Registered
Which Firewall to use? How to configure??
Hi all,
I have cable access to the internet at home. Goes from the modem to a Dlink DI-614+ (wireless access point/router). I want to set up a firewall and from what I understand it's best to do it at the router/access point. I'd like to protect all PCs downstream of the Dlink unit and avoid overhead on each individual PC if possible. But how do I configure? The manual is extremely vague and the website is just as bad. I understand how firewalls work from a theoretical standpoint but I'm stumped by how to configure this thing. Anyone been through this? Any advice appreciated.
__________________
Warren & Ron, may you rest in Peace.
Registered
I am using Easy Armour provided free from Road Runner.
Seems fine. No issues. I un-installed the Norton's 2001 and many of my conflicts went away with it.
__________________
2005 Acura 3.2 TL 148,000 miles 1988 911 Cabrio 104,xxx miles 1965 Honda Super Cub 50 1442 miles 2008 Honda Odyssey 105,000 miles GruppeB #0202
Moderator
I agree, the Norton firewalls have way too many issues, Easy Armour seems to be the way to go, also most routers have a hardware firewall that works well.
__________________
Bill Verburg '76 Carrera 3.6RS(nee C3/hotrod), '95 993RS/CS(clone) | Pelican Home | Rennlist Wheels | Rennlist Brakes
Too big to fail
I use ZoneAlarm and MAC filtering with my DSL router.
__________________
"You go to the track with the Porsche you have, not the Porsche you wish you had." '03 E46 M3 '57 356A Various VWs
Feelin' Solexy
Join Date: Oct 2003
Location: WA
Posts: 3,788
Zonealarm pro, I love it
__________________
Grant In the stable: 1938 Buick Special model 41, 1963 Solex 2200, 1973 Vespa Primavera 125, 1974 Vespa Rally 200, 1986 VW Vanagon Syncro Westfalia, 1989 VW Doka Tristar, 2011 Pursuit 315 OS, 2022 Tesla Y Gone but not forgotten: 1973 VW Beetle, 1989 Porsche 944, 2008 R56 Mini Cooper S
Registered
I run a Linksys wireless router, and use the firewall on that, which sets itself up, then I also use the Windows XP Pro's firewall.
__________________
Bill MID9 #4 if i cant play with it ,,i dont want to own it
Registered
Join Date: Mar 2003
Posts: 10,322
Your DLink router/ap should do it for you, if even thru just using NAT. As long as you don't open any ports to forward services to your LAN, you'll be fine. Of course, you are still vulnerable to viruses, etc. from user action or an application exploit (like IE has happen all the time), but the worms like Blaster, Sasser, etc. won't be able to get in.
__________________
“IN MY EXPERIENCE, SUSAN, WITHIN THEIR HEADS TOO MANY HUMANS SPEND A LOT OF TIME IN THE MIDDLE OF WARS THAT HAPPENED CENTURIES AGO.”
Registered
A little off the subject, but I just had another D-Link DI-624 wireless router go bad. Anyone else have trouble with these?
__________________
2014 Cayman S (track rat w/GT4 suspension) 1979 930 (475 rwhp at 0.95 bar)
Registered
Okay - here are my suggestions... price not being a factor at all.
If your OS is Windows XP I suggest you use the firewall that comes with it OR Zone Alarm. Zone Alarm is a good product but requires some configuration which takes time and patience. Offloading the Firewall function to a hardware device is ideal but even if you do this with a dedicated firewall my suggestion would be to still run the XP firewall. If you need file sharing in your local network the XP firewall can accommodate this need. An extremely good hardware firewall is made by Cisco, it’s the PIX 501 – I have one myself and I love it but it requires some expertise to configure and it is a bit on the pricey side even on eBay. If you know someone who is a Cisco reseller then you might be able to get one for ~$400 unless they get super discounts. The next stop on the firewall lineup would be one of Linksys (owned by Cisco) products that offers an integrated firewall. This is the most realistic solution and it really doesn’t need to be a Linksys product as their competitors do a good job for the home market as well. Belkin, D-Link, etc make decent products, just stay away from the no-name brands. Let me know if you have any questions.
__________________
-The Mikester I heart Boobies
Registered
Join Date: Mar 2003
Posts: 10,322
Of course, if you want to get really serious and geeky about it, just use an old PC (anything Pentium class, 32 MB or more RAM) and run either Linux or BSD on it and use either iptables (Linux) or pf (BSD). Of course, this will take some learning to get it configured right, but there are lots of dedicated firewall Linux distributions like Smoothwall that make it really easy to do.
__________________
“IN MY EXPERIENCE, SUSAN, WITHIN THEIR HEADS TOO MANY HUMANS SPEND A LOT OF TIME IN THE MIDDLE OF WARS THAT HAPPENED CENTURIES AGO.”
Registered
Thanks guys. I will attempt to allow the DLink to do an auto config.
Basically, traffic is allowed to flow out but is limited coming in through one or two ports...correct?
__________________
Warren & Ron, may you rest in Peace.
Registered
Join Date: Mar 2003
Posts: 10,322
Correct. You don't even want incoming unless you are offering a service or doing stuff like p2p apps.
__________________
“IN MY EXPERIENCE, SUSAN, WITHIN THEIR HEADS TOO MANY HUMANS SPEND A LOT OF TIME IN THE MIDDLE OF WARS THAT HAPPENED CENTURIES AGO.”
Registered
What about viewing sites, downloading software or watching racing clips? That's incoming isn't it?
__________________
Warren & Ron, may you rest in Peace. |
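
The in/out distinction asked about above, as an added example that is not part of any poster's message: a small Python model of the state table a NAT router keeps, showing why replies to browsing and downloads get in while unsolicited connections do not. All addresses and ports are constructed, and the strict match on remote address and port is an assumption; real routers differ in how tightly they match.

```python
# Added illustration (not from the thread): toy model of a NAT router's state table.
# All addresses and ports are constructed sample values.
from dataclasses import dataclass, field


@dataclass
class NatRouter:
    forwards: dict = field(default_factory=dict)  # wan_port -> (lan_ip, lan_port)
    state: dict = field(default_factory=dict)     # (wan_port, remote_ip, remote_port) -> LAN endpoint
    next_port: int = 40000

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection: allowed, and the mapping is remembered."""
        wan_port = self.next_port
        self.next_port += 1
        self.state[(wan_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return wan_port

    def inbound(self, remote_ip, remote_port, wan_port):
        """A packet arrives from the internet: return its LAN destination, or None if dropped."""
        key = (wan_port, remote_ip, remote_port)
        if key in self.state:          # reply to a connection a LAN host started
            return self.state[key]
        if wan_port in self.forwards:  # a port the owner deliberately forwarded
            return self.forwards[wan_port]
        return None                    # unsolicited: no mapping, nowhere to deliver it


def demo():
    router = NatRouter()
    web_server = ("198.51.100.7", 80)
    wan_port = router.outbound("192.168.0.100", 51515, *web_server)
    results = {
        # Page content coming back from the site the PC contacted.
        "web_reply": router.inbound(*web_server, wan_port),
        # Unsolicited probe of a Windows service port from a stranger.
        "unsolicited": router.inbound("192.0.2.66", 4444, 135),
        # A different host trying to reuse the port opened for the web session.
        "stranger_on_open_port": router.inbound("192.0.2.66", 80, wan_port),
    }
    router.forwards[6881] = ("192.168.0.100", 6881)  # owner opens a port for a p2p app
    results["forwarded"] = router.inbound("192.0.2.66", 4444, 6881)
    return results


if __name__ == "__main__":
    for name, dest in demo().items():
        print(f"{name:22} -> {dest or 'DROPPED'}")
```

Only the last case reaches a LAN machine without that machine having asked first, which is why each forwarded port is exposure the owner chooses to accept.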
Registered
Join Date: Sep 2002
Posts: 3,580
Quote:
I'm a big proponent of a hardware firewall at your broadband (DSL/Cable) connection PLUS a software product such as XP's firewall or Zonealarm on each box on your LAN (home network in this case). Zonealarm is nice because it monitors outgoing connections and asks if you want to allow them, until it learns what everything is. So if you have a Trojan on your PC, and it's trying to send something out, ZA will ask if that's OK, and you'll discover the Trojan. One of my staff at work manages a Symantec firewall with about 250 clients, and some things do get through the first "layer" of defense sometimes. Sometimes it's user error, sometimes misconfiguration, sometimes a new exploit that is taking advantage of newly found weaknesses. It never hurts to have a software firewall picking up the slack. Whatever you do, try going to www.spinrite.com after you are set up. They have a "port scanner" that will check out your firewall defenses and let you know (in somewhat over-the-top language) if you are letting bad stuff in. Good luck!
__________________
993
Registered
Great info....thanks!
__________________
Warren & Ron, may you rest in Peace.