Slarty perfectly explains the reasoning behind my answer...


Invictus, please explain why you say that PAT provides more protection than NAT?! They don't even have the same functionality...

Also, keep in mind that stateful inspection (of packets) isn't a magic thing: all it does is keep track of established connection states. The advantage is that it makes it harder to "slip in" odd or invalid packets that don't belong to an established connection. However, if you are doing NAT, you are in fact already keeping states on outgoing connections with the translation table. So incoming packets that do not belong to an established connection will be blocked/dropped just as they would with a stateful firewall. (For example, OpenBSD's firewall (pf) uses the same "table" (a BTree I believe, actually) to keep states AND for NAT.)
So assuming you don't expect incoming (legit) connections and don't need complex outgoing filtering, NAT and SPF do basically the same thing...


But wouldn't you feel better with a Linux box in there as well?
No: Assuming the user is a newbie to networking, security and computing in general (an appropriate assumption I'd say when you're asked a question like this), I would advise against having him/her set up a *nix firewall. Linux boxes come with TONS of services enabled, need considerable effort (for newbies at least) to secure, and then to learn iptables/ipchains and set it up. And then in the end, even a default block in, nat out all provides little more security than does a default install (meaning pretty much plug and play) of a home router...


Ammo
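
The point above about the NAT translation table doubling as a state table, as an added example that is not part of the original post: a toy port-translating NAT in Python where an inbound packet is forwarded only if an outbound connection created a matching entry. The class, its method names and all addresses are constructed for illustration, and the model assumes per-connection (address and port dependent) matching and ignores timeouts and TCP flags.

```python
# Added illustration: toy NAPT device whose translation table is also its state table.
# All addresses and ports below are constructed sample values.
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

class Nat:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}   # (int_ip, int_port, remote_ip, remote_port) -> public port
        self.back = {}  # (public_port, remote_ip, remote_port) -> (int_ip, int_port)

    def outbound(self, p: Packet) -> Packet:
        """Translate a LAN->Internet packet, creating a table entry if needed."""
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(self.next_port, p.dst, p.dport)] = (p.src, p.sport)
            self.next_port += 1
        return Packet(self.public_ip, self.out[key], p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Translate an Internet->LAN packet, or return None (drop) if no entry matches."""
        if p.dst != self.public_ip:
            return None
        entry = self.back.get((p.dport, p.src, p.sport))
        if entry is None:
            return None  # unsolicited: there is nothing to translate it to
        return Packet(p.src, p.sport, entry[0], entry[1])

def demo():
    nat = Nat("203.0.113.5")
    sent = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 443))
    reply = nat.inbound(Packet("198.51.100.7", 443, sent.src, sent.sport))
    # Same public port, but from a host the LAN client never contacted.
    probe = nat.inbound(Packet("192.0.2.66", 443, sent.src, sent.sport))
    # A public port that was never mapped at all.
    scan = nat.inbound(Packet("192.0.2.66", 4444, "203.0.113.5", 22))
    return sent, reply, probe, scan

if __name__ == "__main__":
    for name, value in zip(("sent", "reply", "probe", "scan"), demo()):
        print(f"{name:5} -> {value}")
```
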