TCP Gargling

I’m getting myself all confused regarding firewalls, NAT and port forwarding. This is annoying, as I thought I understood it all. I’m going to write it all out as hopefully that’ll help clarify things for me. As I currently understand it:

NAT enables computers with non-public IP addresses to share a limited range of public IP addresses. Here’s the process:

  • A LAN-side computer wants to communicate with the WAN, so sends a packet to the router
  • The NAT in the router looks at this packet, determines that it is to the WAN, so changes the sender’s (private) IP address to the router’s (public) IP address
  • The NAT also changes the ‘Generic ID’ TCP/IP header to a unique 16-bit number and assigns this to a private IP address on the local network.
  • The router then sends the packet off into the wild blue yonder (literally, in my case)
  • When the router receives a reply, it checks the ‘Generic ID’ header (which the other computer keeps intact), finds the 16-bit number, matches this with the private IP address and sends the packet to the appropriate port on the local computer.

All well and good. Port forwarding comes into play when a LAN-side computer wants to act as a server i.e. it receives unsolicited packets. Now normally the router would receive these packets, find no matching ‘Generic ID’ and ditch them. But if you set up port forwarding you can say ‘all packets to port 33445 should be forwarded to computer with IP address x.x.x.x’.

To deal with the above problem there’s something called ‘UPnP NAT’, which understands servers. While various routers and Windows XP support this, I don’t really know what layer of the OSI network model it’s on. Do applications have to support it directly? Anyway, that’s not too important…hopefully.

A firewall is basically anything that filters packets in some way. A NAT is a firewall.

Currently in our office we have a server which serves out the internet connection via ICS. This works very well, but the firewall configuration on the server is getting increasingly complicated, especially with Norton’s total paranoia, and I’d like to move the internet connection sharing to a hardware router. I’m looking at the Linksys WRT54GS which includes a ‘powerful SPI firewall’ (unlike the WRT54G – but they’re the same price anyway). This will filter packets based on various options you can control, including packet content, ports etc.

Let’s say I want to run a web server on my computer. Do you think that I have to ‘open’ port 80 through the firewall, then configure port forwarding to send all the packets to my computer? I’d guess not…I would imagine that the firewall is all linked into port forwarding and the NAT system, so setting up the port forwarding would sort it all out automatically. What about if l33t haX0r 3d tries to communicate with the router on port 21…will the port appear ‘closed’ or not to be there at all? Not that it matters all that much – afaik unless problems are found in the TCP/IP stack closed ports are pretty much a solid wall. So I don’t care all that much about that.

Ok, next issue. City of Heroes needs, amongst others, ports 6994 and 2104 ‘open’. Is there a way to simply open these without having them forwarded anywhere? Just so that they don’t get rejected automatically? Thinking about it, this shouldn’t be an issue. Unlike the current Norton firewall, ‘unused’ ports aren’t just blocked no matter what, and any packets received on these ports should have been requested by me, so the NAT should handle them. Probably.
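To make the two questions above concrete (why a game client’s ports need no forwarding, and why a server’s do), here is a small simulation of the translation table a NAT router keeps. This is an added example, not code from the post or from Linksys; the IP addresses and the 40000+ port range are constructed, and the table is keyed on the rewritten TCP source port, which is the 16-bit field a NAT/PAT router actually uses for the job the post calls the ‘Generic ID’. Reply traffic for a flow the LAN started is translated back; unsolicited traffic is dropped unless a port-forwarding rule names its destination port.

```python
"""Toy NAT/PAT router with port forwarding (constructed example, not vendor code)."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Constructed addresses: documentation ranges for the WAN side, RFC 1918 for the LAN.
ROUTER_WAN_IP = "203.0.113.10"
PC_LAN_IP = "192.168.1.20"
GAME_SERVER_IP = "198.51.100.7"
UNKNOWN_HOST_IP = "198.51.100.99"

# A flow as seen from the LAN: (lan ip, lan port, remote ip, remote port).
Flow = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NaptRouter:
    """Rewrites outbound flows to the WAN address and a unique WAN port,
    remembers them, and admits inbound packets only when they answer a
    remembered flow or match an explicit port-forwarding rule."""

    def __init__(self, wan_ip: str,
                 forwards: Optional[Dict[int, Tuple[str, int]]] = None) -> None:
        self.wan_ip = wan_ip
        self.forwards = dict(forwards or {})    # WAN port -> (LAN ip, LAN port)
        self.by_wan_port: Dict[int, Flow] = {}  # translation table, one row per flow
        self.by_flow: Dict[Flow, int] = {}      # reverse index so a flow reuses its port
        self.next_port = 40000                  # constructed start of the port pool
        self.dropped: List[Packet] = []         # what a logging firewall would record

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: replace the private source with the router's address/port."""
        flow: Flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        wan_port = self.by_flow.get(flow)
        if wan_port is None:
            wan_port = self.next_port
            self.next_port += 1
            self.by_wan_port[wan_port] = flow
            self.by_flow[flow] = wan_port
        return replace(pkt, src_ip=self.wan_ip, src_port=wan_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: deliver replies and forwarded ports, drop everything else."""
        flow = self.by_wan_port.get(pkt.dst_port)
        # A reply must come from the same remote host and port the LAN talked to.
        if flow is not None and (pkt.src_ip, pkt.src_port) == (flow[2], flow[3]):
            return replace(pkt, dst_ip=flow[0], dst_port=flow[1])
        rule = self.forwards.get(pkt.dst_port)
        if rule is not None:
            return replace(pkt, dst_ip=rule[0], dst_port=rule[1])
        self.dropped.append(pkt)
        return None


def game_client_scenario():
    """No forwarding rule: the client's own request opens the way for the reply,
    but a stranger sending to the same game port gets nothing."""
    router = NaptRouter(ROUTER_WAN_IP)
    out = router.outbound(Packet(PC_LAN_IP, 51000, GAME_SERVER_IP, 6994))
    reply = router.inbound(Packet(GAME_SERVER_IP, 6994, ROUTER_WAN_IP, out.src_port))
    probe = router.inbound(Packet(UNKNOWN_HOST_IP, 4444, ROUTER_WAN_IP, 6994))
    return out, reply, probe


def web_server_scenario():
    """Forwarding rule for port 80 only: unsolicited HTTP reaches the PC,
    unsolicited port 21 is dropped because nothing on the LAN asked for it."""
    router = NaptRouter(ROUTER_WAN_IP, forwards={80: (PC_LAN_IP, 80)})
    http = router.inbound(Packet(UNKNOWN_HOST_IP, 5555, ROUTER_WAN_IP, 80))
    ftp = router.inbound(Packet(UNKNOWN_HOST_IP, 5556, ROUTER_WAN_IP, 21))
    return http, ftp


if __name__ == "__main__":
    print("game client:", game_client_scenario())
    print("web server: ", web_server_scenario())
```

A real router also ages table rows out after a period of inactivity and may pick a WAN port equal to the LAN port when it is free; both are left out here so the two rules (remembered flow, or forwarding entry) stand out. Reading `router.dropped` is the equivalent of the firewall log entry you would expect for the port 21 probe.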

What worried me was that the WRT54G ‘only’ has space for 10 port forwarding entries (though you can set a range etc. in each). 10 doesn’t seem like very many. However, I’m not running any servers here all the time, and any game servers would only be temporary, so I think that should be enough. For a while I was confused and thought I’d have to set port forwarding for all games, but there’s no reason to do that, just like there’s no need to set up port forwarding for email / web access.

Ok, I think I’ve got it all figured out now. Sorry for the rambling post! I find that in networking you can’t afford to forget anything, as all the technologies are so interlinked you need a wide range of knowledge to understand how it all works.