Consumer Grade - IPV6 Enabled Router Firewalls.

Once upon a time, Joe Greco said:
> Everyone knows a NAT gateway isn't really a firewall, except more or less
> accidentally. There's no good way to provide a hardware firewall in an
> average residential environment that is not a disaster waiting to happen.

I don't think hardware vs. software makes a "real" firewall. A NAT
gateway has to have all the basic functionality of a stateful firewall,
plus packet mangling. Typical home NAT gateways don't have all the
configurability of an SSG or such, but the same basic functionality is

You can blow away the firmware of your NAT gateway and load something
like DD-WRT. This gives you a hardware firewall (an external hardware
device that acts as a deliberate firewall; i.e. you can firewall
from It is not filtering packets in silicon, which is an
alternate definition for "hardware firewall" that many in this group
could use, but in common usage, it is the distinctness from the protected
host(s) and the ability to implement typical firewalling rules and
methods, with or _without_ NAT, that makes it a "hardware firewall."

Your existing NAT gateway firmware may well be based on Linux and may
have portions implemented by a Linux firewalling subsystem, but in most
cases, you cannot really drill down to any significant level of detail,
and quite frequently the main "anti-forwarding" protection offered is
simply the difficulty in surmounting the artificial barrier created by
the NAT addressing discontinuity. While this might technically count as
"the same basic functionality," functionality that cannot be accessed or
used might as well not be there for the purposes of this discussion. So
I'll pass on considering your average NAT gateway as a "hardware

