
Built in router firewall?


FadeAway
January 25th, 2008, 07:46 PM
Hi all,

After writing this for posting, I see it is being indirectly discussed
near the end of another thread.

http://www.wilderssecurity.com/showthread.php?t=198186

Please move if appropriate.

Here's the question. My ISP-provided router contains a rules-configurable
SPI firewall. Based on what I've been able to understand from various
reading, since my machines are now at non-routeable IP addresses,
the firewall is pretty much unnecessary. If I were Major Financial, Inc.,
I might be worried about things like DDoS attacks, and feel the need
for the router firewall, but as a home user, such things don't
concern me (or should they?). So long as I do things like using a
complex router password, and turn off vulnerable stuff inside the
router like UPnP and remote configuration, the NAT function of the
router should be all that is needed. There is a light firewall running
on each computer, but that is mostly so I can check their logs to see
that nothing is getting past the router. My machines are not networked,
just using a switch/hub. The system is 100% wired.

So at any rate, right now I'm running the router barefoot.
Any comments from networking/firewall experts as to whether or not the
router firewall should be needed by a home user? If anything stated
above is incorrect, let me know, I'm still learning. Thanks.

Victek123
January 26th, 2008, 06:53 PM
~snipped quote~

What you've said is pretty accurate, but why turn OFF the SPI firewall functionality since you already have it?

FadeAway
January 26th, 2008, 07:47 PM
-{ Quote: "What you've said is pretty accurate, but why turn OFF the SPI firewall functionality since you already have it?" }-

Hi Victek123,

Many thanks for the reply and confirming my understanding.

Other than doing everything possible to maintain a fast connection,
there is no reason for me to run without the router firewall.
There is a pre-configured "Low" setting rule-set, which blocks some known
attack types, but allows everything else. I suppose I should
set it there. I don't want to get into writing my own rules which could
interfere with router settings that might be specific to the ISP.

steve161
January 26th, 2008, 09:06 PM
I have a Westell 6100 and it sounds very much like yours. I have set the FW to low and it is still coming up stealthed at GRC. I also disabled for a while to see if there was a speed increase. I did not notice any.

FadeAway
January 26th, 2008, 09:20 PM
-{ Quote: "I have a Westell 6100 and it sounds very much like yours. I have set the FW to low and it is still coming up stealthed at GRC. I also disabled for a while to see if there was a speed increase. I did not notice any." }-

I also have a 6100, and come up stealth at GRC with both with the FW
on Low and with it off.

Try a custom scan on ports 2420 and 4567.

Behind NAT, it doesn't matter anyway, so long as the router config
password is strong.

Thanks.

jobeard
January 31st, 2008, 08:30 PM
yes, KEEP SPI active.

lots of worms (programs & people) attempt to fake tcp headers and send a packet that
looks like ANYTHING other than packet-sequence #1. Without SPI,
the router will just forward them; with SPI, it tosses it as not being
received in the right sequence.
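The difference jobeard describes, between a router that only translates addresses and one that also tracks connection state, can be shown with a small model. The code below is an added illustration, not code from this thread, from Westell or from any router firmware. It assumes a simplified full-cone NAT (any remote host may send to a mapped external port) for the NAT-only case, and a three-state TCP handshake tracker for the SPI case; the addresses, ports and host names are constructed for the example.

```python
"""Toy model: NAT-only forwarding versus NAT plus stateful packet inspection (SPI).

Added illustration for the thread above; not vendor code. The NAT-only
behaviour modelled here is full-cone style (assumption), and the SPI side
keeps only enough TCP state to tell a handshake reply from an unsolicited
or out-of-sequence packet.
"""
from dataclasses import dataclass

SYN, ACK = "SYN", "ACK"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset  # subset of {SYN, ACK}


class HomeRouter:
    def __init__(self, wan_ip: str, spi: bool):
        self.wan_ip = wan_ip
        self.spi = spi
        self.nat = {}        # external port -> (lan_ip, lan_port)
        self.reverse = {}    # (lan_ip, lan_port) -> external port
        self.conns = {}      # (external port, remote_ip, remote_port) -> state
        self._next_port = 40000

    def _translate(self, lan_ip: str, lan_port: int) -> int:
        """Allocate (or reuse) an external port for a LAN socket."""
        key = (lan_ip, lan_port)
        if key not in self.reverse:
            port = self._next_port
            self._next_port += 1
            self.nat[port] = key
            self.reverse[key] = port
        return self.reverse[key]

    def outbound(self, pkt: Packet) -> str:
        """LAN -> WAN: always forwarded; with SPI, the handshake is recorded."""
        ext_port = self._translate(pkt.src_ip, pkt.src_port)
        if self.spi:
            key = (ext_port, pkt.dst_ip, pkt.dst_port)
            if pkt.flags == {SYN}:
                self.conns[key] = "SYN_SENT"          # packet #1 of a connection
            elif ACK in pkt.flags and self.conns.get(key) == "SYN_RECEIVED":
                self.conns[key] = "ESTABLISHED"       # third handshake packet
        return "forward"

    def inbound(self, pkt: Packet) -> str:
        """WAN -> LAN: returns 'forward' or 'drop'."""
        if pkt.dst_port not in self.nat:
            return "drop"                             # no translation: nowhere to send it
        if not self.spi:
            return "forward"                          # plain NAT: mapping exists, pass it
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        state = self.conns.get(key)
        if state == "SYN_SENT" and pkt.flags == {SYN, ACK}:
            self.conns[key] = "SYN_RECEIVED"
            return "forward"
        if state in ("SYN_RECEIVED", "ESTABLISHED") and ACK in pkt.flags and SYN not in pkt.flags:
            return "forward"
        return "drop"                                 # unsolicited or out of sequence


def demo(spi: bool) -> dict:
    """Replay one legitimate connection plus two unsolicited inbound packets."""
    r = HomeRouter("203.0.113.7", spi)                # constructed documentation-range address
    lan, web, stranger = "192.168.1.10", "198.51.100.20", "198.51.100.99"
    r.outbound(Packet(lan, 51000, web, 80, frozenset({SYN})))
    ext = r.reverse[(lan, 51000)]
    synack = r.inbound(Packet(web, 80, r.wan_ip, ext, frozenset({SYN, ACK})))
    r.outbound(Packet(lan, 51000, web, 80, frozenset({ACK})))
    data = r.inbound(Packet(web, 80, r.wan_ip, ext, frozenset({ACK})))
    # A different host sends a bare ACK (looks like mid-connection traffic) to the mapped port.
    forged_ack = r.inbound(Packet(stranger, 4444, r.wan_ip, ext, frozenset({ACK})))
    # A SYN to a port that was never mapped (2420, one of the ports mentioned in the thread).
    unmapped = r.inbound(Packet(stranger, 4444, r.wan_ip, 2420, frozenset({SYN})))
    return {"synack": synack, "data": data, "forged_ack": forged_ack, "unmapped": unmapped}


if __name__ == "__main__":
    print("NAT only :", demo(spi=False))
    print("NAT + SPI:", demo(spi=True))
```

Both modes drop the probe to the unmapped port, which is why the GRC scans in the thread come back stealthed either way. The forged bare ACK aimed at a live mapping is the case where the two differ: the NAT-only model forwards it to the LAN host, while the SPI model drops it because no connection with that remote host is in the table.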