I know - not a good thread title, but everything else I wanted to add was too long.
Here's the deal... I've got 5 machines plus a TiVo here in the house, and they all access the 'net via my Airport Extreme basestation (either wireless or wired via its LAN port). I've noticed over the last several days (as that's when I've turned the logging on) that I'm being port-scanned. While it's probably mainly zombie PCs and Windows worms looking for a host, I still don't like the idea of being scanned on a regular basis.
As far as securing each machine, they all have firewalls (MacOS X's or Windows'; all except the TiVo I suppose) turned on, and all non-essential services are turned off. Basically, only one machine has AFP file-sharing enabled. All machines are behind the Airport's NAT system. Herein lies the problem...
The thing is, the Airport will acknowledge any (outside/public) ping request made to it, and when port-scanned, will return an open or closed response, indicating of course that at least some kind of machine exists here. MacOS X 10.4's firewall, on the other hand, will ignore any request made to it (unless a specific port is open) via its "Stealth" mode.
So, am I better off letting hackers/worms/zombie PCs port-scan me all day (while I sit behind the NAT and each machine's own firewall), or would connecting one of my machines directly to the cable modem's WAN port and turning on stealth mode in the firewall (so port-scanners don't see any machines alive at my IP address) be better (then feeding 'net access back to the Airport via OS X's internet sharing)? Or, third option, should I buy some kind of hardware/router to go between the Airport and the cable modem - one that has a stealth function built-in?
Any thoughts??
Not trying to be paranoid... just prudent. Plus, I do have a Windows box in here :brink: hence the need for good security. And doesn't being port-scanned 24/7 result in some kind of network/cable modem service degradation??