way, Windows Server
2003 (beta at the time) setup in the middle of an IEEE conference. It
was not about power but about the inherent limitations of the NT5.x kernel.

Long story short, it has to do with the fact that NT5.x is not capable
of true NAT/PAT, more like older IPChains, which could only do
masquerading. IPTables (which was also available even for kernel 2.2,
just not in the stock version, over 6 years ago) has full NAT/PAT
capabilities. Linux 2.4 also has the new IPRoute2 subsystem, which
offers more "true" kernel-based router facilities (although some dynamic
routing capabilities are still left to user-space for good reasons).

-- 
Bryan J. Smith                                  b.j.smith@ieee.org 
------------------------------------------------------------------ 
"Communities don't have rights. Only individuals in the community
 have rights. ... That idea of community rights is firmly rooted
 in the 'Communist Manifesto.'" -- Michael Badnarik
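For readers who want to see what "both NAT and stateful deny-all-incoming rules" looks like on a Linux 2.4 / IPTables box of the kind the post describes, here is an added example (not from the original message and not any vendor's firmware). The interface names (eth0 WAN, eth1 LAN), the 192.168.1.0/24 prefix and the forwarded port/host are assumptions for illustration. The function only prints the iptables commands, so it runs anywhere; pipe its output to sh as root on a real router to apply it.

```shell
#!/bin/sh
# Added example: a minimal consumer-router ruleset built from three parts
# the post distinguishes: stateful "deny all incoming" filtering (the
# firewall), many-to-1 source NAT (masquerading), and optional DNAT
# (port forwarding), which is the piece the post says NT5.x lacks.
# Everything here is printed, not applied (dry run).

gen_router_rules() {
    wan="$1"        # assumed: eth0, the ISP-facing interface
    lan="$2"        # assumed: eth1, the inside interface
    lan_net="$3"    # assumed: 192.168.1.0/24
    dnat_port="$4"  # optional: TCP port to expose on the public IP
    dnat_host="$5"  # optional: internal host that receives it

    cat <<EOF
# --- start from a clean slate with deny-by-default policies ---
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# --- firewall part: stateful, deny all unsolicited incoming traffic ---
# Replies to connections we started are let back in; nothing new from WAN.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $lan -s $lan_net -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT

# --- NAT part: many-to-1 source NAT (masquerading) behind one public IP ---
iptables -t nat -A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
EOF

    # DNAT is separate from masquerading: it rewrites the destination of
    # inbound packets, and the FORWARD chain must still permit them, since
    # the policy above drops everything new arriving on the WAN side.
    if [ -n "$dnat_port" ] && [ -n "$dnat_host" ]; then
        cat <<EOF

# --- DNAT part: expose one internal service through the public IP ---
iptables -t nat -A PREROUTING -i $wan -p tcp --dport $dnat_port -j DNAT --to-destination $dnat_host:$dnat_port
iptables -A FORWARD -i $wan -o $lan -p tcp -d $dnat_host --dport $dnat_port -m state --state NEW -j ACCEPT
EOF
    fi

    cat <<EOF

# --- routing: turn forwarding on only after the rules are in place ---
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# Helper for checking a generated ruleset: number of iptables commands.
count_rules() {
    gen_router_rules "$@" | grep -c '^iptables '
}

# Demo run: NAT + stateful filter, plus TCP/80 forwarded to an inside host.
gen_router_rules eth0 eth1 192.168.1.0/24 80 192.168.1.10
```

The ordering matters in the way the post hints at: the `-P ... DROP` policies are what make the box a firewall rather than just a NAT device, and the DNAT rule alone does nothing useful until the matching FORWARD accept exists, because the filter and NAT tables are evaluated independently.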

----------------------------------------------------------------------- This list is provided as an unmoderated internet service by Networked Knowledge Systems (NKS). Views and opinions expressed in messages posted are those of the author and do not necessarily reflect the official policy or position of NKS or any of its employees.



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 16:27:17 EDT