Software firewall vs router

Posted in Mac Software, edited January 2014
I had the OSX Firewall turned on because I have a cable modem.

I just bought a router to hook up my PC also. Since routers have built-in firewalls, can I turn off the Apple firewall? And also the Winblows firewall too?

Comments

  • Reply 1 of 17
    Steve,



    I have a similar set up, i.e. my Mac and wife's PC sharing a cable connection via a router (used to be wired, but now we've gone Airport Express). We don't have the software firewalls turned on, the NAT on the router does a good job. We've never had any problems with things like Windows Messenger pop-ups on the PC.



    Hope that helps.



    Dave.
  • Reply 2 of 17
    Quote:

    Originally posted by steve666

    I had the OSX Firewall turned on because I have a cable modem.

    I just bought a router to hook up my PC also. Since routers have built-in firewalls, can I turn off the Apple firewall? And also the Winblows firewall too?




    Routers do not necessarily have built-in firewalls - some do, some don't. More specifically, NAT is not a firewall.



    Generally, if your router has a SPI (stateful packet inspection) firewall and is capable of bi-directional rules, you can disable the software firewalls on your computers. A lot of people use both as they are not completely redundant.



    So, if the "built-in" firewall is NAT or does not allow for bi-directional custom rules, I would keep the software firewalls activated. Otherwise, it is up to you and how secure you want to be.
  • Reply 3 of 17
    NAT routers all have firewalls built in, that is part of how NAT works, and for most people it will do everything they want. hmmfe is talking about more advanced (and processor hungry) features that expensive firewalls have. This is not necessary for home users, and putting bi-directional rules on another box is just begging for end-user difficulties. In practice it takes a lot more work (and a close network proximity) to break through a NAT system than crackers are willing to put in. It is far easier to use some sort of trojan to get in (why break in through the door when the window[s] is wide open?).



    One reason to possibly keep the firewall on on Windows is that if you have multiple Windows boxes on the same network it can sometimes prevent a virus spreading from one of them to the other. This is not a concern for MacOS X.
  • Reply 4 of 17
    steve666 (Posts: 2,600, member)
    Thanks all, the netgear router has complete firewall protection so I will turn off the software firewalls.



    Another question though-

    I notice the 'internet' light on the router constantly flickers, even when I'm not on the net and when the computers are turned off - is this normal? The other lights stay on steady.



    Also, am I supposed to turn off the router when my computers are off?

    I noticed that the activity light on the cable modem went off whenever I shut down my Mac. However, after I shut off both the Mac and PC after connecting the router I noticed the activity light stayed on - is this because the router is on, and is this a problem?

    Thanks
  • Reply 5 of 17
    Quote:

    Originally posted by Karl Kuehn

    In practice it takes a lot more work (and a close network proximity) to break through a NAT system than crackers are willing to put in. It is far easier to use some sort of trojan to get in (why break in through the door when the window[s] is wide open?).





    Karl & hmmfe, please let me know if I have this right.



    A non-stateful NAT firewall does absolutely nothing to deal with TCP hi-jacking?



    Which leads to the question: how exactly does a stateful firewall handle this? I mean - a lot of work has to go into a hi-jack, doesn't it? You have to spoof the IP of the previous external host, you have to sniff packets to get sequence numbers (all this considered, it's - as you mentioned - no surprise that your average cracker just avoids this route, and instead just throws out trojans and sees who gets infected).



    Anyway, if you wouldn't mind, please fill me in - if you can get all this stuff right (sequence & IP spoof) how can a stateful Firewall help you?



    OT
  • Reply 6 of 17
    Quote:

    Originally posted by OverToasty

    Karl & hmmfe, please let me know if I have this right.



    A non-stateful NAT firewall does absolutely nothing to deal with TCP hi-jacking?



    Which leads to the question: how exactly does a stateful firewall handle this? I mean - a lot of work has to go into a hi-jack, doesn't it? You have to spoof the IP of the previous external host, you have to sniff packets to get sequence numbers (all this considered, it's - as you mentioned - no surprise that your average cracker just avoids this route, and instead just throws out trojans and sees who gets infected).



    Anyway, if you wouldn't mind, please fill me in - if you can get all this stuff right (sequence & IP spoof) how can a stateful Firewall help you?



    OT




    Actually, NAT has to be stateful, otherwise you could never have two computers browsing the web through it. I didn't think that was important to the real conversation at hand... On replies it looks to the sequence number to help it decide whether to pass the packet along, and to whom. But as you pointed out, this does nothing to handle connection hijacking.



    Those types of attacks are very difficult to prevent, fortunately they are next-to-impossible to attempt unless you are on the same router as the victim (the firewall in this case), and most of the time you will just wind up filling the pipe with garbage, usually triggering dropped communication.





    steve666: Think of the NAT router as being a separate computer that is sharing "its" connection with the computers behind it. Thus it maintains a connection even when nothing is connecting to it. And the 'internet' light is just showing you all the traffic that is going back and forth on your shared cable connection. With cable you are actually sharing the bandwidth with all of your neighbors, and theoretically you could "sniff" their traffic. In that regard cable connections are a lot like everyone being on the same ethernet network, except it is slower and a lot better at handling long cable runs.



    Somewhere near you (within a few blocks probably) there is a "head end" where all of the signals are collected and then forwarded to your cable office. This is much like an ethernet router.
  • Reply 7 of 17
    Quote:

    Originally posted by OverToasty

    Karl & hmmfe, please let me know if I have this right.



    A non-stateful NAT firewall does absolutely nothing to deal with TCP hi-jacking?



    Which leads to the question: how exactly does a stateful firewall handle this? I mean - a lot of work has to go into a hi-jack, doesn't it? You have to spoof the IP of the previous external host, you have to sniff packets to get sequence numbers (all this considered, it's - as you mentioned - no surprise that your average cracker just avoids this route, and instead just throws out trojans and sees who gets infected).



    Anyway, if you wouldn't mind, please fill me in - if you can get all this stuff right (sequence & IP spoof) how can a stateful Firewall help you?



    OT




    Yep. Non-stateful firewalls have little protection against spoofing since they merely verify port numbers and IP addresses (both source and destination).



    Stateful firewalls are more secure because they look at more than static port and IP information. One of the catch phrases nowadays is "deep packet inspection". These are gen2 SPI firewalls that look deeper into the packet to identify the "state".



    Stateful firewalls are not that expensive anymore (in the $80-90 range). Yeah, it's a bit more than basic routers, but I would not call them expensive.
  • Reply 8 of 17
    Quote:

    Originally posted by steve666

    Thanks all, the netgear router has complete firewall protection so I will turn off the software firewalls.



    Another question though-

    I notice the 'internet' light on the router constantly flickers, even when I'm not on the net and when the computers are turned off - is this normal? The other lights stay on steady.



    Also, am I supposed to turn off the router when my computers are off?

    I noticed that the activity light on the cable modem went off whenever I shut down my Mac. However, after I shut off both the Mac and PC after connecting the router I noticed the activity light stayed on - is this because the router is on, and is this a problem?

    Thanks




    You can leave the router on. I suppose you could turn it off, but there is no reason to. Activity could be normal depending on how you are connecting to the internet. Cable connections will always be chatty since you are in the same broadcast domain as other devices, so you will see chatter. Other types of connections will also have some "residual" traffic even though you are not online.



    Just out of curiosity, what model router do you have?
  • Reply 9 of 17
    Quote:

    Originally posted by Karl Kuehn

    NAT routers all have firewalls built in, that is part of how NAT works, and for most people it will do everything they want. hmmfe is talking about more advanced (and processor hungry) features that expensive firewalls have. This is not necessary for home users, and putting bi-directional rules on another box is just begging for end-user difficulties. In practice it takes a lot more work (and a close network proximity) to break through a NAT system than crackers are willing to put in. It is far easier to use some sort of trojan to get in (why break in through the door when the window[s] is wide open?).



    One reason to possibly keep the firewall on on Windows is that if you have multiple Windows boxes on the same network it can sometimes prevent a virus spreading from one of them to the other. This is not a concern for MacOS X.




    If you want to believe that NAT is a firewall, that's okay with me. I think it would be more accurate to say that NAT provides a small bit of security as a by-product of its packet manipulation. SPI that also allows for rules to be manually created is not processor hungry if it is on a dedicated device. They are not expensive either (although I guess that is a relative statement).



    NAT will not prevent a port scan, nor will it prevent DoS, SYN floods, or other common attacks. These are some of the things I would want in a "firewall".



    I guess we all have different notions of what security is.



    EDIT: To add that NAT does not look at sequence numbers at all. Specifically, since we are talking mostly about PAT, the NAT device maintains a table with port and IP address mappings to determine where to send packets to. If the computer sends a packet (say you are going to a web site), the NAT device will strip the source IP address and port # and create a table entry. The NAT device will then append its IP address and a pre-determined port # to the header (source) of the outbound packet. This information completes the address translation table. When a packet returns, it will have the destination IP address and port # in the header (the same as what the NAT device just appended). The NAT device will look up the table entry that corresponds to this information and retrieve the "real" IP and port information from the table. The NAT device will then send it along out the appropriate interface. Normal ethernet/ip/tcp&udp processes will ensure that the packet arrives at the correct destination.
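    The PAT table walk-through in the reply above, as an added simulation that is not part of the original thread: outbound packets get the router's public address and a chosen port written into the source fields, replies are mapped back from the table, and any inbound packet with no matching entry is dropped. Addresses, ports and the PatRouter class are constructed for illustration; note that, as hmmfe says, the sequence number is carried but never consulted.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int  # TCP sequence number: carried through, never checked by PAT


class PatRouter:
    """Toy port-address-translation router (constructed example)."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.table = {}
        # (lan_ip, lan_port, remote_ip, remote_port) -> public_port
        self.reverse = {}

    def outbound(self, pkt):
        """Rewrite a LAN packet's source to the router's own IP and a table port."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.reverse.get(key)
        if port is None:  # first packet of this flow: create the table entry
            port = self.next_port
            self.next_port += 1
            self.reverse[key] = port
            self.table[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.seq)

    def inbound(self, pkt):
        """Map a reply back to the LAN host, or drop it (None) if no entry matches."""
        entry = self.table.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None  # unsolicited: nothing in the table, so it is discarded
        lan_ip, lan_port = entry
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.seq)


def demo():
    """Constructed flow: LAN host 192.168.1.10 browses a web server on port 80."""
    router = PatRouter("203.0.113.5")  # documentation-range address, constructed
    out = router.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 80, seq=1))
    again = router.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 80, seq=2))
    reply = router.inbound(Packet("198.51.100.7", 80, "203.0.113.5", out.src_port, seq=900))
    probe = router.inbound(Packet("198.51.100.9", 80, "203.0.113.5", out.src_port, seq=1))
    return {"out": out, "again": again, "reply": reply, "probe": probe}
```

    The `probe` case is the "by-product" protection: an inbound packet from a host the LAN never contacted finds no table entry and goes nowhere.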
  • Reply 10 of 17
    steve666 (Posts: 2,600, member)
    Quote:

    Originally posted by hmmfe

    You can leave the router on. I suppose you could turn it off, but there is no reason to. Activity could be normal depending on how you are connecting to the internet. Cable connections will always be chatty since you are in the same broadcast domain as other devices, so you will see chatter. Other types of connections will also have some "residual" traffic even though you are not online.



    Just out of curiosity, what model router do you have?




    I have a Netgear router. It's wireless, although I am connected with wires because the iMac and PC are right next to each other. I'm basically trying to learn more about using Winblows XP.



    I'm also trying to send files from my Mac to the PC so I can burn them onto a CD. My Mac doesn't have a CD burner.



    So far no luck. I turned file sharing on on the Mac, and on the PC I set up a folder to share things with my Mac, but I don't see how to send a file over. In Network on the Mac I have 3 folders - home, workgroup, and local. Inside the home folder there is a Pavilion icon, so I thought I could just drag a folder onto it and it would show up on the HP, but no luck.
  • Reply 11 of 17
    Do you have SMB enabled and configured on your Mac? If so, then you should be able to access your windows share via "Connect to server".



    smb://computer_name
  • Reply 12 of 17
    steve666 (Posts: 2,600, member)
    Quote:

    Originally posted by hmmfe

    Do you have SMB enabled and configured on your Mac? If so, then you should be able to access your windows share via "Connect to server".



    smb://computer_name




    I turned on Windows sharing, if that's what you mean.



    All I want to do is send over folders to the PC and burn a CD. I thought I did it right by turning on file sharing on one PC folder, but I don't know how to send it on over.
  • Reply 13 of 17
    Windows sharing allows you to access your Mac from your PC. With this enabled you should be able to go to your PC and enter \\mac_ip_address\homefolder to access files in your home folder.
  • Reply 14 of 17
    steve666 (Posts: 2,600, member)
    Quote:

    Originally posted by hmmfe

    Windows sharing allows you to access your Mac from your PC. With this enabled you should be able to go to your PC and enter \\mac_ip_address\homefolder to access files in your home folder.



    Where do I enter that?

    And what's considered my home folder - is that everything on my hard drive? I want to transfer folders in 'Pictures' to the PC.
  • Reply 15 of 17
    Quote:

    Originally posted by steve666

    Where do I enter that?

    And what's considered my home folder - is that everything on my hard drive? I want to transfer folders in 'Pictures' to the PC.




    You can enter that at a command prompt or directly into the run field from the start button.



    Your home folder is the one you see on the sidebar of your Finder with the house icon. This is the default location for your saved docs, music, and pictures, as well as your preferences and desktop.
  • Reply 16 of 17
    steve666 (Posts: 2,600, member)
    Quote:

    Originally posted by hmmfe

    You can enter that at a command prompt or directly into the run field from the start button.



    Your home folder is the one you see on the sidebar of your Finder with the house icon. This is the default location for your saved docs, music, and pictures, as well as your preferences and desktop.




    OK, I'll try it later. Now AOL has stopped working on the iMac. Tried reinstalling and everything, but no luck. It happened after I installed AOL on the PC. It's as if AOL now thinks I have a PC and won't work from the iMac anymore. Bah!
  • Reply 17 of 17
    I have no idea really, but something feels funny when I read through this topic - shouldn't Windows simple file sharing be disabled, and you should use the File Sharing wizard and Network Configuration wizard to ensure the XP machine gets properly configured? An improper configuration could be the reason behind neither the Windows nor the Mac machine being able to "see" each other on your home network. Any thoughts on this by the networking gurus? Also be sure to verify DHCP is enabled in both machines. Then verify they both have chosen IP addresses that reside in the same network (most likely they will have the same numbers in the first 3 parts of the address, and the 4th part different).