How do Router Firewalls Work

I have a phone line connection to an ADSL router. Looking through the settings on the router I see there is an option to enable Firewall and Intrusion Detection.

I have been using my current setup without problems for some time and rely on protection from Avira (free) and Outpost Firewall.

Should I enable the router Firewall, and how does this work? My software protection updates for new threats on a daily basis; how does this work with the router firewall, or are they different things working in totally different ways?

:confused:

Definitely enable the router firewall.

The typical router firewall uses Network Address Translation to map the single public IP address to one or more machines within your network, and the firewall blocks direct access to any internal machines from the Internet.

For example, if your desktop machine is running Apache and has a web server running on port 80, nobody on the Internet will be able to get to the machine, but anyone else in your house hooked to the same LAN would be able to see your private web server.

This is better than a software firewall alone (IMO) since it is always there and you can then hook up things like XBoxes and iPod Touches on the wireless network and they will still be firewalled.

The software firewall is still useful: it helps you see when rogue applications (or even normal apps) phone home.

ETA:
Is your router a wired-only device or do you have wi-fi? What make and model is the device?

That.

Think of your PC as being in a room with an open door to the outside world. Your software protection is like having guards examine everyone who attempts to enter the room. Your firewall protection is like slamming the door shut and locking it.

(Yes, I know that’s not totally accurate, but work with me here…)

…and I just realized that my earlier post may have implied that firewall protection is better than software protection. It isn’t - they’re just different. As a primitive example, your router firewall isn’t going to prevent you from opening an email attachment that contains a virus - but your software protection will/should.

Wetware protection is useful in cases like this, too. :stuck_out_tongue:

In simpler terms - a firewall prevents any internet communication that you (or a program already on your PC) do not initiate.

Your Virus Protection prevents the presence of malicious programs on your PC.

Most likely you’re behind NAT anyway, which acts as a de facto firewall. Simplified, a firewall blocks incoming connections. Try turning it on and see if you have any problems.

The annoying thing to me is that if I enable NAT on my router it won’t allow my daughter’s Wii to connect. I either have to keep turning NAT on and off whenever she uses the Wii (impractical, she uses it a lot) or be content with the lower strength firewall the router provides without NAT.

If your ADSL router is a real IP router (almost certainly not the case, but it is a good starting point), it relays packets based on IP addresses, using the internal and external addresses and a routing table. Assuming your internal network is a typical class C network (200.1.1.0/255.255.255.0)

PC 200.1.1.10 ------ 200.1.1.1 Router ISP supplied IP address -------{internet}

Packets from your PC get sent via the default gateway (200.1.1.1) which then knows the way to the internet via your ISP. As packets traverse gateways, they update their routing tables, so returning packets find the return path. Systems like this are somewhat exposed - any packet sent to a 200.1.1.x address will get to the router and on to the network. This gives an attacker the opportunity to probe systems within your network looking for an exposed system to attack, and every system in the network would need firewall protection, and intrusion detection would be valuable.

However, your home network will not have a real valid class C network address - it will have a private address, probably class C (192.168.x.x). These addresses are non-routable on the wider internet - internet routers just drop these packets, since there are millions of home networks using the same addresses. To get round this, all home ADSL routers use Network Address Translation as a matter of course. NAT filters and rewrites network packets, so all requests from your home network originate with your ISP assigned network address. The router maintains a table that relates internal_address:_port information with external_address:_port information. So when you connect to straightdope.com:80 (http) from your PC, straightdope.com:80 sees a request from ISP_address:1001, and sends the response there. The router sees the response and translates it back to your PC. By managing the internal NAT table, the router can handle multiple internal private addresses. NAT systems are pretty safe by default, as an external system cannot route a connection to an internal system that has not already been established through the NAT table. The only known address (as far as the outside is concerned) is the ISP_assigned one on the outside of the router, and internal details of the network should not leak, and you are effectively firewalled anyhow. Some applications (like Skype) use NAT traversal techniques to allow peer-to-peer connections via NATted systems - your PC establishes a NAT connection to a Skype server, as does your friend. Once both NAT connections are set up to the Skype server, the connection details are exchanged, and you can then connect directly to your friend's NATted Skype connection without going via the Skype server, and they can connect back to you. This is a useful technique, but relies on a central internet server. My son uses Leaf VPN (which uses NAT traversal) to set up game networks with his friends, without me opening holes in my firewall - a big win.

All the Enable Firewall option does on a NAT router is enable additional rules editing, so that you can allow certain packets from outside to be directed to an internal address, or to block certain packets from going outside your network. So if you want your PC to host an internet playable game that uses port 9000, you create a rule that forwards incoming packets from port 9000 on the router to port 9000 on your PC. As far as anyone on the outside is concerned, the ISP_supplied address is listening on port 9000, and no further details of the internal addresses are required. This is less safe than NAT only, but if you are careful about what you expose, the risk is low. Of course, this is a manual process and can be hard for people to understand. Microsoft introduced a system called UPnP, which lets a Windows application automatically modify the router firewall with no security or confirmation - I hope you can see how bad this could be if a virus does infect your PC (it can completely open your firewall, and you would not know) - I would always disable the UPnP option on a router. You can also set the firewall to forward all or most of the traffic to an internal host (a so-called DMZ option). I use this to forward traffic from my router to my Linux server gateway, running a similar firewall as well as other external services - I only maintain a single powerful firewall on the Linux box.
The Intrusion Detection option monitors local traffic looking for suspicious traffic patterns - useful, but not generally necessary. You need to monitor the router to spot the alerts.

Your software firewall is different - it monitors your PC for active connections, and compares them with a database. This allows it to spot malware seeking to connect to control servers, or to ask your approval for new applications. It should also maintain information on applications, so if apps get changed, the firewall should alert you. Many firewalls maintain application proxies, so that web downloads and email can be scanned before execution/opening. A software firewall is as important as a hardware firewall, but for different reasons.

Si
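To make the NAT table and port-forwarding description in the post above concrete, here is a small added Python model; it is not the router's code or anything posted in this thread. The addresses, the 1001 starting external port and the port 9000 forwarding rule are constructed for the example, and a real router would also record the remote endpoint for each mapping rather than keying on the external port alone.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    """Constructed model of a home NAT router: a private LAN behind one ISP-assigned address."""

    def __init__(self, wan_ip: str, forwards: Optional[Dict[Tuple[int, str], Tuple[str, int]]] = None):
        self.wan_ip = wan_ip
        self.next_port = 1001                  # external ports handed out in order (as in the post)
        self.table: Dict[Tuple[int, str], Tuple[str, int]] = {}   # (wan_port, proto) -> (lan_ip, lan_port)
        self.by_inner: Dict[Tuple[str, int, str], int] = {}       # (lan_ip, lan_port, proto) -> wan_port
        self.forwards = dict(forwards or {})   # static "Enable Firewall" rules, same key/value shape

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> internet: rewrite the source to the ISP address and remember the mapping."""
        inner = (pkt.src_ip, pkt.src_port, pkt.proto)
        if inner not in self.by_inner:
            self.by_inner[inner] = self.next_port
            self.table[(self.next_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return Packet(self.wan_ip, self.by_inner[inner], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> router: deliver only if a mapping or a forwarding rule exists, else drop."""
        if pkt.dst_ip != self.wan_ip:
            return None
        key = (pkt.dst_port, pkt.proto)
        target = self.table.get(key) or self.forwards.get(key)
        if target is None:
            return None                         # unsolicited: nothing to translate it to, so dropped
        lan_ip, lan_port = target
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)


def demo():
    """Constructed walk-through: browse, get the reply, drop a probe, accept forwarded game traffic."""
    router = NatRouter("203.0.113.5", forwards={(9000, "tcp"): ("192.168.1.10", 9000)})
    out = router.outbound(Packet("192.168.1.10", 51234, "198.51.100.7", 80))          # PC -> web server
    reply = router.inbound(Packet("198.51.100.7", 80, "203.0.113.5", out.src_port))  # server -> PC
    probe = router.inbound(Packet("192.0.2.99", 4444, "203.0.113.5", 80))            # unsolicited scan
    game = router.inbound(Packet("192.0.2.50", 6000, "203.0.113.5", 9000))           # forwarded port
    return out, reply, probe, game


if __name__ == "__main__":
    print(demo())
```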

What router do you have? My Wii works fine with NAT on my router.

It’s a Netgear Rangemax Next WNR834M with double firewall protection (whatever that may mean). I couldn’t get the Wii online at first, tried all the Nintendo troubleshooting suggestions, the final one was disabling NAT on the router. That did the trick. It’s an unsatisfactory solution but it beats explaining to my 13 yr old why she can’t get online with her Wii!

Thanks for all replies. Getting a bit technical but I’m trying to keep up :eek:

If it makes any difference my router is Xavi X7782r+ and use 192.168.x.x to access it.

I have XP Pro so can use UPnP

As I understand it the router firewall is really only necessary if I have a home network, but as I am the only home user, hard wired (no Wifi thingy), there should be no problem leaving it disabled?

I have only one port open for Torrents and don’t do any on-line gaming so should be safe with my software firewall?

Just for experiment I’ll turn on the router firewall and see what happens

:slight_smile:

I personally won’t connect to the intwarnet (DSL or any hot connection) without a router/switch between me and the bad guys. I carry one in my laptop bag for on the road hard wire connections. I have many times only had one computer connected. It is really cheap insurance from bad stuff getting in. That with my paranoia about unknown email and web site dangers, I don’t get much bad stuff. I am just not a ‘clicky’ type of person. I am not that curious about unknown links.

YMMV

I was just looking at your router documentation and it appears that the dual firewall refers to a standard NAT firewall and a SPI firewall. The former is the “network address translation” thing referred to above by many; the latter is “Stateful Packet Inspection”—a more robust kind of firewall that looks inside the packets to decide what to do with them.

At first glance, it appears that the “firewall” you can enable/disable is the SPI firewall, which is a special feature not available on many home routers. If this is so, then the NAT firewall should still be doing fine.

You can safely live without the SPI firewall as long as the regular NAT firewall is still up and running.

You can test to see if you still are using NAT by checking your computer’s IP address: if it’s a 192.168.x.x or 10.x.x.x then you have NAT running since those two are designated as private network ranges.

There is no reason why the Wii should have any issues hooking up through your NAT router, though you might have to disable the extra SPI part. My nephew’s Wii functions quite nicely through two layers of NAT on my network (it’s a long story).

Could you link to the Wii troubleshooting steps you performed? And if possible, describe how you “disabled the firewall”?

And please do consider disabling UPnP. Its purpose is to allow apps with fancy network config needs to tweak your router firewall on your behalf, to make installation painless, but it is naïve to assume that only good apps will use this feature.

So how does it work? My dad blocked nearly every website and it gets in the way of work, but he won’t debate it so I have come to you guys for help…

So far I have packet sniffed the router password to unblock stuff but he suspected I got in so he changed the pass and re-blocked the websites.
It’s hard to predict when to turn on the sniffer because I don’t know when he will log on and if I just leave the sniffer on the internet lags…

You may just say use a proxy, but that’s for internet browsing.
The NETGEAR FIREWALL blocks the websites even through apps, which you can’t use a proxy for… So any apps I want to use that contact blocked sites are broken.

So I am forced to find a new method…I suppose I really have to understand how the firewall works first right? Unless someone knows another way…

If you can help that would be very much appreciated.

Yes, enable your firewall on your router and probably disable any software ones you have; they are a waste of resources. Windows firewall and your router’s should just be enough.

Steve Gibson on UPnP and his freeware that turns it off painlessly.

CMC fnord!

That turns it off in Windows.

It is best to turn it off in the router firewall. Otherwise, other non-Windows devices can use UPnP to modify your router firewall settings.