Computer Help and Support
In reply to the discussion: Stickied thread: Safe internet browsing habits
steve2470
NAT router = D-Link, Linksys, Cisco, Netgear, other "consumer grade" routers
http://www.dslreports.com/faq/4629
Summary
Whilst NAT discards all unsolicited traffic received from the Internet, it does not restrict conversations initiated by the computers behind it. A software firewall (and its user) would theoretically prevent malicious programs from initiating these 'outbound' conversations. It is worth noting that the most common type of malicious, network-aware program, the Remote Access Trojan (RAT), almost always depends upon an inbound connection from the attacker and is therefore defeated by NAT alone.
Although the threat reduction provided by a software firewall employed in this scenario may be relatively small, it does provide another layer of defense against certain types of malicious program and may be useful in alerting you to their presence.
As detailed previously, NAT discards all unsolicited traffic received from the Internet. Therefore, a software firewall watching inbound traffic would only ever see return traffic - traffic that is part of a conversation initiated by the host computer. Besides the occasional false positive (see here for an example), the software firewall will never produce any 'alerts' on inbound traffic.
So, why do people run them? Well, the advantage that a software firewall holds over hardware devices is that it can associate conversations with the program involved. A standalone NAT or firewall device has no way of determining which program is responsible for the packets it filters - it can only filter on the fields in packet headers such as ports and addresses. If an administrator were to filter all outbound connections except those destined for port 80 (http) they could not assume that the only conversations passing through the device were indeed http. Indeed, some legitimate programs (IM and P2P clients, etc) allow users to set a "firewall mode" whereby they use destination port 80 for all conversations, bypassing "pesky admins and their firewalling" (and often their security policies).
more at link above
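The two filtering models the FAQ contrasts can be shown side by side in a small simulation: a NAT router that keeps a table of outbound connections and passes inbound packets only when they match one, and a host firewall that can see which program owns a connection while a standalone device can only see ports and addresses. This is an added illustration, not code from the dslreports FAQ or the forum post; the IP addresses, ports and program names are constructed for the example.

```python
"""Toy model of NAT connection tracking versus header-only and process-aware
outbound policies. Added example; all addresses, ports and program names are
constructed and carry no meaning beyond this script."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str      # "out" (LAN -> Internet) or "in" (Internet -> LAN)
    program: str = ""   # known only to a host firewall, never to a NAT box


class NatRouter:
    """Remembers outbound conversations; inbound passes only as return traffic."""

    def __init__(self):
        self.table = set()

    def filter(self, pkt):
        if pkt.direction == "out":
            # Record the conversation (lan_ip, lan_port, remote_ip, remote_port).
            self.table.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "forward"
        # Inbound: reverse the tuple and look it up. Unsolicited packets have
        # no matching entry and are discarded, which is what stops an inbound
        # RAT connection.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "forward" if key in self.table else "drop"


def header_only_policy(pkt):
    """Standalone device rule: allow outbound only when the destination is port 80."""
    return "allow" if pkt.dst_port == 80 else "deny"


def process_aware_policy(pkt, allowed_programs):
    """Host firewall rule: allow outbound only for programs on an allow-list."""
    return "allow" if pkt.program in allowed_programs else "deny"


def run_scenario():
    """Replays the FAQ's three cases and returns each filter's verdict."""
    nat = NatRouter()
    lan = "192.168.1.10"          # constructed LAN host
    results = {}

    # 1. Browser fetches a page; the reply is return traffic, so NAT forwards it.
    req = Packet(lan, 51000, "203.0.113.5", 80, "out", "browser")
    results["browser_out"] = nat.filter(req)
    reply = Packet("203.0.113.5", 80, lan, 51000, "in")
    results["browser_reply"] = nat.filter(reply)

    # 2. A RAT listening on the LAN host waits for the attacker to connect in.
    #    Nothing outbound created a table entry, so NAT drops the packet.
    knock = Packet("198.51.100.7", 40000, lan, 31337, "in")
    results["rat_inbound"] = nat.filter(knock)

    # 3. An IM client in "firewall mode" sends everything to port 80. A
    #    header-only rule cannot tell it from the browser; a process-aware
    #    rule can, because it sees which program owns the connection.
    im = Packet(lan, 51001, "192.0.2.20", 80, "out", "im_client")
    results["im_header_only"] = header_only_policy(im)
    results["im_process_aware"] = process_aware_policy(im, {"browser"})
    return results


if __name__ == "__main__":
    for case, verdict in run_scenario().items():
        print(f"{case:20s} {verdict}")
```

The NAT class is deliberately stateful and nothing else: it makes no decision about what the LAN host may start, which is the FAQ's point that NAT alone does not restrict outbound conversations. The last case shows why a port rule on the router is not a policy on applications, while the host firewall's program attribute is exactly the information a standalone device never has.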