Why you need a firewall on your PC enabled

Unfortunately most routers have an extremely basic firewall and for the most part will just allow everything out. The NAT configuration on your router will allow established sessions to communicate back to the originating host. Incorrectly configured NAT/port forwarding/firewall on the router (by the way, a good router will allow you to change NAT settings, port forwarding and additional firewall settings) will render your PC open to abuse from the wild.

Your Windows firewall will act as a gatekeeper, allowing some traffic through and discarding incoming traffic. This works quite fine until another PC/device on your network needs to speak to your PC.

The simplest way is to let Windows prompt you when an application wants to open up ports. If you already know the ports, protocols and direction of the traffic you can quite easily just add the appropriate rules.

Ultimately there is no reason to run a PC anywhere without a firewall enabled.
 
Agreed, go without anti-virus before going without a firewall.

IPcop or Smoothwall?

Both are pretty good, as is M0n0wall. However my home router is a Cisco 880 ISR which has an integrated zone based firewall. Additionally internet bound traffic on my LAN at home is routed through a CentOS server which acts as the DHCP and DNS server for the network.

All traffic (phones, tablets, PCs, laptops, consoles, etc.) routes via the CentOS server to the router. Wireless is isolated and cannot telnet or SSH to the router or server. On the server I'm running firewalld, which controls traffic.

So basically the network between the Router and Server is my DMZ. The WiFi network, although the Access Point is integrated in the Router, sets the default gateway as the internal IP of the server. I have three private IP ranges in my LAN.

10.0.1.0/28 is my Wired LAN
10.0.1.16/28 is my Wireless LAN
192.168.1.0/29 is my DMZ

My Router is 192.168.1.1 and my Server's DMZ address is 192.168.1.2 (GW of 192.168.1.1) and the Internal address of the server is 10.0.1.1

Then for firewalld you'd do something like:
# eth0 faces the 10.0.1.0 LANs, eth1 faces the 192.168.1.0/29 DMZ link to the router
firewall-cmd --permanent --zone=internal --change-interface=eth0
firewall-cmd --permanent --zone=dmz --change-interface=eth1
# 10.0.1.0/24 covers both the wired /28 and the wireless /28
firewall-cmd --permanent --zone=internal --add-source=10.0.1.0/24
firewall-cmd --permanent --zone=dmz --add-source=192.168.1.0/29
# NAT the LAN behind the server's DMZ address on the way out; --permanent so it survives a reload
firewall-cmd --permanent --zone=dmz --add-masquerade
firewall-cmd --reload

etc. etc. etc. I like fine-grained control. Also, I have rsyslog configured on my server and all my router and other logs get pushed there. So if I hook up a new device (like a smart TV) I'll tail my firewall logs (the server and router) and start checking EXACTLY what it's doing. I generally don't mind 80 (HTTP) and 443 (HTTPS) traffic going from my devices out to the internet, but when I start seeing strange shit I get worried (I'm looking at you, Huawei devices).
 
Yup, I did go with the complete overkill option here, but then again I got all the hardware for free and I'm just paranoid about security in general.

However, for the peeps that want to buy a relatively cheap hardware firewall. http://routerboard.com/RB750r2 and http://routerboard.com/RB2011iL-IN are going for $39.95 and $99.00 respectively and support a bucket load of configurable options.
Yeah, toyed with the idea of setting up a FW... but then sanity prevailed & I realised I'm getting practically no value from that $99 spending.

If one is planning to go into IT then I guess it could make sense as a practical project...
 
For 90% of users just having the basic firewall on your router and your windows firewall enabled is sufficient to provide you with a comfortable level of protection without affecting your user experience.

Unfortunately there are no good free IDS/IPS (Intrusion Detection System/Intrusion Prevention System) available for home use, which is why I operate at home on the principle of the absolute minimum amount of access required to operate. You'd actually be surprised if you saw exactly how and what is communicating out from your network (again, looking at you, Huawei).

Fortunately most systems and software packages will publish the ports and protocols required for it to operate.
 
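The two posts above both come down to the same exercise: push the firewall logs to one place, then watch what a newly connected device actually talks to and flag anything that is not plain HTTP/HTTPS. The following is an added example, not code from the thread or from firewalld itself. It parses netfilter-style log lines (the `SRC=... DST=... PROTO=... DPT=...` format that a kernel LOG target writes; firewalld's `LogDenied` setting uses the prefix `FINAL_REJECT:`). The `FWD_OK:` prefix for accepted flows is an assumption: it would come from a rich rule of your own with a `log prefix=` clause, which firewalld does support. The sample log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in netfilter LOG format. "FINAL_REJECT:" is the
# prefix firewalld uses for LogDenied; "FWD_OK:" is an assumed prefix from a
# custom rich rule that logs accepted forwarded traffic. Not real captures.
SAMPLE_LOG = """\
Jan 12 10:01:02 srv kernel: FWD_OK: IN=eth0 OUT=eth1 SRC=10.0.1.20 DST=93.184.216.34 PROTO=TCP SPT=51000 DPT=443 SYN
Jan 12 10:01:03 srv kernel: FWD_OK: IN=eth0 OUT=eth1 SRC=10.0.1.20 DST=93.184.216.34 PROTO=TCP SPT=51001 DPT=80 SYN
Jan 12 10:01:05 srv kernel: FWD_OK: IN=eth0 OUT=eth1 SRC=10.0.1.20 DST=198.51.100.7 PROTO=UDP SPT=40000 DPT=8888
Jan 12 10:01:06 srv kernel: FWD_OK: IN=eth0 OUT=eth1 SRC=10.0.1.20 DST=198.51.100.7 PROTO=TCP SPT=51002 DPT=5222 SYN
Jan 12 10:01:09 srv kernel: FINAL_REJECT: IN=eth0 OUT=eth1 SRC=10.0.1.20 DST=203.0.113.9 PROTO=TCP SPT=51003 DPT=23 SYN
Jan 12 10:02:00 srv kernel: FWD_OK: IN=eth0 OUT=eth1 SRC=10.0.1.5 DST=93.184.216.34 PROTO=TCP SPT=60000 DPT=443 SYN
"""

# "kernel: <PREFIX>: key=value key=value ..."
LINE_RE = re.compile(r"kernel: (?P<prefix>[A-Z_]+): (?P<fields>.*)$")

# Outbound traffic the thread's author does not mind seeing.
ALLOWED_PORTS = {("TCP", 80), ("TCP", 443)}


def parse_line(line):
    """Turn one netfilter log line into a dict, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    tokens = m.group("fields").split()
    fields = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
    if "SRC" not in fields or "DST" not in fields:
        return None
    proto = fields.get("PROTO", "?")
    return {
        "prefix": m.group("prefix"),
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": proto,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        # Count TCP only on the SYN (new connection); every UDP packet counts.
        "new": "SYN" in tokens or proto == "UDP",
    }


def summarize(log_text, device_ip):
    """Count new outbound flows from device_ip, keyed by (dst, proto, port, verdict)."""
    flows = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["src"] == device_ip and rec["new"]:
            flows[(rec["dst"], rec["proto"], rec["dpt"], rec["prefix"])] += 1
    return dict(flows)


def suspicious(log_text, device_ip):
    """Flows from device_ip that are anything other than plain HTTP/HTTPS."""
    out = []
    for (dst, proto, dpt, prefix), n in sorted(summarize(log_text, device_ip).items()):
        if (proto, dpt) not in ALLOWED_PORTS:
            out.append((dst, proto, dpt, prefix, n))
    return out


if __name__ == "__main__":
    # Review the new device at 10.0.1.20: what it reached, and what the
    # firewall already rejected (the telnet attempt shows as FINAL_REJECT).
    for dst, proto, dpt, prefix, n in suspicious(SAMPLE_LOG, "10.0.1.20"):
        print(f"{dst:>15} {proto:<4} {dpt:<6} {prefix:<13} x{n}")
```

In practice you would feed it `tail -F /var/log/messages` (or whatever file rsyslog writes the kernel facility to) instead of the embedded string, and the `FINAL_REJECT` entries are the ones that tell you the deny-by-default zone is doing its job.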
Yeah, the first time I set up UVNC on my home PC and stupidly left the port as default, I quickly became aware just how much phishing and stuff actually goes on (constant "could not connect to remote x.x.x.x"). Which made me wise up. I'm happy now at home with personal tailor-made router port forwarding and firewall settings, and I feel that's enough for me. Agree that a separate box is slightly overkill for a basic user, but it's definitely fun to play with if you wanna learn a bit more.

But yeah, as long as your PC isn't naked out to the WWW, your router (if not everything is set to default) is enough for all the automated shit out there... imo
 