University of Melbourne · S1 2027 · FACULTY OF COMPUTER SCIENCE

COMP30023 · Computer Systems

- one subject, every graph, every model, every mark
Computer Science14 Chapters10-page Bible
Our own words - no uploaded lecturer files
Built to mirror S1 2027 · updated this semester
Chapter 13 of 13 · COMP30023

Middleboxes, NAT, Firewalls and Exam Revision

Week 12 closes the networking half with middleboxes — network address translation and its port-mapping table, firewalls, and a structured method for debugging network problems — then pulls the whole subject together for revision across both halves and the dual-hurdle exam. Describing the NAT translation walk-through and its trade-offs, and reasoning about a network fault by layer and location, are common exam questions.

In this chapter

What this chapter covers

  • 01Private address blocks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) reusable behind a NAT
  • 02How NAT (really NAPT) rewrites the private source IP and port to the public IP and a table index; checksum recomputation
  • 03The NAT translation table and the inbound reverse mapping; why an external host cannot initiate unsolicited
  • 04NAT criticisms (breaks end-to-end, layering violation, connection state, ~65,536-connection limit) and its security upside
  • 05Firewalls and the security role of middleboxes; NAT is not a firewall replacement
  • 06Structured network debugging: classify the symptom, localise in space and in the protocol stack, hypothesise, then test
  • 07Debugging tool classes by function (interface, reachability, name resolution, fetch) — remember functionality, not names
  • 08Whole-subject revision: linking the OS half (processes, scheduling, memory, crypto) to the networking half for the exam
Worked example · free

A NAT translation walk-through

Q [4 marks]. An internal host with private address 192.168.1.10 and source port 5000 sends a packet to a web server at 203.0.113.5:80 through a NAT box whose public address is 198.51.100.1. Describe how the NAT box rewrites the packet outbound and how it handles the reply inbound, and note one consequence of this design. (4 marks)
  • +1Outbound rewrite: the NAT box replaces the private source IP 192.168.1.10 with its public IP 198.51.100.1, and replaces the source port 5000 with a chosen entry index into its translation table — say public port 40001. The destination (203.0.113.5:80) is unchanged.
  • +1It records the mapping 198.51.100.1:40001 ↔ 192.168.1.10:5000 in the translation table and recomputes the IP and TCP checksums, since the addresses and ports they cover have changed. To the outside world the packet now appears to originate from 198.51.100.1:40001.
  • +1Inbound reply: the server replies to 198.51.100.1:40001 (it never sees the private address). The NAT box looks up destination port 40001 in the table, recovers 192.168.1.10:5000, rewrites the destination IP and port back to those private values, recomputes checksums, and forwards the packet to the internal host.
  • +1One consequence: NAT breaks end-to-end connectivity — an external host cannot initiate a connection to an internal host because no table mapping exists until the internal host first sends a packet out. The same property is a security benefit: unsolicited inbound packets are dropped, shielding the LAN (though NAT is not a substitute for a firewall). It also caps concurrent mappings at about 65,536 per public IP (16-bit port field).
Outbound, the NAT box rewrites source 192.168.1.10:5000 to 198.51.100.1:40001, stores the mapping and recomputes checksums. Inbound, it looks up port 40001, restores 192.168.1.10:5000, rewrites and recomputes checksums, and delivers internally. The design breaks end-to-end reachability (no unsolicited inbound) — which is also its security upside — and limits mappings to about 2^16 per public IP.
Sia tip — Describe both directions and name the table's role as the port-indexed lookup that reverses the rewrite; the marks are split across outbound, inbound and a consequence. Remember NAT also rewrites the port (it is really NAPT) and must recompute checksums. Ask Sia to change the addresses/ports and check that your inbound lookup restores exactly the stored private endpoint.
Glossary

Key terms

Network Address Translation (NAT)
A middlebox technique letting many hosts share one public IP: it rewrites a packet's private source IP (and port) to the public IP and a table index on the way out, and reverses the mapping on the way back. Really NAPT (Network Address and Port Translation), since it maps ports too.
Private address blocks
Address ranges reusable inside any organisation and never routed on the public Internet: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. Hosts using them reach the Internet through a NAT box that supplies a public address.
NAT translation table
The NAT box's table mapping each chosen public port to the original (private IP, source port). Outbound packets create or reuse an entry; inbound packets are demultiplexed by destination port back to the right internal host. It holds connection state, so a NAT crash drops all mappings.
NAT trade-offs
NAT breaks end-to-end connectivity (external hosts cannot initiate without a prior mapping), violates the one-address-per-interface model, is a layering violation (it inspects transport ports), holds per-connection state, and caps connections at about 65,536 per public IP. Its upside is shielding the LAN from unsolicited inbound packets — but it is not a firewall replacement.
Structured network debugging
The course's method for 'the Internet isn't working': classify the symptom (one app vs all, no response vs slow vs partial), localise it in space (host/server/router/NAT/firewall) and in the protocol stack (physical→application), form hypotheses per location, and test with the right tool class — recalling tool functionality rather than exact command names.
Firewall
A middlebox that filters traffic by policy to protect a network. It complements NAT rather than being replaced by it: NAT incidentally blocks unsolicited inbound traffic, but a firewall provides deliberate, configurable filtering.
FAQ

Middleboxes, NAT, Firewalls and Exam Revision FAQ

How does NAT translate addresses?

Outbound, the NAT box replaces a packet's private source IP with its single public IP and replaces the source port with an index into its translation table, storing the original private IP and port in that entry and recomputing the IP and TCP/UDP checksums. Inbound, it reads the destination port of the reply, looks it up in the table to recover the original private IP and port, rewrites the destination fields back and recomputes checksums, then forwards to the internal host. Because it maps ports as well as addresses it is really NAPT.

Why does NAT break end-to-end connectivity but help security?

A mapping in the NAT table only exists after an internal host sends a packet out, so an external host has nothing to address an unsolicited packet to — it cannot initiate a connection inward. That breaks the end-to-end model where any host can reach any other. The same property is a security benefit: unsolicited inbound packets are simply dropped, shielding the internal hosts. It is not, however, a substitute for a firewall, which provides deliberate policy-based filtering.

What are the main criticisms of NAT?

It breaks end-to-end connectivity (internal hosts cannot easily act as servers); it violates the model that each IP address identifies one unique interface (thousands of hosts hide behind one public address); it is a layering violation because it must inspect and rewrite transport-layer ports (and special-case protocols like FTP); it holds per-connection state, so if the NAT box crashes all connections are lost; and it limits concurrent mappings to about 65,536 per public IP because the port field is 16 bits. Its redeeming feature is the incidental security shielding.

How should I approach a 'the network isn't working' exam question?

Use the course's structured method rather than guessing. First classify the symptom: is it one application or all, no response or slow or partial, access-denied? Then localise it in space (local host, server, router, NAT, firewall) and in the protocol stack (physical, link, network, transport, application), reasoning about what symptom each failure location would produce. Form hypotheses and test each with the right class of tool — interface/config, reachability (ping/traceroute), name resolution (DNS lookup), fetch (curl). The examinable point is to remember what each tool and layer does, not the exact command names.

Can AI help me revise for the whole COMP30023 exam?

Yes, as a study aid across both halves. Sia can walk through a NAT translation, drill you on the layered debugging method, and set mixed practice spanning scheduling, paging, crypto, TCP, addressing and routing to rehearse for the dual-hurdle exam, checking your reasoning step by step. It helps you understand the method and self-test; it does not do your graded exam, quizzes or projects, and University of Melbourne academic-integrity rules apply.

Study strategy

Exam move

Week 12 both adds the NAT/firewall/debugging content and is your springboard into whole-subject revision, so use it to consolidate. Master the NAT translation walk-through in both directions (rewrite source IP and port outbound, reverse-map by destination port inbound, recompute checksums) and be able to list its trade-offs and its end-to-end-vs-security tension. Practise the structured debugging method as a symptom → location → layer → test chain, remembering the examinable point is tool functionality, not command names. Then revise across both halves against the dual hurdle: you must clear 30/60 on the MST-plus-exam and 20/40 on the projects-plus-quizzes, so make sure no major topic is a blank. Build a one-page map linking the OS half (processes, scheduling, memory, crypto) to the networking half, and rehearse the highest-frequency exam shapes. Confirm the exam date, room and permitted materials on Canvas and the University of Melbourne exam timetable; the final sits in the Semester 1, 2027 examination period (around June 2027).

Working through Middleboxes, NAT, Firewalls and Exam Revision in COMP30023? Sia is AskSia’s AI Computer Science tutor — ask any COMP30023 Middleboxes, NAT, Firewalls and Exam Revision question and get a clear, step-by-step explanation grounded in how COMP30023 is taught and assessed. Read this chapter free, then take your hardest questions to Sia.

A+Everything unlocked
Unlocks this Bible + all 14 of your University of Melbourne subjects - and 1,000+ Bibles across every Australian university.
Sia - your COMP30023 tutor, unlimited, worked the way the exam marks it
The full 10-page Bible + practice bank with worked solutions
Chrome extension - sync your LMS so Sia knows your deadlines
Bilingual EN / Chinese on every Bible and every Sia answer
$25/ month
30-day money-back · cancel in one tap · how it works
Unlock the full COMP30023 Bible + 14 University of Melbourne subjects解锁完整 COMP30023 Bible + University of Melbourne 14 门科目
$25/mo