Is it safe to disable router's firewall?

aleshik1
My computer is connected to the internet through a router at the moment:
Router---Ethernet cable--PC, and I have a laptop connected by the wireless signal from the router.
Would it be safe to disable the router firewall if both computers have a firewall installed on them?
Its a Secret (Premium Member, join: 2008-02-23, Da wet coast)
While this isn't an ideal situation, you could do it. Why do you want to disable your router's FW? What kind of software FW do you run?
EGeezer (Premium Member, join: 2002-08-04, Midwest)
to aleshik1
If your systems and applications are properly secured and currently patched, they would probably be safe on a router with a disabled firewall as long as your system firewalls are properly configured, active and not subject to vulnerabilities or DoS.
Personally, I like the router firewall - it eliminates the usual internet noise and wasted CPU cycles associated with firewalled activity. It also provides a second level of protection for the systems at the network perimeter when/if a system firewall shuts down abnormally or as part of an update process.
When/if you decide to shut down the router firewall, be prepared to see lots of messages and activity you hadn't been seeing.

nwrickert
to aleshik1
said by aleshik1:
Would it be safe to disable the router firewall if both computers have a firewall installed on them?
The firewall is disabled on my router. I have not seen any ill effects. If you are using a standard NAT, then the most important part of the router firewall is actually a side effect of NAT, and cannot be fully disabled. Well, you can put one computer on the DMZ, which disables it for that one computer. If you don't put a computer on the DMZ, then your systems are still protected by the router even with the router firewall disabled. The router firewall typically deals with outbound packet filtering, and the inbound protection is part of NAT.
to aleshik1
I've noticed with DD-WRT firmware that if you turn off the firewall (SPI), you turn off stealthing of ports, as reported by grc.com, for instance. It's controversial, I guess, but most people probably prefer being stealthed. I don't know if other router firmware behaves this way.

Crypto_Bug
to aleshik1
What type of router are you using? Is it stateful packet inspection, or is it just doing NAT and perhaps some static packet filtering? Keep in mind that even if the router does claim to do stateful packet inspection, that just means they are performing stateful packet inspection for at least one protocol; it doesn't mean they perform stateful packet inspection for all protocols. If it is just doing NAT, then some of your protection comes from you having a private address; however, if the router supports loose source routing it is still pretty easy to get around the protection provided by NAT.
TheWiseGuy (MVM, join: 2002-07-04, East Stroudsburg, PA)
to nwrickert
said by nwrickert:
Would it be safe to disable the router firewall if both computers have a firewall installed on them? The firewall is disabled on my router. I have not seen any ill effects. If you are using a standard NAT, then the most important part of the router firewall is actually a side effect of NAT, and cannot be fully disabled. Well, you can put one computer on the DMZ, which disables it for that one computer. If you don't put a computer on the DMZ, then your systems are still protected by the router even with the router firewall disabled.
Yep! Good explanation!
said by nwrickert:
The router firewall typically deals with outbound packet filtering, and the inbound protection is part of NAT.
Assuming the firewall is SPI, it will look a little deeper into the packet than NAT, which is why the firewall with SPI in many cases slows down the router. For the average user I doubt this adds *any* measurable benefit. As to outbound protection, as you know, the router firewall will mostly block ports, which adds a slight measure of outbound protection. But of course, as you know, it can be bypassed by using remote port 80 on any system where web browsing is allowed. Just figured I'd add a little more detail, to your excellent explanation, for other readers.

nwrickert
said by TheWiseGuy:
Just figured I'd add a little more detail, to your excellent explanation, for other readers.
Appreciated. I have experimented with router firewalls. Output blocking can create subtle problems for yourself. The aim should be to keep the malware off my machine, not to allow it and then block it. And I concur on SPI, as used on typical home routers. The benefits seem minor. The firewalling that is part of the NAT functionality is already adequate for most home and small office users.
spi (Anon, @66.128.17.x), 2009-Jan-23 11:33 am
Here is a quick grab of a paragraph off of Wikipedia regarding SPI. This is important to note. SPI not only keeps track of sessions and will not allow random packets to be inserted into the stream, it also watches for legitimate traffic establishing new connections coming back in, such as with active FTP, etc.
quote:
Before the advent of stateful firewalls, a stateless firewall, a firewall that treats each network frame (or packet) in isolation, was normal. Such a firewall has no way of knowing if any given packet is part of an existing connection, is trying to establish a new connection, or is just a rogue packet. Modern firewalls are connection-aware (or state-aware), affording network administrators finer-grained control of network traffic.
The classic example is the File Transfer Protocol, because by design it opens new connections to arbitrary ports. FTP, among other protocols, needs to be able to open connections to arbitrary high ports to function properly. Since a firewall has no way of knowing that the packet destined to the protected network, to some host's destination port 4970, is part of a legitimate FTP session, it will drop the packet. Stateful firewalls solve this problem by maintaining a table of open connections and intelligently associating new connection requests with existing legitimate connections.
TheWiseGuy (MVM, join: 2002-07-04, East Stroudsburg, PA)
Modern NAT does a lot of that these days. Most implementations allow active FTP. NAT checks if a packet is part of an ongoing TCP connection from the (port pair and IP) or if a UDP packet had been sent outbound to the IP from the port pair. The Netgear site has a good page on the added advantages of SPI. For the average individual, unless they are targeted, most of these are not a major concern. Certainly for a major organization SPI can be helpful. Also, if you have reason to believe you might be targeted for a DoS attack, SPI would certainly help. » kbserver.netgear.com/kb_ ··· 1218.asp
to spi
said by spi:
Here is a quick grab of a paragraph off of Wikipedia regarding SPI.
I am not denying its uses. For the typical home router, the main benefit of SPI is to the marketing department, which can make the router sound more impressive than it really is. For a complex corporate firewall, you really do need SPI. But management of such a firewall involves complexity beyond the ability of most home users and beyond the capability of most home routers.
spi (Anon, @66.128.17.x), 2009-Jan-23 1:23 pm
Agreed. I just didn't want everyone to think that SPI had no benefit to the user. For the other reply, NAT is an IP/port translation and should not be doing inspection to allow things such as active FTP to establish a NEW connection back into your network. NAT simply works with the IP/ports; for a router to realize it needs to allow a brand new connection from an outside host into an inside host, it needs to inspect the traffic to see the agreed-upon port that will be initiated back to the inside. They may market this stuff in a number of ways, but if you go by the definition, NAT does not do inspection or fixup or ALG or whatever your vendor's preferred term may be.
spi
to TheWiseGuy
I think you misunderstand how active FTP works. NAT does not handle active FTP by default. In active FTP the client establishes an outbound control connection to an FTP server, which is allowed through the router and NAT'd. The server replies to the request over the data channel and they agree on a port that the server can start a brand new connection to the client on. NAT will not know of this new connection and will NOT allow it. The port they agree upon is only mentioned within the data portion of the packet; therefore packet inspection must be done so the router can allow a newly established connection through to the correct host.
TheWiseGuy (MVM, join: 2002-07-04, East Stroudsburg, PA)
I assure you I understand how active FTP works. An initial connection is made to port 21 outbound. The inbound return packet contains the port where the data connection will be established. You do not need to have an SPI FIREWALL, what the topic was about, for a modern NAT router to allow active FTP.
True, I said modern NAT when talking about FTP and probably should have said modern NAT routers. Still, you could easily implement a sub-routine in NAT that checks if the remote is port 21 and simply checks the return packet as part of NAT without implementing a full SPI firewall, since active FTP is one of the oldest and most used protocols that require an inbound connection in response.

nwrickert
to spi
SPI is not enough for active FTP. Rather, the router must monitor the data part of the packets to see what port is agreed to, create a special entry in its NAT table to handle that connection, and appropriately modify that data packet. Most home routers are designed to handle this.
Passive FTP will work without difficulty through a NAT router as long as no output blocking is being done.
If the FTP server is behind the NAT router, things are more complex and some home routers won't handle it properly.
spi (Anon, @66.128.17.x)
to TheWiseGuy
I guess where I am going with this is that by definition NAT alone cannot handle active FTP. In active FTP the server starts a new connection into the client, and without some sort of packet inspection the router doesn't even know who to forward that traffic to. The traffic will be denied. Whatever you want to call this packet inspection that the router does to see that data port and know it is associated with the original outgoing FTP session is up to you, but it is not NAT. BTW, you only described half of what an active FTP session does; you didn't even make it to the part that a basic router would have problems with.
spi
to nwrickert
I think that actually depends on who you ask. A lot of companies like to market it as a fixup, inspect, ALG, etc. According to Wikipedia it is part of SPI. I do agree with you, though. Deep packet inspection must be done to determine this. We are on the same page, and at the basic level I am sure you explain it much better than I do. It appears some think that NAT does deep packet inspection to know how to handle these types of traffic; however, if you go by true network definitions, NAT does not do this type of inspection. As you said, the NAT table may be updated, but NAT itself is not responsible for the actual intelligence.
TheWiseGuy (MVM, join: 2002-07-04, East Stroudsburg, PA)
to spi
said by spi:
BTW, you only described half of what an active FTP session does; you didn't even make it to the part that a basic router would have problems with.
Huh, maybe you can not read.
said by Me:
An initial connection is made to port 21 outbound. The inbound return packet contains the port where the data connection will be established.
quote:
Still, you could easily implement a sub-routine in NAT that checks if the remote is port 21 and simply checks the return packet as part of NAT without implementing a full SPI firewall,
You do understand active FTP enough to understand that the DATA connection is the part you say will have a problem, not the control connection. For you or anyone else that needs to understand active FTP, see » slacksite.com/other/ftp.html
NAT/PAT is Name Address Translation/Port Address Translation; you must modify the NAT/PAT tables to allow inbound traffic from active FTP. It does not need to be done by a stateful firewall.
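Added example (not code from the thread, nor from any router vendor's firmware): a toy NAT/PAT router in Python with a connection-tracking table and an optional FTP ALG. It illustrates both points argued above: the Wikipedia paragraph on stateless vs. connection-aware filtering (an unsolicited inbound packet with no table entry is dropped even with no "firewall" turned on), and the active-FTP dispute (the server's data connection from port 20 only gets through when something reads the PORT command in the control-channel payload, pre-creates a table entry and rewrites the announced address). All IP addresses, ports and payloads are constructed for the demo; the announced client port 4970 (19*256+106) is chosen to match the Wikipedia example quoted earlier.

```python
# Added example, not code from the thread: a toy NAT/PAT router with a
# connection-tracking table and an optional FTP ALG. It shows (1) why plain
# NAT already drops unsolicited inbound packets, and (2) why active FTP only
# works when something reads the PORT command on the control channel and
# pre-creates a mapping. All addresses, ports and payloads are constructed.
from dataclasses import dataclass, replace
import re


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


# "PORT h1,h2,h3,h4,p1,p2": client tells the server where to connect for data
PORT_CMD = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def parse_port_cmd(payload):
    """Return (ip, port) announced in a PORT command, or None."""
    m = PORT_CMD.match(payload)
    if not m:
        return None
    h = m.groups()
    return ".".join(h[:4]), int(h[4]) * 256 + int(h[5])


class NatRouter:
    def __init__(self, public_ip, ftp_alg=False):
        self.public_ip = public_ip
        self.ftp_alg = ftp_alg
        self.next_port = 40000
        # public_port -> (inside_ip, inside_port, remote_ip, remote_port)
        self.table = {}

    def _allocate(self, inside, remote):
        """Reuse or create the public port for one inside<->remote pair."""
        for pub_port, entry in self.table.items():
            if entry == inside + remote:
                return pub_port
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = inside + remote
        return pub_port

    def outbound(self, pkt):
        """LAN -> Internet: translate the source and remember the mapping."""
        pub_port = self._allocate((pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port))
        payload = pkt.payload
        announced = parse_port_cmd(payload) if (self.ftp_alg and pkt.dst_port == 21) else None
        if announced:
            # FTP ALG: the data connection will come back from server port 20,
            # so map a public port to the announced private address now and
            # rewrite the PORT line so the server aims at the router instead.
            data_pub = self._allocate(announced, (pkt.dst_ip, 20))
            octets = self.public_ip.replace(".", ",")
            payload = f"PORT {octets},{data_pub // 256},{data_pub % 256}\r\n"
        return replace(pkt, src_ip=self.public_ip, src_port=pub_port, payload=payload)

    def inbound(self, pkt):
        """Internet -> LAN: forward only if a mapping for this peer exists."""
        entry = self.table.get(pkt.dst_port)
        if entry is None or (pkt.src_ip, pkt.src_port) != entry[2:]:
            return None  # unsolicited: dropped even with no "firewall" enabled
        return replace(pkt, dst_ip=entry[0], dst_port=entry[1])


def demo_web_and_unsolicited():
    """Outbound HTTP gets its reply back; a stray SYN to port 3389 is dropped."""
    nat = NatRouter("203.0.113.5")
    out = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 80, "GET / HTTP/1.0\r\n"))
    reply = nat.inbound(Packet("198.51.100.7", 80, "203.0.113.5", out.src_port))
    stray = nat.inbound(Packet("198.51.100.9", 4444, "203.0.113.5", 3389))
    return reply, stray


def demo_active_ftp(ftp_alg):
    """Return the translated data-channel SYN, or None if it never gets in."""
    nat = NatRouter("203.0.113.5", ftp_alg=ftp_alg)
    # client announces 192.168.1.10:4970 (19*256+106) on the control channel
    ctl = nat.outbound(Packet("192.168.1.10", 52000, "198.51.100.21", 21,
                              "PORT 192,168,1,10,19,106\r\n"))
    target_ip, target_port = parse_port_cmd(ctl.payload)  # what the server sees
    if target_ip != nat.public_ip:
        return None  # server would SYN to a private address: never arrives
    # server opens the data connection from port 20 to the announced endpoint
    return nat.inbound(Packet("198.51.100.21", 20, target_ip, target_port))


if __name__ == "__main__":
    print(demo_web_and_unsolicited())
    print(demo_active_ftp(False), demo_active_ftp(True))
```

Without the ALG the PORT line still carries the private address, so the server's SYN never reaches the router at all, and even a SYN aimed at the public address would find no table entry. The ALG logic is exactly the "sub-routine that checks port 21" described in the post above; on Linux it lives in the nf_conntrack_ftp / nf_nat_ftp helpers rather than in the NAT translation step itself.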
to Crypto_Bug
said by Crypto_Bug:
...if the router supports loose source routing it is still pretty easy to get around the protection provided by NAT.
Crypto_Bug, could you go into this a bit further? It's new to me, and the Wikipedia entry didn't help much. Do some SoHo routers have such an option?
spi (Anon, @66.128.17.x)
to TheWiseGuy
lol... you are explaining this to me and you call it "Name Address Translation". Man, you need to get a refund on whatever certification you got... I agree with you, the NAT (Network Address Translation) table is updated, but NAT is not inspecting the traffic to determine this information for itself. NAT is not responsible for inspecting this traffic, and NAT alone will not allow this inbound traffic. NAT alone cannot handle this type of traffic. Don't read any more into it; that is all I am trying to say. NAT alone cannot handle this type of traffic.
spi
to TheWiseGuy
BTW, since you brought it up, NAT/PAT as you call it are not one and the same.
TheWiseGuy (MVM, join: 2002-07-04, East Stroudsburg, PA)
said by spi:
BTW, since you brought it up, NAT/PAT as you call it are not one and the same.
Sigh. I wish I could put anonymous trolls on ignore. I also wish the system were not all of a sudden informing me of every reply by an anonymous user. Actually, if you read Cisco » www.cisco.com/en/US/tech ··· 31.shtml
quote:
Overloading: A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports. Known also as PAT (Port Address Translation), single address NAT or port-level multiplexed NAT.
PAT is the name of a specific type of NAT. I'm done feeding the troll. You do not need a stateful firewall, which is what this topic is about, to do active FTP.
spi (Anon, @66.128.17.x), 2009-Jan-23 2:50 pm
The guy that calls it Name Address Translation calls me a troll. Nice try...
You are correct, you may not need what your router vendor calls SPI for active FTP, but you do need some sort of deep packet inspection, which is NOT NAT.
CB0 (join: 2008-05-02, Goshen, NY)
to aleshik1
You have an interesting question. I would have thought you were going to ask whether it was safe to turn off the firewall on the client machines connected to the router. If you keep the SPI firewall, it might not hurt to do that. To turn off the router firewall, though, and leave the client software firewalls turned on could be hit or miss. I would say keep them both on, but if you really want, disable the client firewalls since you're protected from the Internet through the router's SPI firewall. Not to say either method is 100% secure, but surely better than nothing.
ironwalker (World Renowned MVM, join: 2001-08-31, Keansburg, NJ)
to aleshik1
aleshik1 has not returned, but I'd like to ask in case he does: Why do you want to? Is it slowing your traffic down? Are there some restrictions you know for sure are the firewall? What kind of router? Disable the firewall permanently?
rcdailey (Premium Member, join: 2005-03-29, Rialto, CA), 2009-Jan-24 6:26 pm
I work with a guy who has Verizon Business DSL and has a Westell 327W gateway. It is set to use the "typical" medium security in the firewall. I found that this setting prevents Windows from getting the time from internet time servers. Setting the firewall to minimum allows the time update. That's the only thing I have noticed that is prevented by the medium security setting. So, when I go there, I go into the firewall setting, temporarily lower the security level, update the clocks on the two computers (that's all he has connected), and then change the setting back to medium on the firewall. The gateway seems to work well enough for his purposes without putting a separate router on. He's short on space anyway.