10-17-2007, 12:54 AM
Unruh
Re: How did they get past my NAT?

Leythos <void@nowhere.lan> writes:

>In article <gGOQi.14414$G25.13546@edtnps89>, unruh-spam@physics.ubc.ca
>says...
>> "Sebastian G." <seppi@seppig.de> writes:
>>
>> >> It is certainly true that a firewall can be a slightly less blunt
>> >> instrument, and can reject or accept more subtly than a NAT router can, but
>> >> IF that router is set up not to do any port forwarding, then it is also a
>> >> firewall set up to reject all incoming connections.
>>
>> >There are two major differences:
>>
>> >1. NAT is not designed to work as a security solution.
>> >2. Depending on the implementation, it might forward the connection anyway
>> >without any explicit rule.
>>
>> So might an incompetent firewall. A competently implemented NAT does work
>> as a firewall IF set to not forward any unsolicited packets.
>> Of course you have to decide if your particular NAT is a competent
>> implementation. However if you punch holes (have it forward ports) all
>> bets are off.


>No, you don't have to decide, there are quality groups, CERT for one,
>that can test and tell us if they pass the proper test to be qualified
>as a firewall. NAT is not a firewall function, it is often included in
>firewalls, but it is not a firewall function.



The question was not whether NAT was a firewall function but whether NAT
with no port holes punched through was effectively a firewall allowing no
unsolicited incoming traffic.

Is there a way in which a NAT router, with no holes punched through, is
more insecure than a firewall which rejects all unsolicited incoming
traffic? If you claim it is more insecure, please tell us why.

