Benefits of a Firewall over a simple NAT router?
Mac Elite
Join Date: Sep 2001
Location: Chile
Just trying to figure out the benefits of having a full fledged firewall between the internet and my SOHO network. Are there any real security advantages over just having a router NAT a single IP, making the network's client computers unreachable from outside the LAN?
Thanks!
:: frankenstein / lcd-less TiBook / 1GHz / radeon 9000 64MB / 1GB RAM / w/ext. 250GB fw drive / noname usb bluetooth dongle / d-link usb 2.0 pcmcia card / X.5.8
:: unibody macbook pro / 2.4 Ghz C2D / 6GB RAM / dell 2407wfp - X.6.3
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
You can punch holes into NAT from the inside. In fact, that happens quite frequently. Skype, iChat, etc. do it all the time.
A good FW gives you control over traffic in both directions. NAT does not make FWs superfluous.
That said, NAT is still better than nothing.
Mac Enthusiast
Join Date: Feb 2006
NAT does well for what it is designed to do (sharing one IP address with a number of computers) and it does, not by design, provide pretty useful security. But security was not the intent, and NAT has no concept of state -- so it's possible that an external source may gain a connection to your computer if it guesses the IP address and source port at the right time. As Simon noted, NAT also won't do anything to stop applications on your system from opening whatever ports they want, so potential malware problems are indicated.
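The two points made in the replies above (an inside program can open any port it likes through NAT, and a forwarder that only checks for a port mapping will accept a packet from a third party who guesses the public port) can be shown side by side with a small model. This is an added example, not code from the thread: it models the NAT as a full-cone mapping table, as the post assumes, and contrasts it with a gateway that also tracks the remote peer of each flow and applies an egress policy. All addresses are constructed documentation-range values.

```python
"""Toy model: NAT-only gateway versus a stateful, policy-enforcing firewall.

Constructed example, not code from the thread. Packets are plain records,
the "network" is a few dictionaries, and every address is made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


PUBLIC_IP = "203.0.113.10"  # constructed public address of the gateway


class NatGateway:
    """Pure NAT: rewrites addresses and forwards anything that matches a mapping.

    It keeps no record of which remote peer the inside host talked to, and it
    has no outbound policy, so any inside application may open any port.
    """

    def __init__(self):
        self.mappings = {}   # (inside_ip, inside_port) -> public_port
        self.reverse = {}    # public_port -> (inside_ip, inside_port)
        self.next_port = 40000

    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return Packet(PUBLIC_IP, self.mappings[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Any packet to a mapped public port is delivered, whoever sent it."""
        inside = self.reverse.get(pkt.dst_port)
        if inside is None:
            return None  # dropped: no mapping exists for this port
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


class StatefulFirewall(NatGateway):
    """NAT plus connection tracking and an egress allow-list."""

    def __init__(self, allowed_dst_ports):
        super().__init__()
        self.allowed_dst_ports = set(allowed_dst_ports)
        self.flows = set()   # (public_port, remote_ip, remote_port)

    def outbound(self, pkt):
        if pkt.dst_port not in self.allowed_dst_ports:
            return None      # egress policy: dropped before any translation
        out = super().outbound(pkt)
        self.flows.add((out.src_port, pkt.dst_ip, pkt.dst_port))
        return out

    def inbound(self, pkt):
        if (pkt.dst_port, pkt.src_ip, pkt.src_port) not in self.flows:
            return None      # unsolicited: no tracked flow with this peer
        return super().inbound(pkt)


def run_scenario(gateway):
    """Drive one gateway through three events.

    Returns (reply_delivered, guessed_port_delivered, rogue_egress_sent).
    """
    inside = Packet("192.168.1.20", 51000, "198.51.100.5", 443)
    translated = gateway.outbound(inside)
    public_port = translated.src_port

    # 1. legitimate reply from the peer the inside host actually contacted
    reply = Packet("198.51.100.5", 443, PUBLIC_IP, public_port)
    reply_delivered = gateway.inbound(reply) is not None

    # 2. a third party that hit the mapped public port (the case the post describes)
    other = Packet("192.0.2.99", 443, PUBLIC_IP, public_port)
    guessed_port_delivered = gateway.inbound(other) is not None

    # 3. an inside program opening an arbitrary outbound port on its own
    rogue = Packet("192.168.1.20", 52000, "192.0.2.99", 6881)
    rogue_egress_sent = gateway.outbound(rogue) is not None

    return reply_delivered, guessed_port_delivered, rogue_egress_sent


if __name__ == "__main__":
    print("NAT only    :", run_scenario(NatGateway()))
    print("stateful FW :", run_scenario(StatefulFirewall(allowed_dst_ports=[80, 443])))
```

The NAT-only gateway delivers all three packets; the stateful gateway delivers only the genuine reply, dropping the packet from the unrelated host and refusing the outbound connection that is not on the allow-list. Real NAT implementations vary (symmetric NATs already tie the mapping to the remote peer), so this only illustrates the behaviour the post is warning about.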
Fresh-Faced Recruit
Join Date: May 2009
A PC dedicated to firewalling is able to handle DDoS attacks and won't get bogged down as soon as a router firewall.
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
Most people (including SOHO users like the OP) should be more occupied with security than with defending against DDoS attacks.
I don't know about you, but I have never been subjected to a DDoS. I have however seen many break in attempts (ssh brute force mainly).
Mac Elite
Join Date: Sep 2000
Location: Millersville, PA
Currently, I port forward ssh from the router to my mbp (only computer) so that I can vnc to it from work over an ssh tunnel. But even with a strong password, I don't like the idea that the router is hitting the mbp directly from the internet. Kind of wished I had an extra machine as an intermediary to act as a firewall.
F = ma
Moderator
Join Date: Jan 2001
Location: Polwaristan
Originally Posted by milhous
Currently, I port forward ssh from the router to my mbp (only computer) so that I can vnc to it from work over an ssh tunnel. But even with a strong password, I don't like the idea that the router is hitting the mbp directly from the internet. Kind of wished I had an extra machine as an intermediary to act as a firewall.
Issue a certificate and disable username/password ssh login. This is very secure -- more than a login/password.
Mac Elite
Join Date: Sep 2000
Location: Millersville, PA
Got any guides or links on how to do this?
By certificate, do you mean generating a private/public key pair?
Moderator
Join Date: Jan 2001
Location: Polwaristan
Yes. I think it's ssh-keygen with some parameters. Best bet is to google for it and standard ssh setup guides, which often have subsections on how to set it up. The Ubuntu guides are great and are generally usable for OS X too if it's something like ssh (they both use OpenSSH). Then you'll need to edit sshd.conf to disallow username/pwd logins. I recommend testing this locally on the LAN where you have physical access to the host machine in case the setup goes awry and you lock yourself out of the ssh host.
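The lock-yourself-out risk in the reply above comes from getting the server-side directives wrong, so it helps to check the file before restarting sshd. The following is an added example, not code from the thread: it parses OpenSSH's server configuration (the file is sshd_config, normally /etc/ssh/sshd_config, rather than sshd.conf) using OpenSSH's first-occurrence-wins rule and reports every directive that still permits password or keyboard-interactive login. The two sample configs are constructed. The key pair itself is made with `ssh-keygen -t ed25519`, the public key is appended to `~/.ssh/authorized_keys` on the host (`ssh-copy-id` does this), and `sshd -t` checks the edited file for syntax errors before the daemon is reloaded.

```python
"""Audit an OpenSSH sshd_config for key-only authentication.

Added example, not from the thread. The sample configs below are constructed.
"""
import re

# directive (lower-cased) -> value needed so that only public keys are accepted
REQUIRED = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",  # keyboard-interactive, older name
    "kbdinteractiveauthentication": "no",     # keyboard-interactive, newer name
}

# what OpenSSH assumes when the directive is absent or commented out
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}


def parse_sshd_config(text):
    """Return {directive: value} for the global section of an sshd_config.

    OpenSSH uses the first occurrence of a directive, accepts either
    whitespace or '=' as the separator, and treats keywords case-insensitively.
    Parsing stops at the first Match block, whose directives are conditional
    and need separate review.
    """
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break
        seen.setdefault(key, value)  # first occurrence wins
    return seen


def audit(text):
    """Return [(directive, effective_value, required_value)] for each failure."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, wanted in REQUIRED.items():
        effective = cfg.get(key, DEFAULTS[key])
        if effective != wanted:
            findings.append((key, effective, wanted))
    return findings


def password_login_disabled(text):
    """True only when every directive in REQUIRED has its required value."""
    return not audit(text)


# constructed: a stock file where everything is still commented out
STOCK = """\
#PubkeyAuthentication yes
#PasswordAuthentication yes
#ChallengeResponseAuthentication yes
Subsystem sftp /usr/libexec/sftp-server
"""

# constructed: the same file after following the advice in the thread
HARDENED = """\
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
AuthorizedKeysFile .ssh/authorized_keys
"""

if __name__ == "__main__":
    for name, text in (("stock", STOCK), ("hardened", HARDENED)):
        print(name, "->", audit(text) or "ok")
```

Setting both ChallengeResponseAuthentication and KbdInteractiveAuthentication is harmless on releases that only know one of the two names, and the audit deliberately flags a missing directive rather than trusting the default, which is the same conservative stance the reply recommends: prove the key login works from a second session on the LAN before closing the password door.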