I'm learning fwbuilder and firewalls in general. I don't understand the differences between Policy, NAT and Routes. They all seem like they are just ways to tell the data where to go depending on what it is and where it's coming from.
What is the real difference? Is a properly configured firewall taking advantage of all three (Policy, NAT and Routes) or are they just three different ways to accomplish the same thing and you only need one of them?
Not familiar with fwbuilder, but they all have more specific meanings in networking, here is how I would define them off the top of my head for general networking:
NAT and PAT:
Changes the IP destination or source and/or the ports in TCP/UDP. The most common uses are so multiple people can share a public IP, or to map public IPs to private IPs for services.
Policy:
What to do with packets that meet certain requirements based on all sorts of properties at various network levels. For example, drop them, or send an ICMP message to the requester saying it is closed. Here the primary use is for security to protect your network.
IP Routes:
Decide which interface to send traffic out depending on the destination IP (or possibly more advanced things when you talk about policy based routing). The use here is that this is how the internet and most major computer networks work at the higher levels. Generally, NAT happens before routing, so the packet is altered by NAT and then routed according to the result.
General vs. Specific:
Your generalization of "ways to tell the data where to go depending on what it is and where it is coming from" is roughly what "networking" is. To take it to a higher level, to me it is almost like saying "Why are there all these computer words when all they do is move and manipulate data" :-) These terms are all specific aspects of networking which can be a full time vocation.
Policy, NAT, and Routing are fwbuilder terms.
Policy is equivalent to the iptables filter table, composed of the INPUT, FORWARD, and OUTPUT chains. This simply decides which packets are allowed to traverse the firewall.
NAT is equivalent to the iptables nat table, composed of the PREROUTING, POSTROUTING, and OUTPUT chains. This does collation (DNAT) and scattering (SNAT) of the packet streams.
Routing has no iptables equivalent. It is used for the routing tables of some routers (mostly Cisco).
fwbuilder has no equivalent to the iptables mangle table, which is used to do all sorts of Stupid Packet Tricks that the other two tables may not be capable of or may not be appropriate for.
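To make the separation concrete, here is a toy model of the path a forwarded packet takes through the three stages the two answers describe (nat PREROUTING, then the routing decision, then the filter FORWARD chain, then nat POSTROUTING). It is an added example, not code from fwbuilder or from either poster; every address, interface name and rule in it is constructed.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str

# nat table (constructed rules): DNAT publishes a DMZ web server on the
# firewall's public address; SNAT hides the internal range behind it.
DNAT = {("203.0.113.10", 80): "192.168.1.10"}   # (public dst, port) -> internal host
SNAT = {"192.168.0.0/16": "203.0.113.10"}        # internal src range -> public address
# routing table: longest matching prefix wins, as in the kernel's FIB.
ROUTES = [("192.168.1.0/24", "dmz0"), ("192.168.0.0/16", "lan0"), ("0.0.0.0/0", "wan0")]

# filter table, FORWARD chain: first match wins, implicit policy DROP.
FILTER_FORWARD = [  # (in_iface, out_iface, dport or None for any, verdict)
    ("wan0", "dmz0", 80, "ACCEPT"),
    ("lan0", "wan0", None, "ACCEPT"),
]

def route(dst):
    """Routing decision: pick the output interface by longest prefix match."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(n).prefixlen, iface)
               for n, iface in ROUTES if addr in ipaddress.ip_network(n)]
    return max(matches)[1]

def forward(pkt):
    """Walk a forwarded packet through the stages in the order the kernel uses."""
    # 1. nat PREROUTING: DNAT runs before routing, so the route is chosen for the rewritten dst
    pkt = replace(pkt, dst=DNAT.get((pkt.dst, pkt.dport), pkt.dst))
    # 2. routing decision (fwbuilder "Routes" / ip route): which interface?
    out = route(pkt.dst)
    # 3. filter FORWARD (fwbuilder "Policy"): may it traverse the firewall?
    verdict = "DROP"
    for in_if, out_if, dport, v in FILTER_FORWARD:
        if in_if == pkt.in_iface and out_if == out and dport in (None, pkt.dport):
            verdict = v
            break
    if verdict != "ACCEPT":
        return verdict, out, pkt
    # 4. nat POSTROUTING: SNAT only after routing, on traffic leaving via wan0
    for net, public in SNAT.items():
        if out == "wan0" and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(net):
            pkt = replace(pkt, src=public)
    return verdict, out, pkt
```

Feeding an inbound web request, an inbound SSH attempt and an outbound LAN connection through forward() shows each stage doing only its own job: NAT rewrites addresses, routing picks the interface, and Policy alone decides whether the packet passes.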