Airport firewall question
Mac Elite
Join Date: Oct 2003
Location: London
Hello,
I don't understand network security very well and was hoping someone could give me some advice. My setup...
Cable modem -> Airport Extreme -> G5 (wired via ethernet)
-> Airport Express (wireless)
-> Powerbook 1 (wireless via Airport card)
-> Powerbook 2 (wireless via Airport card)
Am I right to assume that the hardware firewall in the Airport Extreme base station is protecting my Macs, and that therefore there is no need to run the OSX software firewall on the individual Macs?
Also, should I activate port forwarding on the Airport Extreme for using Acquisition, Bit Torrent etc.?
Thanks in advance for any help!
Administrator 
Join Date: Apr 2001
Location: San Antonio TX USA
The "hardware firewall" in the AirPort Extreme is something called "Network Address Translation" or NAT, and it isn't technically a firewall. It does hide what is on the LAN side of the AE, but it doesn't really do what you'd want a firewall to do. It's best to run the OS X firewall as well as using the NAT function of the AE. This not only makes it very hard for an intruder to locate or identify anything on your LAN (through the NAT function), it tells you when any apparent attack occurs and lets you decide what ports to open and what applications to give permission to use the network and Internet.
Glenn -----
OTR/L, MOT, Tx
Mac Elite
Join Date: Oct 2003
Location: London
Originally posted by ghporter:
The "hardware firewall" in the AirPort Extreme is something called "Network Address Translation" or NAT, and it isn't technically a firewall. It does hide what is on the LAN side of the AE, but it doesn't really do what you'd want a firewall to do. It's best to run the OS X firewall as well as using the NAT function of the AE. This not only makes it very hard for an intruder to locate or identify anything on your LAN (through the NAT function), it tells you when any apparent attack occurs and lets you decide what ports to open and what applications to give permission to use the network and Internet.
Many thanks.
Just to confirm - do you mean I should map the ports between the base station and the firewall on the individual computers, allowing me to still get decent download speeds from the apps mentioned?
It also appears that the AE will only allow a maximum of 20 ports to be forwarded. I need more than this - I don't suppose there is any way around it?
Thanks for your help.
Administrator 
Join Date: Apr 2001
Location: San Antonio TX USA
In most cases you don't need to forward ports as much as you need to open them in the affected computer's firewall. Blocking ports in the router (your Extreme box) is good for the ports you NEVER need, but ensuring that each computer has access to the ports it needs is where you begin to see a need for both port blocking (router) and port opening (firewall).
The best I can do without knowing what you're trying to do specifically is advise you to set up your AE to open all the ports you'll need on all your computers, and then use each computer's firewall to customize which ports it has access to.
Glenn -----
OTR/L, MOT, Tx
Mac Elite
Join Date: Oct 2003
Location: London
Originally posted by ghporter:
In most cases you don't need to forward ports as much as you need to open them in the affected computer's firewall. Blocking ports in the router (your Extreme box) is good for the ports you NEVER need, but ensuring that each computer has access to the ports it needs is where you begin to see a need for both port blocking (router) and port opening (firewall).
The best I can do without knowing what you're trying to do specifically is advise you to set up your AE to open all the ports you'll need on all your computers, and then use each computer's firewall to customize which ports it has access to.
It's mainly for Bit Torrent, which uses 9 ports. Port forwarding seems to require an entry for each individual port and each individual computer - i.e. you have to name the specific port on the AE (it's not possible to specify a range of ports) and the port on the desired computer and its IP address.
What I'm trying to say is that if I want to use Bit Torrent on both my desktop and a laptop, I will have to add 18 port forwards to the AE, leaving me only 2 for other purposes.
When you say "set up your AE to open all the ports you'll need on all your computers", where can I do this? I've had a look through the Airport Admin Utility and can't seem to find this option. It would certainly seem to solve my problem.
Thanks again for all your help!
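
Added example (not part of any post in this thread): a small Python model of the two points discussed above, namely why NAT on the base station and a firewall on each Mac cover different traffic, and how a forwarding table with one entry per port per computer fills up against a 20-entry limit. The class names, the 10.0.1.x addresses, the BitTorrent port ranges (6881-6889 and 6891-6899) and port 548 for file sharing are assumptions made for illustration.

```python
# Constructed model of a NAT router with a capped port-forward table plus
# per-host firewalls. Addresses, ports and names are made up for illustration.
MAX_FORWARDS = 20  # forwarding-entry limit reported in the thread

class NatRouter:
    def __init__(self):
        self.forwards = {}  # public port -> (LAN IP, LAN port)

    def add_forward(self, public_port, lan_ip, lan_port):
        if public_port in self.forwards:
            raise ValueError(f"public port {public_port} is already mapped")
        if len(self.forwards) >= MAX_FORWARDS:
            raise ValueError("forward table is full")
        self.forwards[public_port] = (lan_ip, lan_port)

    def inbound(self, public_port):
        """Where an unsolicited Internet packet goes; None means dropped."""
        return self.forwards.get(public_port)

class Host:
    def __init__(self, ip, listening, firewall_open=None):
        self.ip = ip
        self.listening = set(listening)  # ports with a service bound
        # firewall_open=None models the host firewall being switched off
        self.firewall_open = None if firewall_open is None else set(firewall_open)

    def accepts(self, port):
        allowed = self.firewall_open is None or port in self.firewall_open
        return allowed and port in self.listening

def from_internet(router, hosts, public_port):
    target = router.inbound(public_port)
    if target is None:
        return "dropped at NAT (no mapping)"
    lan_ip, lan_port = target
    return "delivered" if hosts[lan_ip].accepts(lan_port) else "blocked by host firewall"

def from_lan(hosts, dst_ip, port):
    # LAN-to-LAN traffic (a wireless client to the wired G5) never crosses NAT
    return "delivered" if hosts[dst_ip].accepts(port) else "blocked by host firewall"

def build_demo():
    # Assumed ranges: 9 BitTorrent ports per machine, 548 = file sharing on the G5
    g5 = Host("10.0.1.2", [548, *range(6881, 6890)], firewall_open=range(6881, 6890))
    pb = Host("10.0.1.3", range(6891, 6900), firewall_open=range(6891, 6900))
    router = NatRouter()
    for host in (g5, pb):
        for port in sorted(host.firewall_open):  # one entry per port per host
            router.add_forward(port, host.ip, port)
    return router, {g5.ip: g5, pb.ip: pb}
```

In this model the two machines need separate public port ranges, because each public port on the router can map to only one LAN address.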