This strikes me as somewhat of a bonehead question, but it's something that's bothered me for a while:

Let's say I have DSL at home. Let's also say that I have a single public IP address, but my internal LAN uses private addressing. The DSL router performs some sort of NAT or PAT (probably PAT here). All my internal machines can reach the Internet through the DSL router, but when they come out, the source address is changed to the public address. The ports are managed by the router, so that it knows who's talking to whom, and can thus properly direct returning traffic.

Since someone from the outside accessing the router itself would be a bad idea, say I'm blocking that. Let's say it's managed by http, and I have a filter rule that prohibits anything but my private network from reaching port 80.

Now, for all intents and purposes, how vulnerable is my internal network? You can't start a connection with an internal system because you can't reach its IP address. Even if you did manage to hijack a session, of how much value would it really be? So it seems to me that if you use NAT/PAT, you don't need a real firewall unless you're actually permitting some kind of traffic to connect to something from the outside. Is that right?

-- Dee
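The mechanism the question describes, as an added example that is not part of the original post: a toy PAT router in Python with a translation table that is populated only by outbound traffic. It shows why an unsolicited inbound packet from the Internet has no LAN destination to go to, why a reply is delivered only when both the public port and the remote endpoint match an existing entry, and where the two things the poster mentions that do need explicit rules sit: the router's own management interface and any deliberate port forward. The addresses (RFC 5737 TEST-NET ranges for the public side, 192.168.1.0/24 for the LAN), the `PatRouter` class and its symmetric matching behaviour are all assumptions for illustration, not the behaviour of any particular DSL router.

```python
"""Toy PAT (port address translation) router: a translation entry exists only
because a LAN host sent something out, so unsolicited inbound traffic has
nowhere to be delivered. Hypothetical model, not real router code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed addresses: TEST-NET-3 (RFC 5737) for the public side, RFC 1918 for the LAN.
PUBLIC_IP = "203.0.113.10"
LAN_PREFIX = "192.168.1."
MGMT_PORT = 80  # the router's own HTTP management interface


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    """Symmetric PAT: an entry is created by outbound traffic and matched on the
    full (remote ip, remote port) pair on the way back."""

    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # public_port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.table: Dict[int, Tuple[str, int, str, int]] = {}
        # deliberate port forwards ("permitting some kind of traffic"): public_port -> (lan_ip, lan_port)
        self.forwards: Dict[int, Tuple[str, int]] = {}
        self.drops: List[Tuple[str, Packet]] = []  # (reason, packet) for everything discarded

    @staticmethod
    def is_lan(ip: str) -> bool:
        return ip.startswith(LAN_PREFIX)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN host -> Internet: rewrite the source to (public_ip, allocated port)."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, entry in self.table.items():  # reuse an existing mapping
            if entry == key:
                break
        else:
            pub_port = self.next_port
            self.next_port += 1
            self.table[pub_port] = key
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> router: deliver to the LAN only if something there asked for it."""
        if pkt.dst_ip != self.public_ip:
            return self._drop("not addressed to this router", pkt)
        if pkt.dst_port == MGMT_PORT and not self.is_lan(pkt.src_ip):
            # The filter rule from the question: only the private network may reach port 80.
            return self._drop("management filter: non-LAN source", pkt)
        entry = self.table.get(pkt.dst_port)
        if entry is not None:
            lan_ip, lan_port, remote_ip, remote_port = entry
            if (remote_ip, remote_port) == (pkt.src_ip, pkt.src_port):
                return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
            return self._drop("remote endpoint mismatch", pkt)
        if pkt.dst_port in self.forwards:  # a hole opened on purpose: this host IS reachable
            lan_ip, lan_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        return self._drop("no translation entry", pkt)

    def _drop(self, reason: str, pkt: Packet) -> None:
        self.drops.append((reason, pkt))
        return None


def demo() -> Dict[str, Optional[Packet]]:
    """Walk through the cases from the question with constructed traffic."""
    r = PatRouter()
    out = r.outbound(Packet("192.168.1.20", 51000, "198.51.100.5", 443))    # LAN host opens HTTPS
    reply = r.inbound(Packet("198.51.100.5", 443, PUBLIC_IP, out.src_port))  # the real reply
    spoof = r.inbound(Packet("198.51.100.99", 443, PUBLIC_IP, out.src_port)) # same port, wrong remote
    probe = r.inbound(Packet("198.51.100.99", 1234, PUBLIC_IP, 22))          # unsolicited inbound
    mgmt = r.inbound(Packet("198.51.100.99", 1234, PUBLIC_IP, MGMT_PORT))    # router admin UI
    r.forwards[8080] = ("192.168.1.30", 80)                                  # deliberate forward
    fwd = r.inbound(Packet("198.51.100.99", 1234, PUBLIC_IP, 8080))
    return {"out": out, "reply": reply, "spoof": spoof, "probe": probe, "mgmt": mgmt, "fwd": fwd}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:6s} -> {pkt if pkt else 'DROPPED'}")
```

Of the six cases only the genuine reply and the deliberate port forward reach a LAN host; everything else is discarded for lack of a matching table entry or by the management filter. The forwarded host is the part the question's "unless you're actually permitting some kind of traffic" refers to: once a forward exists, the PAT table no longer protects that host, and only a filter rule in front of it decides who may talk to it.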
Let's say I have DSL at home. Let's also say that I have a single public IP address, but my internal LAN uses private addressing. The DSL router performs some sort of NAT or PAT (probably PAT here). All my internal machines can reach the Internet through the DSL router, but when they come out, the source address is changed to the public address. The ports are managed by the router, so that it knows who's talking to whom, and can thus properly direct returning traffic. Since someone from the outside accessing the router itself would be a bad idea, say I'm blocking that. Let's say it's managed by http, and I have a filter rule that prohibits anything but my private network from reaching port 80. Now, for all intents and purposes, how vulnerable is my internal network? You can't start a connection with an internal system because you can't reach its IP address. Even if you did manage to hijack a session, of how much value would it really be? So it seems to me that if you use NAT/PAT, you don't need a real firewall unless you're actually permitting some kind of traffic to connect to something from the outside. Is that right? -- Dee __________________________________________________ Do You Yahoo!? Yahoo! GeoCities - quick and easy web site hosting, just $8.95/month. http://geocities.yahoo.com/ps/info1