[svlug] NAT !~ DHCP, comparing NAT to Masquerading to Firewalls -- Re: Routing Software

J C Lawrence claw at cp.net
Wed May 10 14:22:19 PDT 2000

On Wed, 10 May 2000 13:59:57 -0400 
Bryan -TheBS- Smith <thebs at theseus.com> wrote:

> Er, I think you are comparing apples and oranges here.  NAT is a
> many to one translation/filter.  DHCP is a IP address issuing
> protocol.

This is a common misunderstanding.  NAT is Network Address
Translation.  It can be:

  N <=> N'       N' is the same size as N
  N <=> M        M is smaller than N
  N <=> 1        A special case of N <=> M often called IP Masq.

Linux supports the full NAT definition, and can do all three of the
above forms.  The usually used IP Masq variant is just that, a
variant whose popularity is due to the fact that most people have
only a single routable IP address, and thus don't have a block to do 
more interesting mapping forms.

> BTW, from my understanding, NAT is just IP translation that does
> not do any filtering and forwards/receives everything nasty.

Technically correct.  NAT is just the address translation.
Filtering is something else entirely at a functional level (how your
system presents that functionality however is a different matter).
Typically, as you are already messing about with the packets to do
the NAT, filtering is usually thrown in for free at the same time
(eg routers, firewalls, etc), often using exactly the same
syntax/tools/interface to configure both NAT and filtering.

> Most people I talk to and work with on using Linux 2.2's IPChains
> instantly become frustrated with the level of configuration
> required to get various protocols/ports, mainly on-line gaming and
> other programs, to work.  Instead, they go buy a box that
> "magically" works out of the box (or a few have even used
> FreeBSD's basic NAT daemon instead of dealing with Linux's
> IPChains).

There are several helpful web sites to assist in getting a working
IPchains setup.  I've never bothered as the basic set has always
either done what I needed, or what I needed required direct
connectivity and thus ruled out NAT.
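As an added illustration of the three mapping forms discussed above (this is not code from the original message, and the addresses are constructed): a small Python model of 1:1, pool and masquerading NAT. It shows that only the N <=> 1 form has to rewrite ports to stay reversible, and that none of the three forms does any filtering; an address-level mapping forwards unsolicited inbound traffic as-is.

```python
from dataclasses import dataclass, field


@dataclass
class Nat:
    """mode is 'static' (N <=> N'), 'pool' (N <=> M with M < N) or 'masq' (N <=> 1)."""
    mode: str
    external: list                                   # routable addresses this box owns
    static_map: dict = field(default_factory=dict)   # inside IP -> outside IP, static mode only
    host_map: dict = field(default_factory=dict)     # inside IP -> outside IP, filled in pool mode
    table: dict = field(default_factory=dict)        # (in_ip, in_port) -> (out_ip, out_port)
    reverse: dict = field(default_factory=dict)      # (out_ip, out_port) -> (in_ip, in_port)
    next_port: int = 1024

    def outbound(self, in_ip, in_port):
        """Rewrite the source of a packet leaving the inside network."""
        key = (in_ip, in_port)
        if key in self.table:
            return self.table[key]
        if self.mode == "static":
            out = (self.static_map[in_ip], in_port)      # address rewritten, port untouched
        elif self.mode == "pool":
            if in_ip not in self.host_map:
                free = [a for a in self.external if a not in self.host_map.values()]
                if not free:
                    raise RuntimeError("pool exhausted: all M outside addresses in use")
                self.host_map[in_ip] = free[0]
            out = (self.host_map[in_ip], in_port)
        elif self.mode == "masq":
            out = (self.external[0], self.next_port)     # one address, so the port must change
            self.next_port += 1
        else:
            raise ValueError(self.mode)
        self.table[key] = out
        self.reverse[out] = key
        return out

    def inbound(self, out_ip, out_port):
        """Where does a packet arriving from outside go?  None means it is undeliverable.
        There is no policy here: with an address-level mapping, unsolicited traffic is
        forwarded as-is, which is why NAT is not a substitute for filtering."""
        addr_map = self.static_map if self.mode == "static" else self.host_map
        inside = {v: k for k, v in addr_map.items()}
        if out_ip in inside:
            return (inside[out_ip], out_port)
        return self.reverse.get((out_ip, out_port))
```

With a single outside address the masquerade table is the only thing that makes replies routable, which is why an unmapped inbound packet simply has nowhere to go; that is a side effect of the mapping, not a filter.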

