Once upon a time, Joe Greco <jgreco@ns.sol.net> said:
Everyone knows a NAT gateway isn't really a firewall, except more or less accidentally. There's no good way to provide a hardware firewall in an average residential environment that is not a disaster waiting to happen.
I don't think hardware vs. software makes a "real" firewall. A NAT gateway has to have all the basic functionality of a stateful firewall, plus packet mangling. Typical home NAT gateways don't have all the configurability of an SSG or such, but the same basic functionality is there.
You can blow away the firmware of your NAT gateway and load something like DD-WRT. This gives you a hardware firewall (an external hardware device that acts as a deliberate firewall; i.e. you can firewall 1.2.3.4 from 5.6.7.8). It is not filtering packets in silicon, which is an alternate definition for "hardware firewall" that many in this group could use, but in common usage, it is the distinctness from the protected host(s) and the ability to implement typical firewalling rules and methods, with or _without_ NAT, that makes it a "hardware firewall."

Your existing NAT gateway firmware may well be based on Linux and may have portions implemented by a Linux firewalling subsystem, but in most cases, you cannot really drill down to any significant level of detail, and quite frequently the main "anti-forwarding" protection offered is simply the difficulty in surmounting the artificial barrier created by the NAT addressing discontinuity. While this might technically count as "the same basic functionality," functionality that cannot be accessed or used might as well not be there for the purposes of this discussion.

So I'll pass on considering your average NAT gateway as a "hardware firewall."

... JG

--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
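As an added illustration of the point made above (this is example code, not from the thread or from the DD-WRT project), here is what the "deliberate firewall" part of a reflashed Linux gateway looks like when it is written so that protection does not depend on the NAT addressing discontinuity at all: the FORWARD policy is a drop, only connections opened from the LAN side are allowed to become state, and NAT is a separate, optional step. Interface names (`vlan2`, `br0`) and the LAN prefix are assumptions; by default the script only prints the iptables commands it would run, and `APPLY=1` executes them.

```shell
#!/bin/sh
# Added example: a NAT-independent stateful ruleset for a Linux-based gateway.
# WAN/LAN interface names and the LAN prefix are assumptions; adjust to taste.
# Dry run by default (prints commands); APPLY=1 actually invokes iptables.
WAN=${WAN:-vlan2}
LAN=${LAN:-br0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
DO_NAT=${DO_NAT:-1}        # set to 0 for a routed (non-NAT) deployment

ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

fw_rules() {
    # Default deny for anything crossing the box or addressed to it. A NEW
    # packet arriving on the WAN is dropped here whether its destination is
    # a public address or a 192.168.x.x host that an upstream neighbour
    # happened to route to us; NAT plays no part in that decision.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Stateful core: replies to connections we already know about pass,
    # with or without address rewriting having happened on the way out.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT   -i lo -j ACCEPT

    # Anti-spoofing: a packet on the WAN claiming a LAN source is a lie.
    ipt -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP
    ipt -A INPUT   -i "$WAN" -s "$LAN_NET" -j DROP

    # Only the LAN side may open new connections towards the WAN.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -m conntrack --ctstate NEW -j ACCEPT

    # NAT is an add-on to the above, not the thing providing the protection.
    if [ "$DO_NAT" = 1 ]; then
        ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    fi
}

# Running the script prints (or, with APPLY=1, installs) the full ruleset.
fw_rules
```

Running it with `DO_NAT=0` yields the same filtering rules minus the MASQUERADE line, which is the whole argument in one diff: the box still firewalls 1.2.3.4 from 5.6.7.8 when the addresses on both sides are routable.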