Turning NAT off, what else does it affect?

Started by Jamoe, May 02, 2005, 10:42:56 AM

Jamoe

Hi All,

I've had a thread going on Hi-V forums trying to get a web server accessible over the net. I have turned NAT off and all my machines have their own IPs for internet access.

Does this mean that my router firewall is no longer in use? Or is it still filtering?

I haven't got time at the moment to make sense so I'll probably be back later to try again :)

IP for web server http://84.45.6.196/ (my windows machine is .194)

EDIT: I've turned NAT back on as port scans showed the machine was a tad open :S.

tugs

It doesn't necessarily mean that your firewall isn't doing anything, but once you remove NAT, you lose the (excuse me while I laugh my pants off) "NAT Firewall".

What that means is that on the outside interface, ports only pass traffic to an internal machine if either (a) an internal machine started an outbound conversation that ended up sourced from that port after outbound NAT, or (b) you added a static NAT entry to redirect incoming traffic on that port to an internal machine.

Your firewall, unless it's a piece of dog poo, should be protecting you against typical attacks. However, once you turn NAT off, many cheaper DSL-type routers turn out to have a totally shite firewall.

Are you open? You shouldn't be if the firewall is up to scratch. But if it's only providing defence through NAT, then yes you are.

Of course, you could just create a static NAT for your web traffic on port 80...
tugs
CCIE, MCSE, GIT, LIAR, FOOL
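
The inbound behaviour described in the post above, as an added example that is not part of the original thread: a toy model of a router's decision for an incoming packet with NAT on (cases (a) and (b)) and with NAT off. The `Router` class, the `exposure` helper, the matching on remote address and all addresses (documentation ranges) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Router:
    """Toy inbound-decision model; not any vendor's real logic."""
    public_ip: str
    nat_enabled: bool = True
    default_deny: bool = False  # assumption: with NAT off, no packet filter unless set
    static_nat: dict = field(default_factory=dict)   # public port -> (host, port)
    dynamic_nat: dict = field(default_factory=dict)  # public port -> (host, port, remote)
    allow_rules: set = field(default_factory=set)    # (host, port) allowed when NAT is off
    next_port: int = 40000

    def outbound(self, host, sport, remote):
        """Case (a): an inside host starts a conversation; the mapping is recorded."""
        if not self.nat_enabled:
            return sport  # routed unchanged, nothing to remember
        port, self.next_port = self.next_port, self.next_port + 1
        self.dynamic_nat[port] = (host, sport, remote)
        return port

    def inbound(self, remote, dst_ip, dport):
        """Return the (host, port) a packet is delivered to, or None if dropped."""
        if self.nat_enabled:
            if dst_ip != self.public_ip:
                return None
            if dport in self.static_nat:  # case (b): static NAT entry
                return self.static_nat[dport]
            entry = self.dynamic_nat.get(dport)
            # assumption: replies are accepted only from the remote first contacted
            if entry and entry[2] == remote:
                return entry[:2]
            return None  # no mapping, so there is no inside host to hand it to
        # NAT off: every host is directly addressable; only filter rules can drop
        if self.default_deny and (dst_ip, dport) not in self.allow_rules:
            return None
        return (dst_ip, dport)

def exposure(router, hosts, ports, remote="198.51.100.7"):
    """List (dst_ip, port) pairs that an unsolicited packet from remote reaches."""
    return [(h, p) for h in hosts for p in ports
            if router.inbound(remote, h, p) is not None]

if __name__ == "__main__":
    ports = [22, 80, 139, 445]  # constructed sample
    nat = Router("203.0.113.1", static_nat={80: ("192.168.1.10", 80)})
    print("NAT on :", exposure(nat, ["203.0.113.1"], ports))
    flat = Router("203.0.113.1", nat_enabled=False)
    print("NAT off:", exposure(flat, ["203.0.113.10", "203.0.113.11"], ports))
```

With NAT on, only the statically forwarded port answers; with NAT off and no filter rules, every port on every host is reachable, and a default-deny ruleset with a single allow rule brings the exposure back to the web port.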

Jamoe

OK, cheers tugs.

I have turned NAT back on. While I was at work I tested:

http://84.45.6.196/ - does nothing

http://84.45.5.70/ - appears to point to my Apache web server.

For some reason when I use 84.45.5.70 from inside my network I get the router's interface and not the Apache test page. I'll have to try again when I get home :)

It appears to work now.

cheers Tugs

Liberator

Ooer, if that's the case and you haven't set up your own NAT it may be because your router is UPnP enabled.

This basically allows your PC to dynamically open up ports and NATs through the router, although this should be visible as a UPnP device on your network settings.

Not sure if Fedora has UPnP capabilities (just connected to your Apache server). I run Fedora on one of my PCs and sometimes fire up webservers and a Source server, but I have to set up a NAT to allow the tunneling and have UPnP turned off.

If a UPnP device is not there then ignore my ramblings.

If it is, then you should read up on UPnP, it can be very dangerous and most of the security sites say to turn it off and stick with manual configs.

The best site to visit is GRC although he specialises in Windoze.

Also, judging by your IP range, you appear to be allocating real IPs on your network instead of private ones, but from your testing you have proved that the router is handling the calls so this doesn't seem to have any bearing on it.

Blunt

Blimey!

I'm sort of glad that I didn't understand a word of this thread :blink:

:huh:
Regards
Blunt

People who blow things out of proportion are worse than Hitler.

Jamoe

UPnP was turned on, although this wasn't me, must have been default. Turned off now anyhow.

I think the firewall is set up to take inbound requests to the http://84.45.5.70/ IP on port 80 and bung them to the web server. It doesn't do that with requests from inside the network, which the router must see as outbound or maybe not even that. At least that's what I am seeing.

I can use the internal network IP to see it from my PC. As long as it can be seen from outside the network I'm happy.

@ Blunt :)

Don't worry matey, I don't understand any of this at the level these boys do, I just work on trial and error until it does what I want :) but I guess that's where a lot of people start to get familiar with the subject before you can really get to understand it (that might just be me).