Quote:
Originally posted by Pragma
NAT really isn't a firewall - it doesn't help the fact that you've got the machine unprotected - it just hides it behind another IP.
That's not entirely true. There IS no route to internal machines from outside, except for explicitly forwarded ports. NAT allows internal machines to connect out transparently by proxy, but there's no way for Code Red or anything else to make its way to a machine on the internal network.
The reason you'd want to do it with a little router rather than a whole machine running a firewall is because there's nothing to hack in a little router. If I can crack a firewall box, I'm in the internal network. I can't crack a little home router because there's not really any OS there to crack. I mean, there's an embedded OS there, but I couldn't pull a shell on it. What answers on the IP that my cable service assigns is a router that doesn't respond on any port (except for a couple I've explicitly forwarded).
None of my internal machines have firewalls of any kind, and I've never been touched by Code Red, Messenger pop-ups, or anything else like that.
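The behaviour the reply describes (no inbound path except through an explicit port forward, replies to outbound connections let back in) can be modelled with a small translation table. The following is an added illustration, not code from the thread or from any router vendor; the addresses are constructed documentation-range values, and the rule that a reply must come from the same remote endpoint the internal host contacted is a simplifying assumption (real devices vary in how strictly they filter).

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip address, port)


@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint
    proto: str = "tcp"


@dataclass
class NatRouter:
    """Toy model of a consumer NAT router (hypothetical, for illustration)."""
    public_ip: str
    next_port: int = 40000
    # internal (ip, port) -> public port allocated for that flow
    outbound: Dict[Endpoint, int] = field(default_factory=dict)
    # public port -> (internal endpoint, remote endpoint it talked to)
    reverse: Dict[int, Tuple[Endpoint, Endpoint]] = field(default_factory=dict)
    # explicit port forwards: public port -> internal endpoint
    forwards: Dict[int, Endpoint] = field(default_factory=dict)

    def send_out(self, pkt: Packet) -> Packet:
        """Translate a LAN-originated packet and remember the mapping."""
        if pkt.src not in self.outbound:
            self.outbound[pkt.src] = self.next_port
            self.next_port += 1
        port = self.outbound[pkt.src]
        self.reverse[port] = (pkt.src, pkt.dst)
        return Packet(src=(self.public_ip, port), dst=pkt.dst, proto=pkt.proto)

    def receive_in(self, pkt: Packet) -> Optional[Packet]:
        """Decide the fate of a packet arriving on the public side.

        Returns the packet as delivered inside, or None when it is dropped
        because no mapping gives it a route to an internal host.
        """
        if pkt.dst[0] != self.public_ip:
            return None
        port = pkt.dst[1]
        # 1. Explicit forward: delivered to the configured internal host,
        #    whoever the sender is. This is the one inbound path that exists.
        if port in self.forwards:
            return Packet(src=pkt.src, dst=self.forwards[port], proto=pkt.proto)
        # 2. Reply to a flow an internal host opened, from the same remote peer.
        if port in self.reverse:
            internal, remote = self.reverse[port]
            if pkt.src == remote:
                return Packet(src=pkt.src, dst=internal, proto=pkt.proto)
        # 3. Anything else has no mapping and therefore no internal route.
        return None


def demo():
    """Walk through the three cases from the discussion."""
    nat = NatRouter(public_ip="203.0.113.10")      # constructed public address
    nat.forwards[8080] = ("192.168.1.20", 80)      # one explicit forward

    # An internal host connects out; the reply is translated back to it.
    out = nat.send_out(Packet(("192.168.1.5", 51000), ("198.51.100.7", 80)))
    reply = nat.receive_in(Packet(("198.51.100.7", 80), out.src))

    # An unsolicited packet to the public address on port 80: no mapping, dropped.
    unsolicited = nat.receive_in(Packet(("198.51.100.9", 4444), ("203.0.113.10", 80)))

    # Traffic to the forwarded port does reach the internal web server.
    forwarded = nat.receive_in(Packet(("198.51.100.9", 4444), ("203.0.113.10", 8080)))
    return reply, unsolicited, forwarded


if __name__ == "__main__":
    for label, result in zip(("reply", "unsolicited", "forwarded"), demo()):
        print(f"{label:12s} -> {'dropped' if result is None else result.dst}")
```

The model makes the reply's point concrete: an inbound packet is delivered only where a table entry says to send it, so a scan of the public address finds nothing but the forwarded ports. It also shows the flip side the reply acknowledges, that every forwarded port is a real path to the internal host behind it, so whatever listens there is exposed exactly as it would be on a public address.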