Tiny (?) Personal Firewall
  • #16
    Originally posted by Gurm
    I'm using a little thing called a router. All my ports are blocked as effectively as (or MORE effectively than) with a "software firewall", with no CPU resources taken or network slowdown observed.

    And the best part? It was no more expensive than a so-called "software firewall" and serves the dual purpose of being a router.

    - Gurm
    Routers are not firewalls. If one port is open, you're not protected. I don't know what router you have, but some have some form of NAT which helps and/or a (mini) stateful firewall (like Cisco's).

    It's good to put a router to offload your firewall, but it's not a firewall.



    • #17
      A lot of routers have firewalls, as mine does.
      Chief Lemon Buyer no more Linux sucks but not as much
      Weather nut and sad git.

      My Weather Page



      • #18
        What do you define as a "firewall" here? AFAIK most routers have in "hardware":

        -NAT
        -port forwarding of all incoming ports blocked by default unless specifically enabled by port number/range to point to an individual LAN-side IP address/machine
        -all outgoing ports go straight out
        -no response to pings

        Does this do everything that a software firewall does? Or do software firewalls also catch stuff that's going out on unapproved ports as well as coming in? (Or am I talking crap here - I don't really do networks)
        DM says: Crunch with Matrox Users@ClimatePrediction.net



        • #19
          Well, this is what my Netgear DG834G does:

          True Firewall with Stateful Packet Inspection (SPI) & Intrusion Control, Denial of Service (DoS), Virtual Private Network (VPN) pass-through

          Still use a software firewall combined with this though.
          Chief Lemon Buyer no more Linux sucks but not as much
          Weather nut and sad git.

          My Weather Page



          • #20
            Originally posted by GNEP
            What do you define as a "firewall" here? AFAIK most routers have in "hardware":

            -NAT
            -port forwarding of all incoming ports blocked by default unless specifically enabled by port number/range to point to an individual LAN-side IP address/machine
            -all outgoing ports go straight out
            -no response to pings

            Does this do everything that a software firewall does? Or do software firewalls also catch stuff that's going out on unapproved ports as well as coming in? (Or am I talking crap here - I don't really do networks)
            Router: brick wall - you can make holes in it
            Firewall: automatic sliding doors - it looks closed all the time but it will allow some stuff in (following your rules)



            • #21
              The Pit,

              With my previous firewall I had *all* ports blocked unless said otherwise by a specific rule for a specific application.
              "For every action, there is an equal and opposite criticism."



              • #22
                Originally posted by TransformX
                The Pit,

                With my previous firewall I had *all* ports blocked unless said otherwise by a specific rule for a specific application.
                That's the way any real firewall works: block everything unless specified.

                If it doesn't, it ain't a firewall



                • #23
                  And then there is everyone else, who doesn't want to spend 6 months configuring a complex piece of software to handle everything they do with the internet.

                  I use a linux box as a NAT gateway/semi-firewall. It does the job.
                  80% of people think I should be in a Mental Institute



                  • #24
                    Originally posted by rugger
                    And then there is everyone else, who doesn't want to spend 6 months configuring a complex piece of software to handle everything they do with the internet.

                    I use a linux box as a NAT gateway/semi-firewall. It does the job.
                    Why 6 months ?
                    Just say "block everything unless a specific rule exists" and then "ask me" for anything else.
                    Run all your networking applications and 2-3 hours later you can disable the "ask me" and be happy.

                    Stupid ? Maybe.
                    Effective ? You bet !
                    "For every action, there is an equal and opposite criticism."

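The two models argued over in this thread, the router's stateful inbound filter (posts #18 to #20) and the personal firewall's "block everything unless a rule exists, then ask me" outbound policy (posts #22 and #24), can be simulated side by side. The following is an added example written for this page, not code from any product or poster mentioned in the thread; the packets, addresses, program names and user answers are constructed, and NAT address rewriting is deliberately left out so that only the flow table and the rule table are modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (from the Internet) or "out" (from the LAN/host)
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int          # 0 for icmp
    dst: str
    dport: int          # 0 for icmp
    app: str = ""       # originating program; only a host firewall can see this


class StatefulFilter:
    """Router-style stateful packet inspection as the posts describe it: every
    outbound packet opens a flow, inbound packets are accepted only if they
    answer a tracked flow or hit an explicit port-forward, and everything else
    is silently dropped (no reset, no ICMP unreachable, no ping reply)."""

    def __init__(self, forwards=()):
        self.forwards = set(forwards)   # (proto, dport) holes the owner opened
        self.flows = set()              # (proto, lan_ip, lan_port, wan_ip, wan_port)

    def filter(self, pkt):
        if pkt.direction == "out":
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept"             # "all outgoing ports go straight out"
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "accept"             # reply to a connection the LAN started
        if (pkt.proto, pkt.dport) in self.forwards:
            return "accept"             # a hole made in the "brick wall"
        return "drop"                   # default deny: the prober sees nothing


class AppFirewall:
    """Host (personal) firewall outbound policy: block everything unless a rule
    for (program, proto, port) exists; in learning mode an unknown program is
    put to the user and the answer is recorded as a new rule."""

    def __init__(self, rules=None, learning=False):
        self.rules = dict(rules or {})  # (app, proto, dport) -> "accept"/"drop"
        self.learning = learning

    def filter(self, pkt, ask=lambda pkt: False):
        key = (pkt.app, pkt.proto, pkt.dport)
        if key not in self.rules:
            if not self.learning:
                return "drop"           # no rule and no prompt: default deny
            self.rules[key] = "accept" if ask(pkt) else "drop"
        return self.rules[key]


def demo():
    """Run constructed traffic through both filters and return the verdicts."""
    lan, web, prober = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    router = StatefulFilter(forwards={("tcp", 22)})   # one port deliberately opened
    v = {}
    v["out_http"] = router.filter(Packet("out", "tcp", lan, 50000, web, 80))
    v["http_reply"] = router.filter(Packet("in", "tcp", web, 80, lan, 50000))
    v["unsolicited_smb"] = router.filter(Packet("in", "tcp", prober, 40000, lan, 445))
    v["forwarded_ssh"] = router.filter(Packet("in", "tcp", prober, 40001, lan, 22))
    v["inbound_ping"] = router.filter(Packet("in", "icmp", prober, 0, lan, 0))
    v["out_ping"] = router.filter(Packet("out", "icmp", lan, 0, web, 0))
    v["ping_reply"] = router.filter(Packet("in", "icmp", web, 0, lan, 0))

    # Host firewall: start with the mail-only rules from the thread, learn the rest.
    host = AppFirewall({("outlook", "tcp", 25): "accept",
                        ("outlook", "tcp", 110): "accept"}, learning=True)
    user_says_yes = {"browser"}                      # constructed user answers

    def ask(pkt):
        return pkt.app in user_says_yes

    v["outlook_smtp"] = host.filter(Packet("out", "tcp", lan, 50001, web, 25, app="outlook"))
    v["outlook_http"] = host.filter(Packet("out", "tcp", lan, 50002, web, 80, app="outlook"), ask)
    v["browser_http"] = host.filter(Packet("out", "tcp", lan, 50003, web, 80, app="browser"), ask)
    v["windvd_http"] = host.filter(Packet("out", "tcp", lan, 50004, web, 80, app="windvd"), ask)
    host.learning = False                            # "2-3 hours later, disable ask me"
    v["gator_http"] = host.filter(Packet("out", "tcp", lan, 50005, web, 80, app="gator"), ask)
    v["browser_again"] = host.filter(Packet("out", "tcp", lan, 50006, web, 80, app="browser"))
    return v


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

Running it shows the split the thread circles around: the router accepts the HTTP and ping replies to flows the LAN opened, drops the unsolicited SMB probe and the inbound ping, and lets the forwarded SSH probe through because that hole was opened on purpose; it never sees which program sent a packet. The host firewall is the only layer that can tell "outlook" on port 25 from "outlook" on port 80, and once learning is switched off a program that was never asked about (here "gator") is dropped by default rather than prompted for.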


                    • #25
                      Originally posted by TransformX
                      Why 6 months ?
                      Just say "block everything unless a specific rule exists" and then "ask me" for anything else.
                      Run all your networking applications and 2-3 hours later you can disable the "ask me" and be happy.

                      Stupid ? Maybe.
                      Effective ? You bet !
                      Effective against what? Trojan software and viruses are much better dealt with by a good virus scanner. Incoming connections are much better filtered by a NAT gateway.

                      This doesn't even begin to describe the basic problem that running your own firewall usually is. Unless you are particularly careful in setting up your system, your firewall will run at the same permission level as your programs do. This means that the firewall will be trivial for any program that wishes to do so to defeat.

                      Then there is the issue of "ET phone home" programs. If you have programs that do this on your system, that contact internet hosts for no legitimate reason, you have a greater problem than just the "phoning home". If you can't trust a program to access the network, how can you trust it on your computer at all, where it has access to all your data?

                      As for blocking ICMP echo requests, I can't really see where all the obsession over using that is. Granted, if you are being attacked with ICMP echo requests, it would be wise to block them. But other than that, ICMP echo is a useful diagnostic and should be left running.
                      80% of people think I should be in a Mental Institute



                      • #26
                        Sometimes you can’t use HW firewalls in front of the PC.
                        In my case, I am a client in a bigger WLAN network (1.0 Mbps).
                        The ISP owns the server, about 3 Km away from me and I have only a connection from an outdoor antenna to my PC.
                        No way to insert a router.
                        The only way, except changing to ADSL/Cable, is:

                        ---Antenna---Local Server PC with radio card----Router/Firewall-----Computer(s).

                        People here use this setting. But I can’t, yet.
                        ZoneAlarm works fine for me.

                        I Tried the Norton Internet Security 2004. What a system load, slow down…

                        Fred H
                        It ain't over 'til the fat lady sings...
                        ------------------------------------------------



                        • #27
                          Originally posted by rugger
                          your firewall will run at the same permission level as your programs do. This means that the firewall will be trivial for any program that wishes to do so to defeat.
                          Tiny firewall runs as a service and controls even the system trying to connect to the NIC...

                          Then there is the issue of "ET phone home" programs. If you have programs that do this on your system, that contact internet hosts for no legitimate reason, you have a greater problem than just the "phoning home". If you can't trust a program to access the network, how can you trust it on your computer at all, where it has access to all your data?
                          WinDVD and other proggies love connecting to the net for some reason, so I block them. Outlook Express loves connecting to the net to show you rubbish someone sent in HTML, so I block all ports except for 25 and 110...

                          As for blocking ICMP echo requests, I can't really see where all the obsession over using that is. Granted, if you are being attacked with ICMP echo requests, it would be wise to block them. But other than that, ICMP echo is a useful diagnostic and should be left running.
                          If I don't return pings, I'm simply not there... Ever thought about it?
                          If in doubt, CNN and Yahoo don't (or didn't) return pings either.
                          "For every action, there is an equal and opposite criticism."



                          • #28
                            Originally posted by Fred H

                            I Tried the Norton Internet Security 2004. What a system load, slow down…

                            Fred H
                            yup, NIS is a reeeking POS!!
                            If there's artificial intelligence, there's bound to be some artificial stupidity.

                            Jeremy Clarkson "806 brake horsepower..and that on that limp wrist faerie liquid the Americans call petrol, if you run it on the more explosive jungle juice we have in Europe you'd be getting 850 brake horsepower..."



                            • #29
                              Originally posted by TransformX
                              Tiny firewall runs as a service and controls even the system trying to connect to the NIC...
                              Nope, any program running with administrator privileges can disable/remove any service it feels like.

                              Originally posted by TransformX

                              WinDVD and other proggies love connecting to the net for some reason, so I block them. Outlook express loves connecting to the net to show you rubbish someone sent in HTML, so I block all ports except for 25 and 110...
                              Hmmm, that's actually not a bad use (Outlook Express). But if you are worried about HTML sent to you, it would probably be better to filter your inbound email to remove image tags.

                              Originally posted by TransformX

                              If I don't return pings, I'm simply not there... Ever thought about it?
                              If in doubt, CNN and Yahoo don't (or didn't) return pings either.
                              Haha, of course you're still there, and only the dumbest of people would think that you disappeared simply because you are not responding to ICMP echo. Putting your hands over your ears and shouting "I'm not here, I am not listening" is not likely to be a significant deterrent to most hackers and hacking software.

                              The only reason big sites like CNN and Yahoo block pings is that ICMP echo makes a simple way to do DOS attacks on large sites. On a normal user's connection there is no point, because the smaller connections we use are trivial to use any DOS attack on.
                              80% of people think I should be in a Mental Institute



                              • #30
                                When was the last time you monitored your inbound connections?
                                When was the last time you identified a port scanner probing your computer?
                                I've seen it more than a few times. The good news on my side is that all those probes were left without an answer, as if I'm not there.

                                About shutting down services, show me the trojan/virus that knows each and every firewall process to shut it down without the user noticing...

                                Once again, so far so good. If people use my computer and let sh!t like gator or whatever install itself, my firewall keeps it locked outside of the net so it can't grow or spam or do anything.
                                Once I change my firewall's status to "ask me", I see if there are any unwanted "guests" asking for permission to do whatever, so I eliminate them with extreme prejudice.
                                "For every action, there is an equal and opposite criticism."
