Summary

NAPT can be considered a one-way valve for conversations, permitting only those which are initiated by the computers behind it. The only inbound traffic which can traverse NAPT is that which is part of an internally initiated conversation ("solicited traffic"). This is similar to the effect of a stateful firewall.

The most obvious implication of using NAPT is that connections from the Internet to the private network are impossible!* In fact, unlike with simple packet filters, the passing of any unsolicited traffic from an external host to the private network is prevented. Unsolicited packets are those which are not part of a conversation initiated by a private host.

Obviously, sending packets to private addresses across the Internet will fail because Internet routers do not have private routes in their tables, and they will, therefore, discard the packets. Sending packets to the global address of the NAT router cannot succeed either -- the packets would not be part of any conversation recorded in the NAT table, the addresses/ports could not be translated and the packet would be discarded. NAT can be considered a one-way valve for conversations.

This is a very similar effect to that of a stateful firewall configured to "block everything," in that packets which are not part of internally initiated conversations are ignored. Indeed, a stateful firewall has the equivalent of a NAT table, called a "state table."

This "feature" of NAT means that any traffic from an external host which makes it to a private host is, by definition, "return traffic," i.e. part of a conversation initiated by that host.

You may question how ICMP error messages (TTL exceeded, destination unreachable, etc.) make it to private hosts -- after all, they aren't part of an outbound conversation and would appear to be unsolicited. The answer is that ICMP error messages include the header of the packet that caused their generation as data. When the device receives an ICMP error message, it looks at the packet header in the data portion of the message to determine which conversation (if any) the message is related to and translates and forwards (or drops) it accordingly.

*Well... not quite, see here.
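The following is an added example, not part of the original FAQ entry: a small Python model of the NAT table described above. It shows the three behaviours the text explains, i.e. an outbound packet creating a table entry, a reply being translated back only because it matches that entry, an unsolicited packet being dropped, and an ICMP error message being matched by the packet header it carries as data. The class and method names, the address ranges (taken from the RFC 5737 documentation blocks) and the port numbers are all assumptions chosen for the illustration; the table is keyed on the full conversation, the way a stateful firewall's state table is.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample values: the router's global address and a private host behind it.
PUBLIC_IP = "203.0.113.1"
PRIVATE_HOST = "192.168.1.10"


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp-error"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    # For ICMP error messages: the header of the packet that triggered the error,
    # carried as data, exactly as it looked when it left the NAT router.
    inner: Optional["Packet"] = None


class Napt:
    """Hypothetical NAPT device: a NAT table that only inbound 'return traffic' can pass."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, priv_ip, priv_port, ext_ip, ext_port) -> public source port
        self.table: dict = {}
        # (proto, public_port, ext_ip, ext_port) -> (priv_ip, priv_port)
        self.reverse: dict = {}

    def outbound(self, pkt: Packet) -> Packet:
        """A private host starts (or continues) a conversation: record it, rewrite the source."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.table:
            port = self.next_port
            self.next_port += 1
            self.table[key] = port
            self.reverse[(pkt.proto, port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, self.table[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet translated for the private host, or None if it is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None  # not even addressed to us
        if pkt.proto == "icmp-error":
            # Match on the embedded header, not on the outer ICMP packet itself.
            inner = pkt.inner
            if inner is None or inner.src_ip != self.public_ip:
                return None
            key = (inner.proto, inner.src_port, inner.dst_ip, inner.dst_port)
            if key not in self.reverse:
                return None  # relates to no conversation we know: drop
            priv_ip, priv_port = self.reverse[key]
            # Forward to the private host and un-translate the embedded header too.
            return Packet("icmp-error", pkt.src_ip, 0, priv_ip, 0,
                          inner=Packet(inner.proto, priv_ip, priv_port, inner.dst_ip, inner.dst_port))
        key = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key not in self.reverse:
            return None  # unsolicited: no conversation in the NAT table
        priv_ip, priv_port = self.reverse[key]
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def demo():
    """Run the scenarios from the text and return their outcomes (None means dropped)."""
    nat = Napt(PUBLIC_IP)
    web = "198.51.100.7"
    out = nat.outbound(Packet("tcp", PRIVATE_HOST, 51000, web, 80))
    reply = nat.inbound(Packet("tcp", web, 80, PUBLIC_IP, out.src_port))
    # Unsolicited connection attempt to the router's global address.
    unsolicited = nat.inbound(Packet("tcp", "198.51.100.9", 4444, PUBLIC_IP, 22))
    # Right public port, but from a host that is not part of the recorded conversation.
    wrong_peer = nat.inbound(Packet("tcp", "198.51.100.9", 4444, PUBLIC_IP, out.src_port))
    # ICMP error from an intermediate router, carrying the header of our outbound packet.
    icmp_ok = nat.inbound(Packet("icmp-error", "198.51.100.1", 0, PUBLIC_IP, 0, inner=out))
    # ICMP error whose embedded header matches no conversation in the table.
    icmp_bad = nat.inbound(Packet("icmp-error", "198.51.100.1", 0, PUBLIC_IP, 0,
                                  inner=Packet("tcp", PUBLIC_IP, 40001, web, 80)))
    return out, reply, unsolicited, wrong_peer, icmp_ok, icmp_bad


if __name__ == "__main__":
    for name, result in zip(("out", "reply", "unsolicited", "wrong_peer", "icmp_ok", "icmp_bad"), demo()):
        print(f"{name}: {'DROPPED' if result is None else result}")
```

Running the script prints the outbound packet rewritten to the router's global address, the reply delivered back to 192.168.1.10:51000, both unsolicited packets dropped, the well-formed ICMP error forwarded with its embedded header un-translated, and the ICMP error that matches no table entry dropped.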
by Nick8 | |||||
Saturday, 11-Feb 11:52:02 | © 1999-2012 dslreports.com.