Hardware firewall neccessary?
- Thread starter yuki
- Start date
But your built in one should be enough. 
kenny
Registered
Not sure I agree with you there... I think a hardware-based firewall/NAT is a much better solution than a software-based one, especially the built-in one on X.
First, a separate firewall/NAT will greatly obscure your machine from the internet, and may reduce the damage your machine may suffer if you are attacked. I've seen a number of unsuccessful attempts at my network in my NAT logs that I'm not sure I would have survived with the SW-based firewall. By "hiding" behind a NAT, your machine is never directly accessable (unless you set up port forwarding for specific services).
Second, the SW-based firewall in X is somewhat limited. It appears to only be able to control TCP port mappings(in the GUI), unless you're willing to work with the command line ipfw commands. Don't get me wrong, the ipfw command-line options allow very fine-grained control, but they do require a solid understanding of TCP/UDP/ICMP/IP networking protocols. Get it wrong, and you may leave yourself vulnerable.
Third, a separate firewall/NAT allows you to transparently run multiple machines from one public IP address. You can do this with Internet Sharing in X, but this would require that 1-your firewall let through anything that would need to be destined to an internal machine, possibly leaving the host machine open to attack (indeed, I'm not sure how that works, or whether theres a simple way to tune NAT in Internet Sharing), and it requires that the host machine always be running for the internet to be visible to the other machines.
Hardware-based firewall/NAT boxes are very inexpensive and most of them work out of the box, and offer a nice interface to reasonbly fine control of the settings. I've had good experience with the Linksys products, which start at around $50 (BEFSR11 @ amazon).
At any rate, I do agree that the worst thing to do is to run without one at all.
First, a separate firewall/NAT will greatly obscure your machine from the internet, and may reduce the damage your machine may suffer if you are attacked. I've seen a number of unsuccessful attempts at my network in my NAT logs that I'm not sure I would have survived with the SW-based firewall. By "hiding" behind a NAT, your machine is never directly accessable (unless you set up port forwarding for specific services).
Second, the SW-based firewall in X is somewhat limited. It appears to only be able to control TCP port mappings(in the GUI), unless you're willing to work with the command line ipfw commands. Don't get me wrong, the ipfw command-line options allow very fine-grained control, but they do require a solid understanding of TCP/UDP/ICMP/IP networking protocols. Get it wrong, and you may leave yourself vulnerable.
Third, a separate firewall/NAT allows you to transparently run multiple machines from one public IP address. You can do this with Internet Sharing in X, but this would require that 1-your firewall let through anything that would need to be destined to an internal machine, possibly leaving the host machine open to attack (indeed, I'm not sure how that works, or whether theres a simple way to tune NAT in Internet Sharing), and it requires that the host machine always be running for the internet to be visible to the other machines.
Hardware-based firewall/NAT boxes are very inexpensive and most of them work out of the box, and offer a nice interface to reasonbly fine control of the settings. I've had good experience with the Linksys products, which start at around $50 (BEFSR11 @ amazon).
At any rate, I do agree that the worst thing to do is to run without one at all.