Networking noob here. I want to prevent all incoming requests except through a specific port, and that traffic is forwarded to a specific device on the network. NAT seems to do that just fine, it’s almost like a kind of firewall by itself. What kind of threats are there that requires more than just NAT for security?

  • catloaf@lemm.eeEnglish
    0·
    4 months ago

    Modern firewalls are more than just network rules, they also inspect the traffic itself. For example, you might allow traffic to your web server, but you still don’t want people uploading zip bombs or attempting SQL injections. NAT won’t protect against those.

    (I’m sure someone will have better examples; those are just what came to mind.)

    • cron@feddit.deEnglish
      0·
      4 months ago

      This is true and typically called “Next Generation Firewall” or “Intrusion Prevention System”.

      However, these have three disadvantages:

      • They rely on signatures and many vendors only provide these with an active, costly subscription
      • They add complexity and possible error sources and false positives.
      • They require processing power and can easily reduce throughput by 90%.

      These systems are quite common in enterprise scenarios, but AFAIK the exception in home labs and selfhosting environments.