aleshik1 (Member, Newark, NJ, join:2004-07-10)

Is it safe to disable router's firewall?

My computer is connected to the internet through a router at the moment

Router---Ethernet cable--PC
and I have a laptop connected by the wireless signal from the router.

Would it be safe to disable the router firewall if both computers have a firewall installed on them?

Its a Secret (Premium Member, Da wet coast, join:2008-02-23)

While this isn't an ideal situation, you could do it. Why do you want to disable your router's FW? What kind of software FW do you run?

EGeezer (Premium Member, Midwest, join:2002-08-04) to aleshik1

If your systems and applications are properly secured and currently patched, they would probably be safe on a router with a disabled firewall, as long as your system firewalls are properly configured, active and not subject to vulnerabilities or DoS.

Personally, I like the router firewall - it eliminates the usual internet noise and wasted CPU cycles associated with firewalled activity. It also provides a second level of protection for the systems at the network perimeter when/if a system firewall shuts down abnormally or as part of an update process.

When/if you decide to shut down the router firewall, be prepared to see lots of messages and activity you hadn't been seeing.

nwrickert (Mod, Geneva, IL, join:2004-09-04) to aleshik1

Would it be safe to disable the router firewall if both computers have a firewall installed on them?
The firewall is disabled on my router. I have not seen any ill effects.

If you are using a standard NAT, then the most important part of the router firewall is actually a side effect of NAT, and cannot be fully disabled. Well, you can put one computer on the DMZ, which disables it for that one computer. If you don't put a computer on the DMZ, then your systems are still protected by the router even with the router firewall disabled. The router firewall typically deals with outbound packet filtering, and the inbound protection is part of NAT.
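
The state-table behaviour nwrickert describes above, as an added worked example that is not from this thread: a toy NAT/PAT router in Python. The addresses (203.0.113.x and 198.51.100.x are documentation ranges, 192.168.1.x is the inside network), the port numbers and the packets are all constructed. Outbound traffic creates a mapping; an inbound packet is translated only if it matches a mapping an inside host created, otherwise it is dropped, unless a DMZ host is configured, in which case unsolicited traffic is handed to that host unchanged.

```python
"""Toy NAT/PAT table (added example, not from the thread).

Shows why a plain NAT router drops unsolicited inbound traffic even with its
"firewall" feature off: an inbound packet is only translated if it matches a
mapping that an inside host created by sending outbound. A DMZ host is the
one exception. All addresses, ports and packets are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.7"  # router WAN address (RFC 5737 documentation range)


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, dmz_host: Optional[str] = None) -> None:
        self.dmz_host = dmz_host
        # inside 5-tuple -> public port allocated for it
        self.outbound: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, public port, remote ip, remote port) -> (inside ip, inside port)
        self.inbound: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        self.next_port = 40000

    def lan_to_wan(self, pkt: Packet) -> Packet:
        """Translate an outbound packet, creating a mapping on first use."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            pub = self.next_port
            self.next_port += 1
            self.outbound[key] = pub
            # the reverse entry is what lets the reply back in, and nothing else
            self.inbound[(pkt.proto, pub, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, PUBLIC_IP, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def wan_to_lan(self, pkt: Packet) -> Optional[Packet]:
        """Translate an inbound packet, or return None if the router drops it."""
        if pkt.dst_ip != PUBLIC_IP:
            return None
        hit = self.inbound.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if hit is not None:
            inside_ip, inside_port = hit
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, inside_ip, inside_port)
        if self.dmz_host is not None:
            # unsolicited traffic is forwarded to the DMZ host, port unchanged
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, self.dmz_host, pkt.dst_port)
        return None  # no mapping, no DMZ: dropped, firewall feature or not


def demo() -> Dict[str, Optional[Packet]]:
    """Walk through the cases discussed in the thread; returns them by name."""
    r = NatRouter()
    out = r.lan_to_wan(Packet("tcp", "192.168.1.10", 51000, "198.51.100.5", 443))
    results: Dict[str, Optional[Packet]] = {
        "outbound": out,
        # reply from the server the inside host contacted: matches the mapping
        "reply": r.wan_to_lan(Packet("tcp", "198.51.100.5", 443, PUBLIC_IP, out.src_port)),
        # unsolicited probe at a port that looks like a service: no mapping
        "probe": r.wan_to_lan(Packet("tcp", "198.51.100.99", 12345, PUBLIC_IP, 22)),
        # a different remote host guessing the mapped port: still no mapping
        "guess": r.wan_to_lan(Packet("tcp", "198.51.100.99", 443, PUBLIC_IP, out.src_port)),
    }
    dmz = NatRouter(dmz_host="192.168.1.20")
    results["probe_with_dmz"] = dmz.wan_to_lan(Packet("tcp", "198.51.100.99", 12345, PUBLIC_IP, 22))
    return results


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:15s} {'dropped' if pkt is None else pkt}")
```

The filtering modelled here is address-and-port-dependent: an inbound packet has to come from the same remote address and port the inside host talked to. Real home routers differ, and RFC 4787 catalogues the looser UDP variants that make hole punching work, but none of them admit a packet that matches no mapping at all, which is the part of the protection that "cannot be fully disabled".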

Ravenheart (Member, Berkeley, CA, join:2006-02-10) to aleshik1

I've noticed with DD-WRT firmware that if you turn off the firewall (SPI), you turn off stealthing of ports, as reported by grc.com, for instance. It's controversial, I guess, but most people probably prefer being stealthed. I don't know if other router firmware behaves this way.

Crypto_Bug (Member, Torrington, CT, join:2001-05-31) to aleshik1

What type of router are you using? Is it stateful packet inspection, or is it just doing NAT and perhaps some static packet filtering? Keep in mind that even if the router does claim to do stateful packet inspection, that just means it is performing stateful packet inspection for at least one protocol; it doesn't mean it performs stateful packet inspection for all protocols. If it is just doing NAT then some of your protection comes from your having a private address; however, if the router supports loose source routing it is still pretty easy to get around the protection provided by NAT.
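
Crypto_Bug's loose-source-routing point, as an added example that was not posted in the thread: a packet arriving on the WAN side carrying an IPv4 Loose Source Route (option type 131) or Strict Source Route (type 137) option names its own next hops, so a router that honours the option can be handed an inside address as the next hop regardless of what is in the NAT table. The check a practitioner wants is that the WAN ingress path drops any packet carrying such an option. The header builder, the addresses and the packets below are constructed for the demonstration; the option type values and layout are those of RFC 791.

```python
"""WAN-ingress check for IPv4 source-route options (added example, not from
the thread). A packet carrying a Loose (LSRR, type 131) or Strict (SSRR,
type 137) Source Route option names its own next hops, so a router that
honours the option can be steered past its NAT table. The safe policy on an
untrusted interface is to drop such packets. Header builder, addresses and
packets below are constructed for the demonstration."""
import socket
import struct
from typing import List, Tuple

IPOPT_EOL, IPOPT_NOP = 0, 1
SOURCE_ROUTE_TYPES = {131: "LSRR", 137: "SSRR"}  # RFC 791 option type octets


def build_ipv4(src: str, dst: str, options: bytes = b"", proto: int = 6) -> bytes:
    """Build a minimal IPv4 header (checksum left 0) with the given options."""
    while len(options) % 4:
        options += bytes([IPOPT_EOL])          # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s",
                        (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, proto, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    return fixed + options


def parse_ipv4_options(pkt: bytes) -> List[Tuple[int, bytes]]:
    """Return (type, data) for each option in the header; raise on malformed input."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = pkt[0] & 0x0F
    if ihl < 5 or len(pkt) < ihl * 4:
        raise ValueError("bad IHL")
    opts = pkt[20:ihl * 4]
    found: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        # a length that runs past the header is the classic option-parser trap
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        found.append((t, bytes(opts[i + 2:i + length])))
        i += length
    return found


def source_route_hops(pkt: bytes) -> List[str]:
    """Addresses listed in any LSRR/SSRR option, in order (empty if none)."""
    hops: List[str] = []
    for t, data in parse_ipv4_options(pkt):
        if t in SOURCE_ROUTE_TYPES:
            if len(data) < 1:
                raise ValueError("source-route option without pointer")
            route = data[1:]                      # data[0] is the pointer octet
            for k in range(0, len(route) - len(route) % 4, 4):
                hops.append(socket.inet_ntoa(route[k:k + 4]))
    return hops


def wan_ingress_decision(pkt: bytes) -> str:
    """Policy for the untrusted interface: drop source-routed or malformed packets."""
    try:
        hops = source_route_hops(pkt)
    except ValueError as exc:
        return f"drop: {exc}"
    if hops:
        return "drop: source-routed via " + ", ".join(hops)
    return "pass"


if __name__ == "__main__":
    # constructed: an outside host addresses the router's public IP, but the
    # LSRR option names an inside host as the next hop
    lsrr = bytes([131, 7, 4]) + socket.inet_aton("192.168.1.10")
    print(wan_ingress_decision(build_ipv4("198.51.100.99", "203.0.113.7", lsrr)))
    print(wan_ingress_decision(build_ipv4("198.51.100.5", "203.0.113.7")))
```

Host and router stacks usually expose this as a switch (Linux has the accept_source_route sysctl, for instance), and the worked check above is the kind of thing to confirm on a SoHo box that gives no such option in its UI: send yourself a source-routed packet from outside and see whether anything arrives on the inside.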

TheWiseGuy (MVM, East Stroudsburg, PA, join:2002-07-04) to nwrickert

said by nwrickert:
Would it be safe to disable the router firewall if both computers have a firewall installed on them?
The firewall is disabled on my router. I have not seen any ill effects.

If you are using a standard NAT, then the most important part of the router firewall is actually a side effect of NAT, and cannot be fully disabled. Well, you can put one computer on the DMZ, which disables it for that one computer. If you don't put a computer on the DMZ, then your systems are still protected by the router even with the router firewall disabled.
Yep! Good explanation!
said by nwrickert:

The router firewall typically deals with outbound packet filtering, and the inbound protection is part of NAT.
Assuming the firewall is SPI, it will look a little deeper into the packet than NAT, which is why the firewall with SPI in many cases slows down the router. For the average user I doubt this adds *any* measurable benefit.

As to outbound protection, as you know, the router firewall will mostly block ports, which adds a slight measure of outbound protection. But of course, as you know, it can be bypassed by using remote port 80 on any system where web browsing is allowed.

Just figured I'd add a little more detail, to your excellent explanation, for other readers.

nwrickert (Mod, Geneva, IL, join:2004-09-04)

Just figured I add a little more detail, to your excellent explanation, for other readers.
Appreciated.

I have experimented with router firewalls. Output blocking can create subtle problems for yourself. The aim should be to keep the malware off my machine, not to allow it and then block it.

And I concur on SPI, as used on typical home routers. The benefits seem minor. The firewalling that is part of the NAT functionality is already adequate for most home and small office users.

spi (Anon, @66.128.17.x)

Here is a quick grab of a paragraph from Wikipedia regarding SPI. This is important to note. SPI not only keeps track of sessions and will not allow random packets to be inserted into the stream, it also watches for legitimate traffic establishing new connections coming back in, such as with active FTP, etc.

Before the advent of stateful firewalls, a stateless firewall, a firewall that treats each network frame (or packet) in isolation, was normal. Such a firewall has no way of knowing if any given packet is part of an existing connection, is trying to establish a new connection, or is just a rogue packet. Modern firewalls are connection-aware (or state-aware), affording network administrators finer-grained control of network traffic.

The classic example is the File Transfer Protocol, because by design it opens new connections to arbitrary ports. FTP, among other protocols, needs to be able to open connections to arbitrary high ports to function properly. Since a firewall has no way of knowing that the packet destined to the protected network, to some host's destination port 4970, is part of a legitimate FTP session, it will drop the packet. Stateful firewalls solve this problem by maintaining a table of open connections and intelligently associating new connection requests with existing legitimate connections.

TheWiseGuy (MVM, East Stroudsburg, PA, join:2002-07-04)

Modern NAT does a lot of that these days. Most implementations allow active FTP. NAT checks if a packet is part of an ongoing TCP connection from the (Port pair and IP) or if a UDP packet had been sent outbound to the IP from the port pair.

The Netgear site has a good page on the added advantages of SPI. For the average individual, unless they are targeted, most of these are not a major concern. Certainly for a major organization SPI can be helpful. Also, if you have reason to believe you might be targeted for a DoS attack, SPI would certainly help.

»kbserver.netgear.com/kb_ ··· 1218.asp

nwrickert (Mod, Geneva, IL, join:2004-09-04) to spi

Here is a quick grab of a paragraph off of wikipedia regarding SPI.
I am not denying its uses.

For the typical home router, the main benefit of SPI is to the marketing department, which can make the router sound more impressive than it really is.

For a complex corporate firewall, you really do need SPI. But management of such a firewall involves complexity beyond the ability of most home users and beyond the capability of most home routers.

spi (Anon, @66.128.17.x)

Agreed. I just didn't want everyone to think that SPI had no benefit to the user. For the other reply: NAT is an IP/port translation and should not be doing inspection to allow things such as active FTP to establish a NEW connection back into your network. NAT simply works with the IP/ports; for a router to realize it needs to allow a brand new connection from an outside host into an inside host, it needs to inspect the traffic to see the agreed-upon port that will be initiated back to the inside. They may market this stuff in a number of ways, but if you go by the definition NAT does not do inspection, or fixup, or ALG, or whatever your vendor's preferred term may be.

spi (Anon) to TheWiseGuy

I think you misunderstand how active FTP works. NAT does not handle active FTP by default. In active FTP the client establishes an outbound control connection to an FTP server, which is allowed through the router and NAT'd. The server replies to the request over the data channel and they agree on a port that the server can start a brand new connection to the client on. NAT will not know of this new connection and will NOT allow it. The port they agree upon is only mentioned within the data portion of the packet; therefore packet inspection must be done so the router can allow a newly established connection through to the correct host.

TheWiseGuy (MVM, East Stroudsburg, PA, join:2002-07-04)

I assure you I understand how active FTP works. An initial connection is made to Port 21 outbound. The Inbound return packet contains the port where the data connection will be established. You do not need to have an SPI FIREWALL, what the topic was about, for a modern NAT router to allow active FTP.

True, I said modern NAT when talking about FTP and probably should have said modern NAT routers. Still you could easily implement a sub-routine in NAT that checks if the remote is Port 21 and simply check the return packet as part of NAT without implementing a full SPI firewall, since active FTP is one of the oldest and most used protocols that require an inbound connection in response.

nwrickert (Mod, Geneva, IL, join:2004-09-04) to spi

SPI is not enough for active FTP. Rather, the router must monitor the data part of the packets to see what port is agreed to, create a special entry in its NAT table to handle that connection, and appropriately modify that data packet. Most home routers are designed to handle this.

Passive FTP will work without difficulty through a NAT router as long as no output blocking is being done.

If the FTP server is behind the NAT router, things are more complex and some home routers won't handle it properly.
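
The inspection step nwrickert describes (watch the control channel for the negotiated port, add a NAT entry for it, rewrite the packet), as an added Python example that is not from the thread and not any router vendor's actual implementation: a minimal active-mode FTP ALG. The public address 203.0.113.7, the inside client 192.168.1.10, the server 198.51.100.5 and the PORT line are constructed; the PORT syntax h1,h2,h3,h4,p1,p2 with port = p1*256 + p2 is from RFC 959.

```python
"""Minimal active-mode FTP ALG (added example, not from the thread and not any
vendor's implementation). The client behind NAT sends PORT h1,h2,h3,h4,p1,p2
on the control channel (RFC 959, port = p1*256 + p2); the ALG rewrites it to
the router's public address and a fresh public port, and records a one-shot
pinhole so the server's new inbound data connection is forwarded to the
client. Addresses and the PORT line are constructed."""
import re
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.7"  # router WAN address (RFC 5737 documentation range)
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


class FtpAlg:
    def __init__(self) -> None:
        self.next_public_port = 50000
        # (server ip, public port) -> (inside client ip, inside port)
        self.pinholes: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def rewrite_port_command(self, client_ip: str, server_ip: str, payload: bytes) -> bytes:
        """Inspect one outbound control-channel line (client -> server:21).

        Anything other than a well-formed PORT command passes through untouched.
        """
        m = PORT_RE.match(payload)
        if m is None:
            return payload
        fields = [int(x) for x in m.groups()]
        if any(f > 255 for f in fields):
            return payload  # not a valid PORT; let the server reject it
        h1, h2, h3, h4, p1, p2 = fields
        inside_ip = f"{h1}.{h2}.{h3}.{h4}"
        inside_port = p1 * 256 + p2
        if inside_ip != client_ip:
            # the client may only ask for a pinhole to itself, never to a third host
            raise ValueError(f"PORT names {inside_ip}, but the connection is from {client_ip}")
        public_port = self.next_public_port
        self.next_public_port += 1
        self.pinholes[(server_ip, public_port)] = (inside_ip, inside_port)
        o = PUBLIC_IP.split(".")
        return (f"PORT {o[0]},{o[1]},{o[2]},{o[3]},"
                f"{public_port // 256},{public_port % 256}\r\n").encode("ascii")

    def inbound_data_connection(self, server_ip: str, public_port: int) -> Optional[Tuple[str, int]]:
        """Inbound SYN from the FTP server to PUBLIC_IP:public_port.

        Returns the inside (ip, port) to forward to, or None to drop. The pinhole
        is consumed on use so it cannot be reused for a second connection.
        """
        return self.pinholes.pop((server_ip, public_port), None)


if __name__ == "__main__":
    alg = FtpAlg()
    line = b"PORT 192,168,1,10,200,50\r\n"           # client wants data on 192.168.1.10:51250
    rewritten = alg.rewrite_port_command("192.168.1.10", "198.51.100.5", line)
    print(rewritten)                                 # b'PORT 203,0,113,7,195,80\r\n'
    print(alg.inbound_data_connection("198.51.100.5", 50000))  # ('192.168.1.10', 51250)
    print(alg.inbound_data_connection("198.51.100.5", 50000))  # None: already consumed
```

Two caveats a real implementation has to deal with. Rewriting the PORT line changes the TCP payload length whenever the public address or port has a different number of digits, so the router must also adjust sequence and acknowledgement numbers for the rest of the control connection and recompute the TCP checksum; and none of this works once the control channel is inside TLS (FTPS), because the router can no longer read the PORT line. Both are reasons this logic belongs to the router's inspection code rather than to address/port translation itself. The address check in rewrite_port_command refuses a PORT that names a host other than the requesting client, since otherwise any inside machine could open a pinhole to any other inside machine.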

spi (Anon, @66.128.17.x) to TheWiseGuy

I guess where I am going with this is that by definition NAT alone cannot handle active FTP. In active FTP the server starts a new connection into the client and without some sort of packet inspection the router doesn't even know who to forward that traffic to. The traffic will be denied. Whatever you want to call this packet inspection that the router does to see that data port and know it is associated with the original outgoing ftp session is up to you but it is not NAT. BTW, you only described half of what an active ftp session does, you didn't even make it to the part that a basic router would have problems with.

spi (Anon) to nwrickert

I think that actually depends on who you ask. A lot of companies like to market it as a fixup, inspect, alg, etc. According to wiki it is part of SPI. I do agree with you though. Deep packet inspection must be done to determine this. We are on the same page and at the basic level I am sure you explain it much better than I do. It appears some think that NAT does deep packet inspection to know how to handle these types of traffic however if you go by true network definitions NAT does not do this type of inspection. As you said the NAT table may be updated but NAT itself is not responsible for the actual intelligence.

TheWiseGuy (MVM, East Stroudsburg, PA, join:2002-07-04) to spi

said by spi :

BTW, you only described half of what an active ftp session does, you didn't even make it to the part that a basic router would have problems with.
Huh, maybe you can not read.
said by Me :
An initial connection is made to Port 21 outbound. The Inbound return packet contains the port where the data connection will be established.

quote:
Still you could easily implement a sub-routine in NAT that checks if the remote is Port 21 and simply check the return packet as part of NAT without implementing a full SPI firewall,

You do understand Active FTP enough to understand that the DATA connection is the part you say will have a problem, not the control connection.

For you or anyone else that needs to understand active FTP
see

»slacksite.com/other/ftp.html

NAT/PAT is Name Address Translation/Port Address Translation, you must modify the NAT/PAT tables to allow inbound traffic from active FTP. It does not need to be done by a stateful firewall.

Ravenheart (Member, Berkeley, CA, join:2006-02-10) to Crypto_Bug

said by Crypto_Bug:

...if the router supports loose source routing it is still pretty easier to get around the protection provided by NAT.
Crypto_Bug, could you go into this a bit further? It's new to me, and the Wikipedia entry didn't help much. Do some SoHo routers have such an option?

spi (Anon, @66.128.17.x) to TheWiseGuy

lol... you are explaining this to me and you call it "Name Address Translation". Man, you need to get a refund on whatever certification you got... I agree with you, the NAT (Network Address Translation) table is updated, but NAT is not inspecting the traffic to determine this information for itself. NAT is not responsible for inspecting this traffic and NAT alone will not allow this inbound traffic. NAT alone cannot handle this type of traffic. Don't read any more into it; that is all I am trying to say. NAT alone cannot handle this type of traffic.

spi (Anon) to TheWiseGuy

BTW, since you brought it up, NAT/PAT as you call it are not one and the same.

TheWiseGuy (MVM, East Stroudsburg, PA, join:2002-07-04)

said by spi :

BTW, since you brought it up, NAT/PAT as you call it are not one and the same.
Sigh, I wish I could put anonymous trolls on ignore. I also wish the system were not all of a sudden informing me of every reply by an anonymous user.

Actually, if you read Cisco

»www.cisco.com/en/US/tech ··· 31.shtml
Overloading – A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports. Known also as PAT (Port Address Translation), single address NAT or port-level multiplexed NAT.
PAT is the name of a specific type of NAT.

I'm done feeding the troll. You do not need a stateful firewall, which is what this topic is about, to do active FTP.

spi (Anon, @66.128.17.x)
The guy that calls it Name Address Translation calls me a troll. Nice try...

You are correct you may not need what your router vendor calls spi for active ftp but you do need some sort of deep packet inspection which is NOT NAT.

CB0 (Member, Goshen, NY, join:2008-05-02) to aleshik1

You have an interesting question. I would have thought you were going to ask whether it was safe to turn off the firewall on the client machines connected to the router. If you keep the SPI firewall it might not hurt to do that. To turn off the router firewall, though, and leave the client software firewalls turned on could be hit or miss. I would say keep them both on, but if you really want, disable the client firewalls since you're protected from the Internet through the router's SPI firewall. Not to say either method is 100% secure, but surely better than nothing.

ironwalker (MVM, Keansburg, NJ, join:2001-08-31) to aleshik1

aleshik1 has not returned, but I'd like to ask in case he does:
Why do you want to?
Is it slowing your traffic down?
Is there some restrictions you know for sure is the firewall?
What kind of router?
Disable firewall permanently?

rcdailey (Premium Member, Rialto, CA, join:2005-03-29)

I work with a guy who has Verizon Business DSL and has a Westell 327W gateway. It is set to use the "typical" medium security in the firewall. I found that this setting prevents Windows from getting the time from internet time servers. Setting the firewall to minimum allows the time update. That's the only thing I have noticed that is prevented by the medium security setting. So, when I go there, I go into the firewall setting, temporarily lower the security level, update the clocks on the two computers (that's all he has connected), and then change the setting back to medium on the firewall. The gateway seems to work well enough for his purposes without putting a separate router on. He's short on space anyway.