MacNN Forums > Enthusiast Zone > Networking > Benefits of a Firewall over a simple NAT router ?

Benefits of a Firewall over a simple NAT router ?
Sarc
Mac Elite
Join Date: Sep 2001
Location: Chile
Status: Offline
Apr 21, 2009, 11:42 PM
 
Just trying to figure out the benefits of having a full-fledged firewall between the internet and my SOHO network. Are there any real security advantages over just having a router NAT a single IP, making the network's client computers unreachable from outside the LAN?

Thanks !
:: frankenstein / lcd-less TiBook / 1GHz / radeon 9000 64MB / 1GB RAM / w/ext. 250GB fw drive / noname usb bluetooth dongle / d-link usb 2.0 pcmcia card / X.5.8
:: unibody macbook pro / 2.4 Ghz C2D / 6GB RAM / dell 2407wfp - X.6.3
     
Simon
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
Status: Offline
Apr 22, 2009, 12:53 AM
 
You can punch holes into NAT from the inside. In fact, that happens quite frequently. Skype, iChat, etc. do it all the time.

A good FW gives you control over traffic in both directions. NAT does not make FWs superfluous.

That said, NAT is still better than nothing.
     
dimmer
Mac Enthusiast
Join Date: Feb 2006
Status: Offline
May 4, 2009, 09:01 PM
 
NAT does well for what it is designed to do (sharing one IP address with a number of computers) and it does, not by design, provide pretty useful security. But security was not the intent, and NAT has no concept of state -- so it's possible that an external source may gain a connection to your computer if it guesses the IP address and source port at the right time. As Simon noted, NAT also won't do anything to stop applications on your system from opening whatever ports they want, so potential malware problems are indicated.
     
gaming4fun
Fresh-Faced Recruit
Join Date: May 2009
Status: Offline
May 28, 2009, 01:05 AM
 
A PC dedicated to firewalling is able to handle DDoS attacks and won't get bogged down as soon as a router firewall would.
     
Simon
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
Status: Offline
May 28, 2009, 03:03 AM
 
Most people (including SOHO users like the OP) should be more occupied with security than with defending against DDoS attacks.

I don't know about you, but I have never been subjected to a DDoS. I have however seen many break in attempts (ssh brute force mainly).
     
milhous
Mac Elite
Join Date: Sep 2000
Location: Millersville, PA
Status: Offline
Jun 27, 2009, 01:07 AM
 
Currently, I port forward ssh from the router to my mbp (only computer) so that I can vnc to it from work over an ssh tunnel. But even with a strong password, I don't like the idea that the router is hitting the mbp directly from the internet. Kind of wished I had an extra machine as an intermediary to act as a firewall.
F = ma
     
Cold Warrior
Moderator
Join Date: Jan 2001
Location: Polwaristan
Status: Offline
Jun 27, 2009, 02:06 AM
 
Originally Posted by milhous
Currently, I port forward ssh from the router to my mbp (only computer) so that I can vnc to it from work over an ssh tunnel. But even with a strong password, I don't like the idea that the router is hitting the mbp directly from the internet. Kind of wished I had an extra machine as an intermediary to act as a firewall.
Issue a certificate and disable username/password ssh login. This is very secure -- more than a login/password.
     
milhous
Mac Elite
Join Date: Sep 2000
Location: Millersville, PA
Status: Offline
Jun 28, 2009, 02:44 PM
 
Got any guides or links on how to do this?

By certificate, do you mean generating a private/public key pair?
F = ma
     
Cold Warrior
Moderator
Join Date: Jan 2001
Location: Polwaristan
Status: Offline
Jun 28, 2009, 05:45 PM
 
Yes. I think it's ssh-keygen with some parameters. Best bet is to google for it and standard ssh setup guides, which often have subsections on how to set it up. The Ubuntu guides are great and are generally usable for OS X too if it's something like ssh (they both use openssh). Then you'll need to edit sshd.conf to disallow username/pwd logins. I recommend testing this locally on the LAN where you have physical access to the host machine in case the setup goes awry and you lock yourself out of the ssh host.
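Putting the key-only login advice above into a form that can be checked before it goes live, as an added example that is not code from the thread or from any poster: a POSIX shell script that edits a copy of an OpenSSH sshd_config so only public-key logins are accepted, then verifies the effective directives. The sample config, temp file paths and the commented client-side commands are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Hardens a copy of an OpenSSH sshd_config
# so that only public-key logins are accepted, then checks the result.
# Client side (run once, interactively; shown as comments, not executed here):
#   ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519      # create the key pair
#   ssh-copy-id -i ~/.ssh/id_ed25519.pub user@host   # install the public key, if available

# set_directive FILE KEY VALUE: remove existing active or commented lines for KEY
# (case-insensitive) and append one authoritative "KEY VALUE" line.
set_directive() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    grep -iv "^[[:space:]]*#\{0,1\}[[:space:]]*$key[[:space:]]" "$file" > "$tmp" || true
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# harden_sshd_config FILE: keys only; no password or keyboard-interactive auth
harden_sshd_config() {
    set_directive "$1" PubkeyAuthentication yes
    set_directive "$1" PasswordAuthentication no
    set_directive "$1" ChallengeResponseAuthentication no
}

# directive FILE KEY: effective value of KEY (last uncommented occurrence wins)
directive() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == k { v = $2 } END { print v }' "$1"
}

# check_hardened FILE: succeed only if every required directive has its value
check_hardened() {
    [ "$(directive "$1" PasswordAuthentication)" = no ] &&
    [ "$(directive "$1" ChallengeResponseAuthentication)" = no ] &&
    [ "$(directive "$1" PubkeyAuthentication)" = yes ]
}

# Constructed sample resembling a stock sshd_config (placeholder, not a real host's).
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PubkeyAuthentication yes
PasswordAuthentication yes
#ChallengeResponseAuthentication yes
Subsystem sftp /usr/libexec/sftp-server
EOF
harden_sshd_config "$sample"
check_hardened "$sample" && echo "sample now accepts key logins only"
# On the real host: back up /etc/ssh/sshd_config, apply, run `sshd -t`, and keep
# an existing session open while a fresh key login is tested from the LAN.
```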