Firewall Router

Hi all
I read Dapper Dan's bout with Router Firewall in this Forum. Since I've used
this Forum for many years....here goes. Since free firewalls are becoming a
thing of the past unless you go for those with 3 or 6 months 'trial' periods
which you cant get rid of when the time is off, I asked for a ROUTER for my
80th bithday in october. I was thinking, why pay 39$ (can) every year, when
I can buy a router for 59$. I don't pretend to understand the full saga
that Dan had, but I'd like to have your opinion about using a router for a
firewall.
Or I'm I on the wrong track.
--
cogito ergo sum

PAT (Paul) wrote:
Hi all
I read Dapper Dan's bout with Router Firewall in this Forum. Since I've used
this Forum for many years....here goes. Since free firewalls are becoming a
thing of the past unless you go for those with 3 or 6 months 'trial' periods
which you cant get rid of when the time is off, I asked for a ROUTER for my
80th bithday in october. I was thinking, why pay 39$ (can) every year, when
I can buy a router for 59$. I don't pretend to understand the full saga
that Dan had, but I'd like to have your opinion about using a router for a
firewall.
Or I'm I on the wrong track.

No, it's a good idea to have both with Windows. Most routers don't come
with the firewall enabled so you will have to go into the router to
enable it. See the written material that comes with it to know how. If
you're using XP, no need to buy a software one, use the one that comes
with XP. Another advantage to a router is that you can connect more than
one machine to the same Internet connection.

M

From: "PAT (Paul)"

| Hi all
| I read Dapper Dan's bout with Router Firewall in this Forum. Since I've used
| this Forum for many years....here goes. Since free firewalls are becoming a
| thing of the past unless you go for those with 3 or 6 months 'trial' periods
| which you cant get rid of when the time is off, I asked for a ROUTER for my
| 80th bithday in october. I was thinking, why pay 39$ (can) every year, when
| I can buy a router for 59$. I don't pretend to understand the full saga
| that Dan had, but I'd like to have your opinion about using a router for a
| firewall.
| Or I'm I on the wrong track.
| --
| cogito ergo sum

First you have to understand that regular routers are NOT FireWalls. The perform Network
Address Translation (NAT) to go between the pulic WAN IP address and a LAN of private IP
addreses. It is in the NAT process that it acts as a simplistic FireWall.

However you can obtain a Router with a full FireWall implementation. That is it doesn't
just perform simple port blocking , port forwarding, NAT , etc. it has a well of
capabilities that make a true FireWall.

Then there are complete standalone FireWall appliances.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Hi
How are you connecting at the moment? - USB modem?
If so, then you'll find that using a router will make life simpler, and
(probably) faster as well, since you will be able to uninstall all the
rubbish that your ISP insisted you install along with the drivers and
connectoids for the modem.
DO NOT install any of the software that comes with the router - it's almost
always totally unnecessary.

David is right, in that the NAT function of the router is not a true
firewall - but in many ways it's actually better, as it requires (almost) no
setup (except in specific situations, like remote assistance/desktop - which
may be already enabled on many 'retail' routers) - many of the
quicker-spreading viruses of the past 10 years wouldn't have got a foothold
if the world had been using routers rather than USB modems/dialup.

I routinely recommend to my clients that they uninstall/disable third-party
firewalls in XP/Vista and just use the built-in versions as backup and to
reduce the chances of drive-by (literally!) hacking from wireless
connections.


Points to bear in mind when initially setting up your router (NOT a complete
list!)
If you don't need wireless connectivity, either don't get a wireless router,
or disable the wireless options.
Initial setup is always best done using the wired connection.
Use the built-in HTML (web access) pages to manage the router, and change
the admin password to one of your own.
Update the firmware as soon as possible after the install - there are
usually fairly simple instructions for that on the router - especially if
using Vista, as some routers aren't fully vista-capable out of the box (less
so once updated).
If you do need wireless capability, make sure that you change the SSID, use
at least WPA protocol to connect, and use a nice long passphrase that you
can remember.
Don't try and get fancy with the control aspects of the router - it's all
too easy to forget that you've switched something off, and spend hours
hunting for software problems on a (new/guest) computer, when all it needs
is a couple of click on the router control panel (BTDT)!
It's worth enabling UPnP on the router (and in Windows) - this gives
automated control for certain operations/programs (such as torrent
downloaders) so that you don't have to configure exceptions to the router
configuration. If you do this, then it may become more important to have a
two-way firewall on your PC, since there's otherwise no flags telling you
what program is using UPnP to configure the router. (I suspect that David
would disable UPnP everywhere - but IMHO, that's unnecessary)

--
Noel Paton
CrashFixPC

Nil Carborundum Illegitemi
www.crashfixpc.co.uk
"PAT (Paul)" wrote in message
...
Hi all
I read Dapper Dan's bout with Router Firewall in this Forum. Since I've
used
this Forum for many years....here goes. Since free firewalls are becoming
a
thing of the past unless you go for those with 3 or 6 months 'trial'
periods
which you cant get rid of when the time is off, I asked for a ROUTER for
my
80th bithday in october. I was thinking, why pay 39$ (can) every year,
when
I can buy a router for 59$. I don't pretend to understand the full saga
that Dan had, but I'd like to have your opinion about using a router for a
firewall.
Or I'm I on the wrong track.
--
cogito ergo sum

From: "Noel Paton"

| Hi
| How are you connecting at the moment? - USB modem?
| If so, then you'll find that using a router will make life simpler, and
| (probably) faster as well, since you will be able to uninstall all the
| rubbish that your ISP insisted you install along with the drivers and
| connectoids for the modem.
| DO NOT install any of the software that comes with the router - it's almost
| always totally unnecessary.

| David is right, in that the NAT function of the router is not a true
| firewall - but in many ways it's actually better, as it requires (almost) no
| setup (except in specific situations, like remote assistance/desktop - which
| may be already enabled on many 'retail' routers) - many of the
| quicker-spreading viruses of the past 10 years wouldn't have got a foothold
| if the world had been using routers rather than USB modems/dialup.

| I routinely recommend to my clients that they uninstall/disable third-party
| firewalls in XP/Vista and just use the built-in versions as backup and to
| reduce the chances of drive-by (literally!) hacking from wireless
| connections.


| Points to bear in mind when initially setting up your router (NOT a complete
| list!)
| If you don't need wireless connectivity, either don't get a wireless router,
| or disable the wireless options.
| Initial setup is always best done using the wired connection.
| Use the built-in HTML (web access) pages to manage the router, and change
| the admin password to one of your own.
| Update the firmware as soon as possible after the install - there are
| usually fairly simple instructions for that on the router - especially if
| using Vista, as some routers aren't fully vista-capable out of the box (less
| so once updated).
| If you do need wireless capability, make sure that you change the SSID, use
| at least WPA protocol to connect, and use a nice long passphrase that you
| can remember.
| Don't try and get fancy with the control aspects of the router - it's all
| too easy to forget that you've switched something off, and spend hours
| hunting for software problems on a (new/guest) computer, when all it needs
| is a couple of click on the router control panel (BTDT)!
| It's worth enabling UPnP on the router (and in Windows) - this gives
| automated control for certain operations/programs (such as torrent
| downloaders) so that you don't have to configure exceptions to the router
| configuration. If you do this, then it may become more important to have a
| two-way firewall on your PC, since there's otherwise no flags telling you
| what program is using UPnP to configure the router. (I suspect that David
| would disable UPnP everywhere - but IMHO, that's unnecessary)

| --
| Noel Paton
| CrashFixPC

Nope, uPnP is fine with me :-)

However there are a few things I would do...

Turn off remote management (management from the WAN side)
Disable ICMP replies (turn off ping replies)
Change the default password (thwart DNSChanger trojans)
Specifically block TCP/UDP port 135 ~ 139 and 445


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

David H. Lipman wrote:
From: "Noel Paton"

Hi
How are you connecting at the moment? - USB modem?
If so, then you'll find that using a router will make life simpler,
and (probably) faster as well, since you will be able to uninstall
all the rubbish that your ISP insisted you install along with the
drivers and connectoids for the modem.
DO NOT install any of the software that comes with the router - it's
almost always totally unnecessary.

David is right, in that the NAT function of the router is not a true
firewall - but in many ways it's actually better, as it requires
(almost) no setup (except in specific situations, like remote
assistance/desktop - which may be already enabled on many 'retail'
routers) - many of the quicker-spreading viruses of the past 10
years wouldn't have got a foothold if the world had been using
routers rather than USB modems/dialup.

I routinely recommend to my clients that they uninstall/disable
third-party firewalls in XP/Vista and just use the built-in versions
as backup and to reduce the chances of drive-by (literally!) hacking
from wireless connections.


Points to bear in mind when initially setting up your router (NOT a
complete list!)
If you don't need wireless connectivity, either don't get a wireless
router, or disable the wireless options.
Initial setup is always best done using the wired connection.
Use the built-in HTML (web access) pages to manage the router, and
change the admin password to one of your own.
Update the firmware as soon as possible after the install - there are
usually fairly simple instructions for that on the router -
especially if using Vista, as some routers aren't fully
vista-capable out of the box (less so once updated).
If you do need wireless capability, make sure that you change the
SSID, use at least WPA protocol to connect, and use a nice long
passphrase that you can remember.
Don't try and get fancy with the control aspects of the router -
it's all too easy to forget that you've switched something off, and
spend hours hunting for software problems on a (new/guest) computer,
when all it needs is a couple of click on the router control panel
(BTDT)!
It's worth enabling UPnP on the router (and in Windows) - this gives
automated control for certain operations/programs (such as torrent
downloaders) so that you don't have to configure exceptions to the
router configuration. If you do this, then it may become more
important to have a two-way firewall on your PC, since there's
otherwise no flags telling you what program is using UPnP to
configure the router. (I suspect that David would disable UPnP
everywhere - but IMHO, that's unnecessary)

--
Noel Paton
CrashFixPC

Nope, uPnP is fine with me :-)

However there are a few things I would do...

Turn off remote management (management from the WAN side)
Disable ICMP replies (turn off ping replies)
Change the default password (thwart DNSChanger trojans)
Specifically block TCP/UDP port 135 ~ 139 and 445

If we're talking XP here, Windows Worms Door Cleaner (No, OK, Yes - iirc):
http://www.firewallleaktester.com/wwdc.htm

And I do not get the widespread recommendation not to run a 3rd party
firewall. In XP, Kerio 2.1.5 does not interfere with either the Windows
Firewall or routers and why on earth anyone would *not* want something
alerting one to malware trying to phone home (or without a 3rd party
firewall, *actually* phoning home) I do not understand for one moment.

Quite regardless that its a gamble that one's precautions stop *everything*
untoward being installed; and that there is plenty of freeware that installs
adware/spyware if we run Setup without paying close enough attention: almost
all malware today is specifically intended to phone home. A firewall that
does not notify on outgoing attempts is IMO a scandal.

(Kerio 2.1.5 is not entirely secure on it's own, what with being so old and
not having been patched - and I would no longer recommend it for anything
other than XP, or for XP with Windows Firewall turned off and/or without a
hardware firewall).

Shane

On Sat, 18 Apr 2009 13:33:29 +0100, Lucas Wader-Magneto wrote:

And I do not get the widespread recommendation not to run a 3rd party
firewall. In XP, Kerio 2.1.5 does not interfere with either the Windows
Firewall or routers and why on earth anyone would *not* want something
alerting one to malware trying to phone home (or without a 3rd party
firewall, *actually* phoning home) I do not understand for one moment.

I got tired of those popups, and configured my firewall in such a way that I
did not see them; then realized that I was being sufficiently permissive as
to not catch malware that way, anyway. So I was negating that very feature
you flog as "protective". Just as well to not have that firewall as to
ignore those popups.

--
Norman
~Shine, bright morning light,
~now in the air the spring is coming.
~Sweet, blowing wind,
~singing down the hills and valleys.

N. Miller wrote:
On Sat, 18 Apr 2009 13:33:29 +0100, Lucas Wader-Magneto wrote:

And I do not get the widespread recommendation not to run a 3rd party
firewall. In XP, Kerio 2.1.5 does not interfere with either the
Windows Firewall or routers and why on earth anyone would *not* want
something alerting one to malware trying to phone home (or without a
3rd party firewall, *actually* phoning home) I do not understand for
one moment.

I got tired of those popups, and configured my firewall in such a way
that I did not see them; then realized that I was being sufficiently
permissive as to not catch malware that way, anyway. So I was
negating that very feature you flog as "protective". Just as well to
not have that firewall as to ignore those popups.

I thought you knew what you were talking about, but apparently...

Shane

Noel, thanks for response. To anwer your query: using XP SP3. ADSL Modem
medium speed, P4 2.26 KHz, 512 KB RAM (will increase to another 1 MB ASAP),
2 HD 40 GB and 80 GB. Using only one machine, but may connect my old Win Me
for my grandchilden visit. As for installing software from the Firewall,
gee I'm still disconnecting some crap that came with the XP: Norton, etc.
Also there is a file called Prefetch, can it be disconnected? . As for
Kerio 2.l.5 Shane is right cant be used, but I did for years on Win Me but
hast been updated since Oct.06 and now its V. 4.x from Sunbelt and 3 months
trial.
Same for most of the free ones. Guess its a Router including the built-in
firewall, or just a stand alone 3rd party firewall. Cheers to all.
l

--
cogito ergo sum


"Noel Paton" wrote:

Hi
How are you connecting at the moment? - USB modem?
If so, then you'll find that using a router will make life simpler, and
(probably) faster as well, since you will be able to uninstall all the
rubbish that your ISP insisted you install along with the drivers and
connectoids for the modem.
DO NOT install any of the software that comes with the router - it's almost
always totally unnecessary.

David is right, in that the NAT function of the router is not a true
firewall - but in many ways it's actually better, as it requires (almost) no
setup (except in specific situations, like remote assistance/desktop - which
may be already enabled on many 'retail' routers) - many of the
quicker-spreading viruses of the past 10 years wouldn't have got a foothold
if the world had been using routers rather than USB modems/dialup.

I routinely recommend to my clients that they uninstall/disable third-party
firewalls in XP/Vista and just use the built-in versions as backup and to
reduce the chances of drive-by (literally!) hacking from wireless
connections.


Points to bear in mind when initially setting up your router (NOT a complete
list!)
If you don't need wireless connectivity, either don't get a wireless router,
or disable the wireless options.
Initial setup is always best done using the wired connection.
Use the built-in HTML (web access) pages to manage the router, and change
the admin password to one of your own.
Update the firmware as soon as possible after the install - there are
usually fairly simple instructions for that on the router - especially if
using Vista, as some routers aren't fully vista-capable out of the box (less
so once updated).
If you do need wireless capability, make sure that you change the SSID, use
at least WPA protocol to connect, and use a nice long passphrase that you
can remember.
Don't try and get fancy with the control aspects of the router - it's all
too easy to forget that you've switched something off, and spend hours
hunting for software problems on a (new/guest) computer, when all it needs
is a couple of click on the router control panel (BTDT)!
It's worth enabling UPnP on the router (and in Windows) - this gives
automated control for certain operations/programs (such as torrent
downloaders) so that you don't have to configure exceptions to the router
configuration. If you do this, then it may become more important to have a
two-way firewall on your PC, since there's otherwise no flags telling you
what program is using UPnP to configure the router. (I suspect that David
would disable UPnP everywhere - but IMHO, that's unnecessary)

--
Noel Paton
CrashFixPC

Nil Carborundum Illegitemi
www.crashfixpc.co.uk

As for Kerio 2.l.5
Shane is right cant be used, but I did for years on Win Me but hast
been updated since Oct.06 and now its V. 4.x from Sunbelt and 3
months trial.

No, it *can* be used. I've been running 2.1.5 - with Windows Firewall
enabled - in XP since pre-SP1. I have it running right now in SP3, with
Windows Firewall and a router with hardware firewall. Once upon a time - and
before the router, not that the router is a drain - this was with a measly
256MB RAM, without performance issues.

The Sunbelt continuation of Kerio PF is still free, it just runs in full
mode for however long (3 months?), after which if you don't want the extras
it continues in basic mode. I doubt it would be as compatible with Windows
Firewall as 2.1.5 is, so I would turn the latter off were I running it. And
I would be running it were it not for I only need one for monitoring
outboound traffic - and you can't get much less obtrusive than 2.1.5 (as you
doubtless know!).

I also use it - or variations thereof (2.1.4 - and the Tiny version) in
virtual machines that are themselves behind the router and running on XP
running 2.1.5 and WF!

Shane