Hello!
When using NAT on a router, do I really need the firewall rules to forward only the established and related connections? Is NAT preventing the outside world from accessing my internal devices (basically doing the same as firewall)?
Regards
As far as I understand you do not need a Firewall (filter) rule when setting up NAT.
The rule will be open for all on the outside to use.
But if you like to allow some or block some other from using your NAT, you need filter rules.
Default ROS firewall includes the following two rules:
...
filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
...
filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
The first one takes care of all packets (in both directions) which belong to connections that are either already established (forward and return traffic of the connection), that contain data related to established connections (either some ICMP packets which carry information about connection, such as path MTU discovery, or associated connections, such as FTP data) … or untracked connections (if those are set up elsewhere).
The second one drops all packets which are not initial packets of new connections coming in from WAN. The rule is slightly cryptic; it could be replaced by two rules (not exactly the same in all conditions, but close enough):
filter add chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface-list=WAN comment="accept DSTNATed from WAN"
filter add chain=forward action=drop
Now, the upper rule says: accept all packets which initiate a new connection (connection-state=new), are coming in via one of the WAN interfaces and have a corresponding DST-NAT rule. The rest of the packets belonging to such a connection will be dealt with by the first rule in this post.
The details about allowed connections (e.g. remote IP address, …) are defined in the DST-NAT rule itself. Which means that you don’t have to define the same stuff in two places and you don’t need a separate firewall filter rule for each DST-NAT rule; a generic one does all the magic.
Thank you for the explanation. The second rule is new for me. I’m used to the rule which allows the packet forward from LAN to WAN.
The point is, having NAT, do I need those two rules? What can happen if I disable them? With NAT enabled nothing can come from outside because I’m using internal IP addresses.
Regards.
Short answer: no (although you can say that a little bit yes)
Long answer: NAT does not prevent standard routing. So if a packet with a destination address inside your LAN happens to arrive on your WAN interface, the router will forward it inside. And if its source is reachable using the default route (in most cases it is, unless a more specific route exists), responses will be correctly routed back. So NAT itself does not prevent access to your LAN.
In the real world, a random internet user shouldn’t be able to send a packet with destination 192.168.88.100 (or whatever you have in LAN) to your router. There’s a thing called source routing which makes this possible, but in most cases it should be blocked by ISPs (that’s where the “yes” in the short answer comes from). But for someone in your ISP’s network (employees, evil hackers who infiltrated it, in some cases even other customers) your network will be wide open.
In short, you do want a properly configured firewall.
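The following is an added example, not code from the thread or from RouterOS: a small Python model of the forward chain that walks the two default rules quoted above (and the two-rule replacement) top-down the way RouterOS does, with the implicit accept at the end of the chain. It shows the point of the long answer: with no filter rules, a packet arriving on WAN for 192.168.88.100 is simply forwarded, NAT or not. Interface names, the simplified `nat_state` values and the sample packets are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    """Only the fields the quoted rules match on (constructed, simplified)."""
    conn_state: str   # connection-state: new / established / related / untracked
    nat_state: str    # connection-nat-state: "dstnat" or "none" (no NAT mark yet)
    in_iface: str     # interface-list the packet arrived on: "WAN" or "LAN"
    dst: str          # destination address, for readability only


def match(rule, pkt):
    """A rule matches when every criterion it lists equals the packet's field."""
    return all(getattr(pkt, field) in allowed for field, allowed in rule["match"].items())


def forward_verdict(rules, pkt):
    """Evaluate the chain top-down; a packet no rule catches is accepted (chain policy)."""
    for rule in rules:
        if match(rule, pkt):
            return rule["action"]
    return "accept"


# defconf: accept established,related,untracked
ACCEPT_TRACKED = {"match": {"conn_state": {"established", "related", "untracked"}},
                  "action": "accept"}

# defconf: drop all from WAN not DSTNATed (connection-nat-state=!dstnat -> "none")
DEFAULT_RULES = [
    ACCEPT_TRACKED,
    {"match": {"conn_state": {"new"}, "nat_state": {"none"}, "in_iface": {"WAN"}},
     "action": "drop"},
]

# The two-rule rewrite from the post above: accept DST-NATed new connections
# from WAN, then drop everything else that reaches the end of the chain.
REPLACEMENT_RULES = [
    ACCEPT_TRACKED,
    {"match": {"conn_state": {"new"}, "nat_state": {"dstnat"}, "in_iface": {"WAN"}},
     "action": "accept"},
    {"match": {}, "action": "drop"},
]

if __name__ == "__main__":
    unsolicited = Packet("new", "none", "WAN", "192.168.88.100")
    print("no filter rules:", forward_verdict([], unsolicited))             # accept
    print("default rules:  ", forward_verdict(DEFAULT_RULES, unsolicited))  # drop
```

The final unconditional drop in the replacement set also catches new connections initiated from LAN, which the default set lets through on the implicit accept; that is one of the "not exactly the same in all conditions" differences the post mentions.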
Thank you, this is exactly what I wanted to know.