[clairejr]

Hi,

I just got my ADSL connection and the phone company provided me with an ECI ADSL router/modem. I can browse the net without problems, but I can't access the router's IP address in order to enable/configure the firewall. The phone company told me that the configuration they provided me with doesn't allow me to configure the firewall (great!). Right now I'm using the OS X (10.2.8) firewall and a demo of NetBarrier, but I'd like to be able to use the router's built-in firewall and save the expense of buying NetBarrier. Any suggestions for what I should do to access the IP address? Do I need to disable NetBarrier first? Or should I just buy NetBarrier and feel secure with that? Thanks.

Claire

[ghporter]

The router's "firewall" is most likely Network Address Translation (NAT) which is minimal protection at best. Running the OS X firewall is probably far superior to usign what the router could provide. If you really, really want a router-based firewall, you can pay a lot of money for a real firewall in a router-type box, or not nearly so much for a basic wired router that will give you NAT. While a hardware firewall is nice, if you're concerned about the cost of NetBarier, then you probably won't like the cost of a hardware firewall.

Oh, and it is pretty easy for the phone company to NOT give you access to the router's configuration pages. It's also pretty smart; most customers would either screw things up or...well I guess that sums it up!

You could ask them to enable the router's firewall for you...

[clairejr]

Hi,

You could ask them to enable the router's firewall for you... [/B][/QUOTE]

Thanks, I'll give it a try.

Claire

[larkost]

ghporter: Calling a NAT "firewall" minimal protection is simply wrong. Getting a packet though a NAT firewall on an unsolicited connection is very very difficult, and spoofing in on an existing connection requires physical network proximity which virtually eliminates the problem for any group smaller than a mid-sized corporation (theoretically your neighbors could try... but it is generally easier to simply break in the door).

There are usually only two advantages to a full firewall on the security level:

Since it blocks outgoing packets as well as incoming, you can prevent spyware and unauthorized connections to the outside world. Since the former almost does not exist on the Mac platform, and configuring for the latter is simply beyond the needs of a typical home user this advantage is moot.

You have logging, and can try and track-back any break-in attempts. Once again, this is far beyond the level of home users.

Executive summary: Anyone who tells you that a NAT-based hardware firewall is not enough security for Mac computers does not know what they are talking about, and are probably trying to sell you something you don't need.

[ghporter]

Originally posted by larkost:
ghporter: Calling a NAT "firewall" minimal protection is simply wrong.

Executive summary: Anyone who tells you that a NAT-based hardware firewall is not enough security for Mac computers does not know what they are talking about, and are probably trying to sell you something you don't need.

I know that in practical cases a NAT box is more than adequate. But the first time I tell somebody that it's enough, I'll be sure to get a thousand "network purists" responding that NAT isn't enough because...'enter your particular personal peeve here.'

In the Windows world it's pretty good too, but there are some situations where it's just not adequate for either a Mac or a Windows box. Hosting ANYTHING makes the NAT option moot, since you have to bypass some or all of the protection to expose the server to the Internet. In some high-speed cable Internet situations, an attacker on the same branch of the cable system could use various tools to figure out the NAT scheme and target a computer behind the router as well.

So, instead of saying "don't worry about anything with a NAT router," I said "a NAT router isn't going to do what the OS X firewall will," because it isn't a real firewall. Not all NAT boxes offer logging, nor will some of them block inbound and/or outbound ports. (If you get the impression that I've had my nose rubbed in the failings of NAT, you're right.)

I still feel that the OS X firewall as a firewall offers substantially better protection than just a NAT box, but having both is much better. I do that with all my home machines though I do not use the default Windows XP+SP2 firewall on my Windows machines; I've replaced it with Symantec's Client Security Firewall which does far more.

[clairejr]

Hi,

Thanks to everyone for your advice. After reading answers here and on other forums, I solved the problem. I set my network to "Automatic" and then DHCP and entered the IP address the phone company gave me. For the Subnet Mask I had 255.0.0.0 and the router's address was 10.0.0.138 (not the address I have now with PPPofE enabled). I was then able to access the router's IP page and made sure the firewall was enabled. After that I went back to the settings I had for my ISP (I had saved it as a new location) and now everything seems to be working fine. I probably have one of the most secure systems on the net with the router firewall enabled, OS X's firewall on, and the demo of NetBarrier on - a perfect set-up for a slightly paranoiac user -.

Claire