[Dshield] Standalone firewall for ics at home
cef at optus.net
Wed Dec 14 01:47:14 GMT 2005
On Wednesday 14 December 2005 04:20, Benjamin Koch wrote:
> Of course - Kaspersky AV is installed on every workstation, but I have
> a friend who uses a Netgear router and he has problems with some
> trojans/viruses despite using the router's firewall. With my Linux
> firewall I never had a problem with worms...
Not a suggestion, but some small advice:
In any router you check out, see if it supports UPnP. Where possible, disable
it unless you're really sure you need it. Even then, I'd still disable it and
only enable it when you really need it.
UPnP allows a machine to tell the firewall what ports to forward through. This
means that effectively if UPnP is enabled, and the machine behind it runs an
app that tells UPnP to open a port, said port will be live to the net. Of
course, this means that any app on the machine can (and will) effectively
bypass the firewall. I'm pretty sure some viruses, worms and even spyware
take advantage of this, which may be the reason for some of the problems your
friend with the Netgear is having.
Sure, this can break a few apps, but most stuff will work without a problem.
Anyway, you can always turn it on for those times you REALLY need it; just
remember to turn it off later.
Also, a firewall just stops things connecting to you, and depending on the
config, stops you connecting out. This doesn't stop viruses via email or the
web from infecting your machine. If you can, I'd recommend at least blocking a
number of known ports from going out at all (such as 137-139, 445, etc) and
blocking connections out to some ports based on IP address (e.g. only allow
machines behind the firewall to connect to the ISP's mailserver on port 25,
etc). This, at a minimum, stops a large majority of problems. Not as
effective as blocking all connections and only allowing select things though
(really the best policy), but it's better than just allowing everything.
Lastly, unless absolutely necessary, disable remote configuration options, and
remember to change the default password (and username even if possible) on
the device. No use having a firewall if everyone can get into it using the
default password and fiddle with it.
Stuart Young - aka Cefiar - cef at optus.net
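The two egress policies described in the post above (the "minimum" block-list and the "block everything, allow select things" allow-list), written out as iptables FORWARD rules for a Linux home router. This is an added example, not code from the original message or from the list; the interface names, the LAN subnet and the ISP mail-server address are assumptions to be replaced for a real network. The script only prints the commands unless APPLY=1 is set, so it can be reviewed before anything is changed.

```shell
#!/bin/sh
# Added example: iptables egress rules for a Linux home firewall/router.
# Interface names, LAN subnet and ISP mail-server address are ASSUMED values;
# 203.0.113.25 is a documentation address, not a real mail server.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
ISP_SMTP="${ISP_SMTP:-203.0.113.25}"

# Dry run by default: print each rule instead of installing it.
# Run as  APPLY=1 sh egress.sh  on the router to actually load the rules.
if [ "${APPLY:-0}" = "1" ]; then
    IPT="iptables"
else
    IPT="echo iptables"
fi

# Policy 1: the minimum the post suggests. Forwarding stays open by default,
# but Windows file/printer-sharing ports (135, 137-139, 445) never leave the
# LAN, and outbound SMTP is allowed only to the ISP's mail server, so an
# infected PC cannot spread over SMB or spam port 25 of arbitrary hosts.
minimum_rules() {
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -m multiport --dports 135,137:139,445 -j DROP
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p udp -m multiport --dports 135,137:139,445 -j DROP
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 25 -d "$ISP_SMTP" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 25 -j DROP
}

# Policy 2: what the post calls the best policy. Default-deny forwarding,
# allow return traffic for existing connections, then open only DNS, web and
# SMTP-to-the-ISP. Anything else is logged (rate limited) and falls through
# to the DROP policy, which is how you find the app that "needs" a port.
strict_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 80,443 -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport 25 -d "$ISP_SMTP" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DROP: "
}
```

Pick one policy and call it from the bottom of the script (e.g. `strict_rules`), after flushing the FORWARD chain with `iptables -F FORWARD`. The order inside `minimum_rules` matters: the ACCEPT for the ISP mail server must come before the general port 25 DROP, since iptables stops at the first matching rule.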