Running without a software firewall

But I use a DDWRT router. What kind of issues can this cause?

 

No outbound protection.

 

You don't get that with Win7's firewall though.

 

Yes you do, with Advanced Security.

 

Yea, but 90% of users don't know how to set up W7 advanced security. I would say if you are the only machine that is behind your router, then you can go without a software firewall. But if you have other machines behind the router with you, then you still need protection from them, in case one or all of them become infected.

 

No issues whatsoever, except of course no outbound application control, so if that's important to you, then you may want to keep it, or better yet if running Vista or Win 7, use the excellent built-in fw with advanced security. A bit painstaking to set up but well worth it in the end. You will eliminate potential conflicts that a software fw can introduce.

There's a nice tutorial by member Stem in the Firewall forum.

 

I don't understand, do hardware firewalls like a router just go by blacklists?

 

One of the main problems (putting aside a possible infected system), can come from windows services that may make outbound to WAN. A router will simply allow the outbound and allow in any replies, which is not good.


- Stem

 

How does the router configure for inbound?

 

No.
By default a router uses NAT http://en.wikipedia.org/wiki/Network_address_translation
Depending on the firmware installed, there will be internal settings in the router for various options, some, you can add packet filtering rules, others may just have an option to enable "SPI firewall"

Inbound replies are automatically allowed by NAT, or filtered by rules/SPI. For unsolicited inbound (for a game server or for inbound to P2P) then you would need to set "Port forwarding" in the router settings (http://en.wikipedia.org/wiki/Port_forwarding)

For DD-WRT, see instructions for firewall and port forwarding:- http://www.dd-wrt.com/wiki/index.php/Tutorials


- Stem

 

I'm surprised with the answers (except Stem's).
A router is not a hardware firewall. It functions like one because it blocks non solicited inbound trafic but it is not a firewall.
That said, you will always need a software FW in order to control how programs access the Net.
If you don't want to configure one just let Windows FW on. It won't nag you, it won't slow you down, you won't notice it's there.

 

What about a Modem/Router with NAT and SPI (Stateful Packet Inspection) firewall?

 

A separate router or hardware firewall is not application aware. It can't tell if outbound packets are from your browser or a trojan. When you need to allow inbound for an app or game, the separate firewall/router can't determine if that traffic is going to the game or something else. The confusion comes from both types being referred to as firewalls. The easiest way I can think of to make the difference easier to understand would be this. Hardware firewalls and routers protect and control traffic to/from your local network, which your PC is a part of. Software firewalls control traffic in and out of individual PCs, both on a system level and on a per application level. Whether you need a software firewall depends on just how important it is to you to control traffic in and out of your individual PCs.

 

That is actually great, a hardware firewall can not be fooled, it can not be disabled, it never crashes, it just works, it blocks open ports, an unsolicited traffic, some attacks.
I also use only a router and no software firewall, I did not use one even when I did not have a router. As long as there are no open ports, any firewall or router is "useless".

 

Simply not true for the majority of home-class routers.

 

This ^

I've only used windows firewall + Linksys router with my cable internet.

 

Well, I guess the NAT firewall, that is fully stealthed in my router, doesn't exist?

 

Explain to us your definition of a firewall then.

 

Most Routers (or at least around here) these days .. and for some time now has at least a basic form of packet filtering, so when we refer to a Router, we refer to a Firewalling device.

However .... Wiki - “A firewall is a device or set of devices designed to permit or deny network transmissions based upon a set of rules and is frequently used to protect networks from unauthorized access while permitting legitimate communications”

Also remember that a Router isn’t much without the firmware that runs them, just because you see a hardware device, that they are all flawless, go to the product manufacture website and view firmware change-logs.

 

A firewall will monitor traffic based on a set of rules. That goes to all traffic (what some FWs call Global Rules) and particular traffic (what some FWs call Application Rules).
A router will block global incoming unsolicited traffic (only what is the response to a request that originated in your machine will be allowed, for ex. when you want to open a site).
But a router doesn't monitor how programs access the net; that is the work of a software FW. Any of us who configured Utorrent rules in our resident FW will understand this.

Tu put it plainly: if your connected through a modem the software FW will do all the work including stopping intrusion atempts (which will reach your machine). When you add a router intrusion atempts will be stopped before they reach your LAN (they will stay "outside").

Remember as well that a router's main function is to distribute the signal between several machines. The blocking properties is a consequence of this.

 

Application awareness was something introduced to firewalls, but not something that defines it...

 

I'm still confused honestly. How do hardware firewalls work as opposed to software firewalls? With software firewalls it seems like there has to be user interaction but with hardware firewalls there obviously isn't.

When I talk about a hardware firewall I am specifically referring to the ones in routers.

edit: So, basically, do firewalls just say "OK, there was an outbound request for this information so I'll let this inbound request through." ?

 

Hardware firewalls previously was all about user interaction, except if all you ever do was surf the web and check / send e-mails. And still... you may need to interact, depending on some factors.

Most Home Routers, they have, at minimum the most basic form of firewall security. They at least filter by inspection of the header of each incoming and outgoing packet for user-defined content, such as an IP address or a specific bit patterns.

 

I see. Thanks.

 

Like most good third-party router firmware, DD-WRT has iptables as it's firewall:

http://www.dd-wrt.com/wiki/index.php/Iptables_command