Re: Port scans through NAT router?
comp.security.firewalls archive

From: Dom <invalid@invalid.invalid>
Date: Sat Jan 28 2006 - 22:07:01 CET

> In the configuration, there's a port mapping function/menu, where I can
> specify when a port or range of ports (e.g., 2000-3000) should be mapped
> to one of my "inside" IP addresses, which are on the 192.168.0 subnet.

Is the host in question configured as a DMZ host?

> BTW, as I think that I mentioned, I was also under the (possibly wrong)
> impression that the router would not route packets to any inside IP
> address unless a mapping was setup. That was the main reason for my
> post.

That is correct. Port Address Translation utilizes socket-based
mappings. Traffic destined for other ports is dropped, even if it is
from a currently mapped IP.

> If I am visiting a website, say http://www.foo.com, is there some way
> for port scans to ride back into my NAT'ed network "on top of" the
> outgoing HTTP connection?

Only if the source and destination sockets match an active NAT mapping.
Received on Tue Feb 7 20:58:07 2006
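The mapping behaviour Dom describes (a packet arriving on the outside interface is delivered inside only if it matches an active outbound mapping, a static port forward, or a configured DMZ host; otherwise it is dropped) is easy to see in a small state-table model. The following is an added example, not code from the original thread or from any router vendor. The addresses, the ephemeral port pool starting at 40000, the DMZ semantics and the strict 5-tuple matching are all assumptions made for illustration.

```python
"""Toy PAT (NAT overload) state table.

Constructed model for illustration only: addresses, port pool, DMZ semantics
and strict 5-tuple (address-and-port-dependent) filtering are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Dynamic table key: (proto, remote_ip, remote_port, translated_wan_port).
# A return packet must match every field, or it is not a reply we expect.
OutsideKey = Tuple[str, str, int, int]
Inside = Tuple[str, int]  # (lan_ip, lan_port)


class PatRouter:
    def __init__(self, wan_ip: str, dmz_host: Optional[str] = None) -> None:
        self.wan_ip = wan_ip
        self.dmz_host = dmz_host          # assumed "expose one host" option
        self.next_port = 40000            # assumed start of the outside port pool
        self.dynamic: Dict[OutsideKey, Inside] = {}
        # (proto, lan_ip, lan_port, remote_ip, remote_port) -> wan_port
        self.reverse: Dict[Tuple[str, str, int, str, int], int] = {}
        self.forwards: Dict[Tuple[str, int], Inside] = {}  # static (proto, wan_port)

    def add_port_forward(self, proto: str, wan_port: int, lan_ip: str, lan_port: int) -> None:
        self.forwards[(proto, wan_port)] = (lan_ip, lan_port)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: allocate (or reuse) an outside port and record the mapping."""
        rkey = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        wan_port = self.reverse.get(rkey)
        if wan_port is None:
            wan_port = self.next_port
            self.next_port += 1
            self.reverse[rkey] = wan_port
            self.dynamic[(pkt.proto, pkt.dst_ip, pkt.dst_port, wan_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: return the translated packet, or None if it is dropped."""
        if pkt.dst_ip != self.wan_ip:
            return None
        # 1. Reply to an active outbound session: the whole socket pair must match.
        inside = self.dynamic.get((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port))
        if inside is not None:
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, inside[0], inside[1])
        # 2. Static mapping configured in the router's port-mapping menu.
        inside = self.forwards.get((pkt.proto, pkt.dst_port))
        if inside is not None:
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, inside[0], inside[1])
        # 3. DMZ host, if one is configured, receives everything else unchanged.
        if self.dmz_host is not None:
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, self.dmz_host, pkt.dst_port)
        # 4. No mapping at all: there is nowhere to deliver it, so it is dropped.
        return None


def demo() -> dict:
    """Replay the thread's scenario; returns each outcome so it can be checked."""
    nat = PatRouter(wan_ip="203.0.113.5")                  # constructed TEST-NET-3 address
    nat.add_port_forward("tcp", 2000, "192.168.0.10", 2000)
    web = "198.51.100.80"                                  # constructed stand-in for www.foo.com
    scanner = "192.0.2.99"                                 # constructed outside host

    # Inside host visits www.foo.com: this creates the dynamic mapping.
    out = nat.outbound(Packet("tcp", "192.168.0.20", 51000, web, 80))

    results = {
        # Server's reply on the same socket pair is translated back inside.
        "reply": nat.inbound(Packet("tcp", web, 80, nat.wan_ip, out.src_port)),
        # A scan "riding on" the session: same server, but a different outside
        # port or a different server source port matches no mapping.
        "scan_other_wan_port": nat.inbound(Packet("tcp", web, 80, nat.wan_ip, out.src_port + 1)),
        "scan_other_src_port": nat.inbound(Packet("tcp", web, 4444, nat.wan_ip, out.src_port)),
        # Static mapping is reachable from anyone; the next port is not.
        "forwarded": nat.inbound(Packet("tcp", scanner, 33333, nat.wan_ip, 2000)),
        "unmapped": nat.inbound(Packet("tcp", scanner, 33333, nat.wan_ip, 2001)),
    }
    # Same probe against a router with a DMZ host configured: it is delivered.
    dmz_nat = PatRouter(wan_ip="203.0.113.6", dmz_host="192.168.0.50")
    results["dmz"] = dmz_nat.inbound(Packet("tcp", scanner, 33333, dmz_nat.wan_ip, 2001))
    return results


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:20s} -> {'DROPPED' if pkt is None else f'{pkt.dst_ip}:{pkt.dst_port}'}")
```

Two caveats when reading this against a real router. The model implements what RFC 4787 calls address-and-port-dependent filtering, which is the strictest case; many consumer routers use endpoint-independent filtering for UDP, where once an inside host has opened a mapping any outside host can send to that outside port, so "only if the sockets match" is true of some NAT implementations and not of others. It also does no TCP state tracking (SYN versus established, timeouts), which a real stateful NAT does and which further limits what an unsolicited packet can do.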