NAT stands for "Network Address Translation". Among other things, NAT allows you to provide public access to your system even though it sits behind a firewall. It does so by changing the source and destination IP addresses for data packets as they flow through your system. It can also be used to simplify configuration when multiple networks in your system operate on different addressing schemes. Your system can act as a go-between making the connections possible. NAT can also be used to hide real IP addresses between networks.
IP Packet Filtering lets you block specific IP addresses or filter packets based on information contained in each packet header. That gives you a lot of power to control who can and cannot access your system based on the IP address they are coming from. Using IP Packet Filtering, you can:
- Permit or reject packets based on their destination IP address.
- Permit or reject packets based on their source IP address.
- Permit or reject packets based on either their source port number or their destination port number.
- Apply these rules selectively when you have multiple network connections to your system. Different rules can apply to each network adapter.
- Stop undesirable traffic from passing through your system to other nodes in your network.
- Selectively log traffic based on the way your rules are set up.
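The capabilities listed above can be modelled as a small first-match rule evaluator. This is an added example, not from the original article and not iSeries packet rule syntax. The adapter names, addresses and rules are constructed, and denying packets that match no rule is an assumption of this example.

```python
import ipaddress
from dataclasses import dataclass

ANY_PORT = range(0, 65536)
@dataclass(frozen=True)
class Rule:
    action: str                      # "PERMIT" or "DENY"
    src: str = "0.0.0.0/0"           # source network
    dst: str = "0.0.0.0/0"           # destination network
    sports: range = ANY_PORT         # source port range
    dports: range = ANY_PORT         # destination port range
    log: bool = False                # record packets that hit this rule
    def matches(self, p):
        return (ipaddress.ip_address(p["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p["dst"]) in ipaddress.ip_network(self.dst)
                and p["sport"] in self.sports and p["dport"] in self.dports)

# Constructed rule sets, one per network adapter (adapter names are hypothetical).
RULES = {
    "PUBLIC": [
        Rule("DENY", src="203.0.113.0/24", log=True),             # blocked source range
        Rule("PERMIT", dst="192.0.2.10/32", dports=range(443, 444)),
    ],
    "INTERNAL": [
        Rule("DENY", dst="10.1.2.0/24", dports=range(23, 24), log=True),
        Rule("PERMIT", src="10.1.0.0/16"),
    ],
}

def evaluate(adapter, pkt, log):
    """First matching rule wins; unmatched packets are denied (assumption)."""
    for idx, rule in enumerate(RULES.get(adapter, [])):
        if rule.matches(pkt):
            if rule.log:
                log.append((adapter, idx, rule.action, pkt["src"], pkt["dst"], pkt["dport"]))
            return rule.action
    return "DENY"

def run_samples():
    samples = [  # constructed packets: adapter, source, destination, destination port
        ("PUBLIC", "203.0.113.7", "192.0.2.10", 443),     # blocked source, logged
        ("PUBLIC", "198.51.100.5", "192.0.2.10", 443),    # permitted service
        ("PUBLIC", "198.51.100.5", "192.0.2.10", 22),     # no rule matches
        ("INTERNAL", "10.1.5.9", "10.1.2.20", 23),        # stopped before other nodes, logged
        ("INTERNAL", "10.1.5.9", "10.1.2.20", 443),       # internal source permitted
        ("INTERNAL", "198.51.100.5", "192.0.2.10", 443),  # same packet as #2, other adapter
    ]
    log = []
    pkts = [(a, dict(src=s, dst=d, sport=40000, dport=dp)) for a, s, d, dp in samples]
    return [evaluate(a, p, log) for a, p in pkts], log
```

Calling `run_samples()` returns the verdict for each packet and the log entries; the second and sixth packets are identical but get different verdicts because each adapter carries its own rule set.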
You can find more information about setting up and configuring NAT and IP Packet Filtering at the IBM iSeries Information Center -- look in the Internet Security area. The iSeries Navigator includes a set-up wizard for IP Packet Filtering that may also help you to get started.
One note of caution: While these "free" tools are available for your use, they are just another tool in your security tool bag. Used together, these functions provide some of the functionality you'll find in a firewall, but full implementation of a firewall product is preferable. These tools should be used in conjunction with your overall security plan and strategy.
If you have specific questions about this topic, e-mail me at firstname.lastname@example.org. All e-mail messages will be answered.
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.
This was first published in May 2006