
Are personal firewalls snake oil?


  • #16
    Originally posted by Byock
    NAT is good, but not foolproof by any means. I much prefer a router/gateway firewall to a personal firewall. I run an OpenBSD box as my firewall behind the default Linksys one on the DSL router. This way I don't have it slowing down my machine.

    Better yet - NAT and a hardware firewall TOGETHER!

    (Says me, while running a Symantec firewall until such time as I can scrounge up a Sonicwall...)
    Last edited by Gurm; 28 September 2006, 17:24.
    The Internet - where men are men, women are men, and teenage girls are FBI agents!

    I'm the least you could do
    If only life were as easy as you
    I'm the least you could do, oh yeah
    If only life were as easy as you
    I would still get screwed



    • #17
      Originally posted by Taz
      NAT offers some protection but only some; port forwarding and sticking a PC in the DMZ circumvents it. It also doesn't protect you from connections initiated from your LAN, i.e. if your PC has a trojan or similar. Most routers and Windows XP's own firewall also make the assumption that all traffic initiated from the LAN is safe. At least with a software firewall you'd know if something was trying to get out. It's not foolproof but it does add another layer of protection.
      Sure, but at what cost? You're duplicating work. You have an anti-virus program to make sure you don't get a Trojan... so why inconvenience yourself and burden your CPU further?

      Define "only some" protection? Only open the ports you're using. *shrug*
      The Internet - where men are men, women are men, and teenage girls are FBI agents!

      I'm the least you could do
      If only life were as easy as you
      I'm the least you could do, oh yeah
      If only life were as easy as you
      I would still get screwed



      • #18
        Now, now, children. Let's play nicely. Gurm, consider yourself warned. No more personal attacks on the public forum. If someone offends you please contact an admin and we will deal with it. -Jammrock
        Last edited by Jammrock; 29 September 2006, 07:59.
        The Internet - where men are men, women are men, and teenage girls are FBI agents!

        I'm the least you could do
        If only life were as easy as you
        I'm the least you could do, oh yeah
        If only life were as easy as you
        I would still get screwed



        • #19
          Originally posted by The PIT
          My own view is that they're fairly useless and just eat up resources.
          Thank you.

          As for being hacked behind NAT I'm sure you can if you're careless enough.
          Absolutely. Most people behind NAT just open port after port after port. People pick on UPnP, but honestly I love having a firewall that goes "oh yes Mr. Bitcomet, I can open that listening port for you no problem" and "oh, you're closing? Ok, I'll close that port now thanks!"

          Most users using P2P do download stuff blindly; even "so called experts" get tempted at times. If you don't believe me, sit in our University Workshops cleaning Student machines and you'll see how dumb most of them are.
          No doubt. But we're talking about MURC caliber people here, right? For MURCers there's no point to running something that sucks that much life out of your system in order to protect you from yourself...
          The Internet - where men are men, women are men, and teenage girls are FBI agents!

          I'm the least you could do
          If only life were as easy as you
          I'm the least you could do, oh yeah
          If only life were as easy as you
          I would still get screwed



          • #20
            Software firewalls are pretty useless. IMO, they're only good for one thing: telling you when something is trying to phone home (like WGA, or Sony's crap, or whatever). Otherwise, they're not going to help you. Shut down unnecessary services, don't use IE (using IE is like sharing needles: eventually, you're going to catch something), don't use Outlook unless it's very controlled, and use a real firewall to block any vulnerable ports. NAT helps, AV software helps, software firewalls don't.
            Gigabyte P35-DS3L with a Q6600, 2GB Kingston HyperX (after *3* bad pairs of Crucial Ballistix 1066), Galaxy 8800GT 512MB, SB X-Fi, some drives, and a Dell 2005fpw. Running WinXP.



            • #21
              If using IE is like sharing needles, is using a secure browser being addicted to heroin, but having clean equipment?
              There's an Opera in my macbook.



              • #22
                Originally posted by az
                If using IE is like sharing needles, is using a secure browser being addicted to heroin, but having clean equipment?
                Methadone.
                The Internet - where men are men, women are men, and teenage girls are FBI agents!

                I'm the least you could do
                If only life were as easy as you
                I'm the least you could do, oh yeah
                If only life were as easy as you
                I would still get screwed



                • #23
                  No, that'd be using the 'net with a porn filter.
                  There's an Opera in my macbook.



                  • #24
                    Originally posted by Gurm
                    No doubt. But we're talking about MURC caliber people here, right? For MURCers there's no point to running something that sucks that much life out of your system in order to protect you from yourself...
                    In which case none of us here need to use anti-virus programs either, as we're not going to open attachments on strange emails, download dubious programs or visit dodgy websites.
                    When you own your own business you only have to work half a day. You can do anything you want with the other twelve hours.



                    • #25
                      That's actually correct. If you stick your stick in somebody else's port though, you should use virus protection. You never know where they surf or if their last virus scan is still accurate.
                      There's an Opera in my macbook.



                      • #26
                        Folks, nobody is truly secure. You can minimize problems by keeping everything up to date but there will always be a new way to circumvent a PC/network/router/switch/whatever...

                        There are new features out on the router/switch side (enterprise, ISP level) that will allow you to stop almost anything including zero day attacks. NBAR (Network Based Application Recognition) and FPM (Flexible Packet Matching) are two features that will help stop these kinds of problems at the ISP level and prevent the nastiest of problems coming to your PC. These features will help keep things to a minimum. I'm not sure these features will ever reach an end-user switch/router but I'm sure a simpler version may come into play.

                        FPM: http://www.cisco.com/en/US/products/...roup_home.html

                        NBAR: http://www.cisco.com/en/US/products/...roup_home.html
                        Ladies and gentlemen, take my advice, pull down your pants and slide on the ice.



                        • #27
                          Small follow-up/how it went:
                          For half a year I've been online, behind NAT in a huge Uni network. Initially I used the firewall integrated with Windows. However, during a short experiment I noticed BT was faster without it, so I decided to try... for a few months I haven't had any firewall. And Windows is completely clean (yes, never mind that it doesn't act suspiciously, I check it from time to time). So probably NAT is enough... (anyway, in this network of perhaps a few hundred machines, quite a lot are infected/unpatched) ...at least when it comes to fully patched Windows 2003.
