Software Firewall

Do I need a Software Firewall if I do a lot of downloading? I currently use a Netgear WGT624v3 w/ McAfee AV.

Thanks,

Reply to
K2NNJ

No, a software firewall will be of no help to you if you're downloading a lot of junk. Best off having a good AV, or better yet, don't download the bad stuff.

Reply to
Kerodo

Never a good idea to put one's callsign in the headers :-(

Reply to
Vrodok the Troll

The software firewall will give you a heads up if you happen to download something that decides to send your information to the world.

Reply to
Woody

No. This does not work at all. I'm wondering when this will get around at last.

Yours, VB.

Reply to
Volker Birk

Personal FW's have that trash in them. Host based network FW's, packet filtering FW routers and FW appliances have no such trash. Some would say that a PFW is not a FW since it doesn't separate two networks and is only machine level protection when it does its job as some kind of packet filter and not using all the other bloat trash in PFW solutions.

Duane :)

Reply to
Duane Arnold

So I'm good with what I got?

Reply to
K2NNJ

If you're not doing the high-risk things with the router like port forwarding, then you should be OK. I see the router does have SPI and that's good and some other security features. For downloading things that you have indicated in your post, it's not a FW's job to be concerned about it. But most PFW(s) have some kind of application control that will alert on dubious applications that could be installed on your machine and run. That feature can easily be defeated and I have disabled that feature on the laptop PFW that I use on the road. It's a worthless feature IMHO and I use other tools from time to time to tell me what is happening on the machine.

While I am at home, the FW appliance I use provides all the protection in stopping inbound and outbound traffic between LAN to LAN, LAN to WAN and WAN to LAN by port, protocol or IP and also logs all inbound and outbound traffic by WAN and LAN IP(s). If your router can stop inbound and outbound and there are those routers that are packet filtering FW routers that also have logging of traffic that can do it, then you're good to go wired or wireless. You don't need a PFW period.

However, you have a wireless solution and I don't think the router can stop outbound. Because it's a wireless solution, someone could hack the wireless, join your network and be all over the top of your machines wired or wireless. For that reason, you might want to keep the PFW(s) on the machines setting rules to only allow traffic between the approved IP(s) on your LAN between the machines.

PFW(s) and other packet filter solutions at the machine level have their place in the protection as long as they don't bring complication to the picture. As far as some kind of file download protection, that's not any FW's job period.

If you're comfortable without the need of a PFW or some other packet filter that can stop outbound behind the router, then go without the PFW. On the other hand, I myself would prefer to have a router that at least meets the specs in the link to be fully comfortable without the need of something supplementing the router. It's just my opinion on it and some have a completely different view on it. It's something you're going to have to decide as to what's best for your needs.

Duane :)

Reply to
Duane Arnold

I was previously using a Netgear FR114P. From their website the only difference I can see between the two is:

  1. It's obviously not wireless and,
  2. It's ICSA certified

Other than those two is there a difference?

Thanks,

Reply to
K2NNJ

Hm... could be a signature ;-) Duane, how should a router work without port forwarding?

Yours, VB.

Reply to
Volker Birk

And what are you asking here? All ports on the router are closed by default to unsolicited inbound traffic. One starts opening inbound ports by using *port forwarding* that allows unsolicited traffic to come down the port or ports to Internet server applications running on a machine, with the O/S, the Internet server applications, etc. etc. not secured to face the Internet, then one has some potential problems -- no not potential problems - they got problems.

For the average home user that most likely will never use port forwarding, they are safe as the ports are closed to unsolicited inbound traffic. One starts opening those ports manually on the router to unsolicited inbound traffic and all bets are off.

Duane :)

Reply to
Duane Arnold

Well, ICSA certified means the router has gone through some kind of testing procedures that are an industry standard. The wireless version of the router has not I guess as you have indicated.

I don't use a Netgear; you tell me. Does the router meet the specs for what an Internet FW software or hardware solution is supposed to do? Does the router meet all of the requirements? If the router meets them, then you're good to go and you don't need a PFW behind it. If the router doesn't, then you may want to supplement the protection of the NAT router, especially on outbound protection.

Can you set/create rules to stop both inbound and outbound traffic on the LAN to LAN machines, WAN to LAN or LAN to WAN between machines with the router, along with the other things that are being specified in the link above about an Internet FW hardware or software?

You might want to go beyond the protection of the router with a PFW on the machines, since you have a wireless situation and someone could join/hack your wireless network on the air waves and come at the machines, unless the wireless router can control inbound and outbound traffic between machines on the LAN, then you don't need a PFW.

Duane :)

Reply to
Duane Arnold

OK. You don't mean packet forwarding.

VB.oO( Whatever you mean... )

Reply to
Volker Birk

I have no way of telling if it blocks outbound. I would have to contact Netgear direct. However, I can control who uses my network. The router has a feature where you can only allow access by either IP or MAC address of a NIC.

Reply to
K2NNJ

Have you used a NAT router? If you have used a NAT router and you had a WEB server running behind the NAT router that you wanted exposed to the Internet on HTTP port 80 along with 20 and 21 for the FTP so that unsolicited traffic (any client machine on the Internet can contact the site), then you know what *port forwarding* on the router means. If you don't want anyone to contact the site on the ports with unsolicited traffic, then you don't port forward ports or traffic to the IP/machine that has the WEB server running -- those ports are closed to unsolicited inbound traffic.

This is basic here VB and you should know this.

Tell me that you're joking here. :)

Duane :)

Reply to
Duane Arnold

Ah, you're meaning static NAT. Thanx for making that clear.

Yours, VB.

Reply to
Volker Birk

If that router can stop outbound traffic, then you would *clearly* see the means of setting rules to stop outbound traffic by a LAN IP, port or protocol in the user manual. If you have not seen it in the user manual, then the router cannot do it.

Does the router have a syslog so that you can review traffic to and from the router? I feel that is a must you should have with any router, otherwise you're blind -- very important on a wireless setup.

The MAC filtering is for the wireless I would suspect, which the MAC can be spoofed by a hacker on the wireless and they can still come at your machines on the wireless coming at the machines wired or wireless or they can just use your wireless setup to access the Internet wirelessly. The MAC filtering is good for stopping the casual user/hacker.

The IP I would suspect is for blocking by IP for inbound traffic I guess. I couldn't tell you if that's for a LAN or WAN IP or it can do both LAN and WAN IP(s) on the inbound.

Duane :)

Reply to
Duane Arnold

It's not my livelihood like some of the Top Guns in the NG, but I have a little skill to say the least about it.

Duane :)

Reply to
Duane Arnold

I got the signal too late:

ENOCOFFE

;-)

VB.

Reply to
Volker Birk

I hooked up the FR114P to get a look.

There are separate areas for blocking inbound and outbound. However, by default it allows all outbound traffic, and blocks all inbound. If it's going to allow all outbound anyway, what's the point? I do have the option of blocking a particular service, but that's all.

Reply to
K2NNJ
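
The router behaviour discussed in this thread (unsolicited inbound dropped unless a port is forwarded, all outbound allowed by default, optional block of one outbound service), modelled as an added example that is not part of any post and is not Netgear's firmware logic. The `Router` class, the addresses and the port numbers are constructed for illustration, and port translation is left out to keep the model small.

```python
from dataclasses import dataclass, field

@dataclass
class Router:
    """Toy model of a home NAT/SPI router (hypothetical, no port translation)."""
    forwards: dict = field(default_factory=dict)         # WAN port -> (LAN IP, LAN port)
    blocked_out_ports: set = field(default_factory=set)  # outbound services blocked
    states: set = field(default_factory=set)             # flows opened from the LAN

    def outbound(self, lan_ip, lan_port, wan_ip, wan_port):
        """LAN -> WAN: allowed by default unless that service is blocked."""
        if wan_port in self.blocked_out_ports:
            return "DROP (outbound service blocked)"
        self.states.add((lan_ip, lan_port, wan_ip, wan_port))
        return "ALLOW (state created)"

    def inbound(self, wan_ip, wan_port, dst_port):
        """WAN -> router: needs a matching state or a port-forward rule."""
        for lan_ip, lan_port, r_ip, r_port in self.states:
            if (r_ip, r_port, lan_port) == (wan_ip, wan_port, dst_port):
                return f"ALLOW (reply to {lan_ip})"
        if dst_port in self.forwards:
            ip, port = self.forwards[dst_port]
            return f"ALLOW (forwarded to {ip}:{port})"
        return "DROP (unsolicited)"

def demo():
    """Walk through the cases raised in the thread; all addresses are constructed."""
    r, out = Router(), []
    out.append(r.inbound("203.0.113.9", 40000, 80))        # nothing forwarded yet
    out.append(r.outbound("192.168.0.2", 51000, "198.51.100.7", 443))
    out.append(r.inbound("198.51.100.7", 443, 51000))      # reply to that flow
    out.append(r.inbound("203.0.113.9", 443, 51000))       # other host, same ports
    r.forwards[80] = ("192.168.0.10", 80)                   # port forwarding enabled
    out.append(r.inbound("203.0.113.9", 40000, 80))
    r.blocked_out_ports.add(25)                             # block one outbound service
    out.append(r.outbound("192.168.0.2", 51001, "198.51.100.7", 25))
    out.append(r.outbound("192.168.0.2", 51002, "198.51.100.7", 8080))
    return out

if __name__ == "__main__":
    for line in demo():
        print(line)
```

The last two results show the limit of a per-service outbound block: the blocked port is dropped, while the same host reaching any other port still passes under the allow-all default.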
