Hi
To answer your question re security and PAT (you are almost certainly running PAT and not NAT): yes, PAT for the most part only allows outgoing connections, with the exception of DNS and some other UDP connections. (UDP is connectionless and as such is tricky to NAT/PAT/Masquerade/Firewall.)
Two Qs:
1) What's the difference between PAT and NAT?
PAT is what Cisco calls n:1 NAT, i.e. the mapping of many (i.e. n) IP
addresses to 1. In order to do this and still keep connections separable,
you need to modify the source port, so, in effect, you're using the source
port as the key to map private IP addresses to the one public one. Whether
you say PAT (Ciscospeak), IP Masquerading (Linuxspeak) or n:1 NAT (general
term) doesn't really matter, people should understand you either way.
Incidentally, any n:m NAT scheme with n

2) I'd like some more information about how secure is a (private-IP)
intranet behind a router performing NAT/PAT or similar (which obviously
has got a real IP address).

NAT is *not* a security mechanism. It provides functionality, not security,
at least not by itself. Maybe minimal additional security, because you can
use RFC1918 addresses and these *should* not be routed on the Internet, but
you'd be foolish to rely on that.

My personal thoughts are that if the NAT device isn't implementing any
port forwarding to any internal machine, the said machine is safe.

Why should it be? It can communicate freely with the Internet. Therefore, it
is vulnerable to any attacks that do not require that a connection be
initiated from the Internet. NAT doesn't buy you any more security than a
packet filter does and I consider that the minimum requirement.

Correct? So, the intranet would be safe for external attacks (supposing
router access is not granted and its configuration is safe from hackers)
without needing a fw or router-filters, isn't it? Am I missing some
interesting points?

NAT is not a security device, that's all there is to it. It is very useful,
but you need to complement it with conventional network security mechanisms.
In and of itself, it provides very minimal security enhancement (mainly in
the 'security by obscurity' department), but often gives a false sense of
security.
HTH
Tobias
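As an added illustration of the n:1 NAT (PAT) mechanism described in the reply above, not code from the thread or from any vendor: a minimal translation table that uses the public source port as the key, creates mappings only for outbound flows, and admits inbound packets only when a dynamic mapping or a static port forward exists. All addresses are constructed documentation values; the hypothetical `PatDevice` class deliberately omits the per-destination check that stricter implementations apply, which is the UDP caveat mentioned at the top of the reply.

```python
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.1"  # constructed documentation address


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatDevice:
    """Hypothetical n:1 NAT box: many private addresses behind one public one."""

    def __init__(self, public_ip, port_forwards=None):
        self.public_ip = public_ip
        self.next_port = 40000  # first public source port we hand out
        # (proto, public_port) -> (private_ip, private_port), built from outbound traffic
        self.table = {}
        # (proto, private_ip, private_port) -> public_port, so a flow reuses its mapping
        self.reverse = {}
        # static forwards configured by the admin: (proto, public_port) -> (private_ip, port)
        self.forwards = dict(port_forwards or {})

    def outbound(self, pkt):
        """Rewrite a packet leaving the private network; allocate a mapping if new."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.reverse:
            pub = self.next_port
            self.next_port += 1
            self.reverse[key] = pub
            self.table[(pkt.proto, pub)] = (pkt.src_ip, pkt.src_port)
        pub = self.reverse[key]
        return Packet(pkt.proto, self.public_ip, pub, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate a packet arriving from the Internet, or return None (dropped)."""
        key = (pkt.proto, pkt.dst_port)
        target = self.table.get(key) or self.forwards.get(key)
        if target is None:
            return None  # no mapping: an unsolicited connection has nowhere to go
        # Simplification: the external source is not checked against the original
        # destination, so once a mapping exists any host can reach it (the UDP caveat).
        priv_ip, priv_port = target
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, priv_ip, priv_port)
```

The dropped unsolicited packet is the "only outgoing connections" behaviour; the reply path and the static forward are the two ways traffic still reaches an internal host, which is why the reply treats NAT as functionality rather than a filter.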