NAT as Firewall

[theCheetah]

I installed a router having NAT as a firewall, connecting to internet through cable modem. I am planning to open up port 21 of the router and run a personal ftp server. How safe am I? Do I need to run any special firewall software on my PCs?

 

[Carceri]

You are mixing things up. NAT has nothing to do with firewalling. NAT is a technology used to have a local IP address on your private network and the router has one or more global IP adresses assigned to it. It then translates between those two. Also with a small modification you can use several computer behind just one global IP address.

A packet filtering firewall blocks data to certain ports.

What I'm guessing your setup is (at least the way I would set it up if I had to) would be to run NAT on your router and assign a private IP address to your PC (that is probably already the case). The router should not forward any packets to your PC unless they are a response from a server your PC contacted (the router will keep track of this).

Now, to use FTP you need the router to forward port 21 to your machine, that's all.

How safe are you: That depends on the FTP server. If you use a well tested server and keep track of security problems and apply patches you should be pretty safe, since the FTP server will be the only access point into your PC. I would still recommend installing some kind of application level firewall on your PC (such as Tiny Personal Firewall) to keep track of outgoing connections, since the router will just allow all traffic to go out. You should only allow the programs that you use to access the network.

 

[pm]

<< You are mixing things up. NAT has nothing to do with firewalling. >>

Inexpensive router manufactures (Linksys, Dlink, etc.) have been advertising that NAT acts like a firewall which has led to confusion about what firewalls are. OTOH, NAT can be considered a form of firewall. To me a firewall is something that secures one network from access by another and NAT does this.

 

[Carceri]

<< To me a firewall is something that secures one network from access by another and NAT does this. >>


Well, NAT can't do this alone, it needs to run on some device. That device could be (and normally is) a firewall and NAT is one of the tools the firewall can use to do it's job (just as it can filter packets, establish VPN connections, etc.)

But what people choose to call a firewall depends probably on what they are used to. I would not call my ADSL router a firewall, but merely a router with very limited packet filtering capabilities, but the SonicWALL we use at work is a real firewall IMHO

 

[CTho9305]

I use a p200mmx, win98se + ics. there is a 3rd party tool you can use to forward ports so you can run servers on the backend... search for "ics configuration" on google.

 

[Carceri]

This is done through the Windows registry, although there are programs that will make this task easier.
Have a look at http://www.practicallynetworked.com/sharing/ics/icsconfiguration.htm

 

[QTPie]

Yes, you can implement NAT as firewall when you setup your private network behind the router. It's pretty safe.

Let's say your public IP is 64.36.153.48. Using your router with NAT enable, you can assign your PCs with IP 192.168.100.2 and 192.168.100.xxx (subnet mask= 255.255.255.0 and gateway= 64.36.153.48) Then all your PCs are not visible from the outside. Therefore, ppl cannot access to your PCs.
But if you want to setup your FTP server, you can only access to it from the outside of your network when you assign it your public IP address (from ISP, 64.36.153.48 in this case). I use Serv-U FTP server. It's free for 45 days. and you can set all access rights to your files (you might want to set it as read-only)