Firewall Recommendations for Home ADSL

rwyawe (New Member, joined May 23, 2011)
Hello People

Could I get some recommendations for a firewall for a home adsl link?
Hardware device, software or just stick with the firewall in the ADSL router?

Thanks
 
Why are you looking for a firewall solution? What do you need the solution to do? Filter traffic? Throttle?
 
])ragon_\/oid said:
Why are you looking for a firewall solution? What do you need the solution to do? Filter traffic? Throttle?
Exactly - how long is a piece of string...

If your needs are simple, the Netgears/D-Links us common folk use will work just fine.

If you want multi-WAN, fancy NAT rules and proxy/QoS, then look at pfSense + an old PC and a few NICs.

If money is no object, look at SonicWall or FortiGate :-)
 
You really don't need one.

By default all incoming traffic is blocked on ADSL Routers, so unless you switch that off or manually port forward something you won't have a problem.

If you want to get hardcore have a look at the free Sophos UTM Home Edition.
 
Use your ADSL router's firewall; for fancy stuff look at a MikroTik.
 
I'd start by taking a look at your home router's external connectivity. Figure out your external IP address, then scan it from the internet. You may find that your admin interfaces are exposed, or a TR-069 port is open, which increases your exposure to brute-force attacks.

Secondly, check your router's interfaces for UPnP support. This can allow an attacker to open inbound ports using drive-by attacks, i.e. you visit a web page, the web page includes some JS that runs in your browser that makes a request to the UPnP port on your router to open an inbound port. Turn it off if you can find it ;-)

Other than those things, most NAT devices are adequate for home use. If the router exposes no services, your exposure to attack is severely reduced. The fact that your internal addresses are being NATed means that your internal devices cannot be directly attacked, unless you have port forwarding enabled for certain services (or DMZ settings enabled).
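One way to do the second check in that post from inside the LAN, as an added example that is not code from anyone in this thread: send an SSDP M-SEARCH for an Internet Gateway Device, pull the device description, locate the WANIPConnection/WANPPPConnection control URL, and walk the port-mapping table with GetGenericPortMappingEntry. The table is what a drive-by page (or any LAN host) would have added, so it is also the quickest way to see what the "inside-only" UPnP service has already opened. It assumes a standard UPnP IGD router; the SAMPLE_* values are constructed for offline testing, not captured from a real device.

```python
"""Ask the router, from inside the LAN, whether it speaks UPnP IGD and which
port mappings have already been opened through it.  Added example for this
thread, not code from any poster; assumes a standard UPnP IGD router
(WANIPConnection or WANPPPConnection).  The SAMPLE_* replies are constructed
for offline testing, not captured from a real device."""
import socket
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

SSDP_ADDR = ("239.255.255.250", 1900)
ST_IGD = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
MSEARCH = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           'MAN: "ssdp:discover"\r\nMX: 2\r\nST: %s\r\n\r\n' % ST_IGD)
NS_DEV = "{urn:schemas-upnp-org:device-1-0}"
NS_SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"

# Constructed samples (not from a real router) so the parsers run offline.
SAMPLE_SSDP_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\nST: " + ST_IGD.encode()
                     + b"\r\nLOCATION: http://192.168.1.1:1900/igd.xml\r\n\r\n")
SAMPLE_DESCRIPTION = (
    '<?xml version="1.0"?><root xmlns="urn:schemas-upnp-org:device-1-0"><device><serviceList>'
    "<service><serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>"
    "<controlURL>/ctl/IPConn</controlURL></service></serviceList></device></root>")
SAMPLE_SOAP_RESPONSE = (
    '<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    "<NewRemoteHost></NewRemoteHost><NewExternalPort>6881</NewExternalPort><NewProtocol>TCP</NewProtocol>"
    "<NewInternalPort>6881</NewInternalPort><NewInternalClient>192.168.1.20</NewInternalClient>"
    "<NewPortMappingDescription>torrent</NewPortMappingDescription>"
    "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>")


def parse_ssdp_headers(reply: bytes) -> dict:
    """SSDP replies are HTTP-shaped; return their headers with lower-cased names."""
    headers = {}
    for line in reply.decode("utf-8", "replace").split("\r\n")[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers


def discover_igd(timeout=2.0) -> list:
    """Multicast an M-SEARCH and collect the LOCATION URLs of answering gateways."""
    locations, sock = [], socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(MSEARCH.encode(), SSDP_ADDR)
        while True:
            loc = parse_ssdp_headers(sock.recvfrom(4096)[0]).get("location")
            if loc and loc not in locations:
                locations.append(loc)
    except OSError:
        pass  # socket.timeout (no more replies) or no route / multicast blocked
    finally:
        sock.close()
    return locations


def find_wan_service(description_xml: str, location: str):
    """Return (serviceType, absolute controlURL) of the WAN*Connection service, or None."""
    for svc in ET.fromstring(description_xml).iter(NS_DEV + "service"):
        stype = svc.findtext(NS_DEV + "serviceType", "")
        if "WANIPConnection" in stype or "WANPPPConnection" in stype:
            return stype, urljoin(location, svc.findtext(NS_DEV + "controlURL", ""))
    return None


def parse_soap_response(xml_text: str) -> dict:
    """Flatten the children of the <u:...Response> element into a dict of strings."""
    body = ET.fromstring(xml_text).find(NS_SOAP + "Body")
    if body is None or len(body) == 0:
        return {}
    return {c.tag.split("}")[-1]: (c.text or "") for c in body[0]}


def soap_call(control_url: str, service_type: str, action: str, args: dict) -> dict:
    """POST one UPnP SOAP action to the control URL and parse the reply."""
    params = "".join("<%s>%s</%s>" % (k, v, k) for k, v in args.items())
    envelope = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
                's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
                '<u:%s xmlns:u="%s">%s</u:%s></s:Body></s:Envelope>' % (action, service_type, params, action))
    req = urllib.request.Request(control_url, data=envelope.encode(), method="POST", headers={
        "Content-Type": 'text/xml; charset="utf-8"', "SOAPAction": '"%s#%s"' % (service_type, action)})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_soap_response(resp.read().decode("utf-8", "replace"))


def list_port_mappings(control_url: str, service_type: str) -> list:
    """Walk GetGenericPortMappingEntry from index 0 until the router faults (end of table)."""
    mappings = []
    while len(mappings) < 1000:  # cap so a misbehaving router cannot loop us forever
        try:
            mappings.append(soap_call(control_url, service_type, "GetGenericPortMappingEntry",
                                      {"NewPortMappingIndex": len(mappings)}))
        except urllib.error.HTTPError:
            break  # UPnP error 713 SpecifiedArrayIndexInvalid arrives as HTTP 500
    return mappings


if __name__ == "__main__":
    for location in discover_igd():
        with urllib.request.urlopen(location, timeout=5) as resp:
            svc = find_wan_service(resp.read().decode("utf-8", "replace"), location)
        if svc:
            print("UPnP IGD at", location)
            for m in list_port_mappings(*svc):
                print("  %s %s -> %s:%s (%s)" % (m.get("NewProtocol"), m.get("NewExternalPort"),
                      m.get("NewInternalClient"), m.get("NewInternalPort"), m.get("NewPortMappingDescription")))
```

Run it from a LAN host; no output means nothing answered the M-SEARCH (UPnP off, or blocked on the LAN side). Any mapping listed that you did not create yourself is worth chasing down, and if the router also answers on its WAN address that is the exposed-service case the post warns about.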
 
Worrying about UPnP really is paranoid.

It fixes more things for home users than it breaks. Just leave it on.
 

I know all about it.

My point was that every consumer device these days relies on it to set up dynamic NAT rules.

To break that is to break most "normal" people's lives.

Beyond that I've not personally seen a router device in this country with internet-facing UPnP. I'm sure there are some, but to use a blanket statement and say everyone should disable it is silly.

Rather provide a list of vulnerable routers and avoid those.

Most implementations will simply open ports from INSIDE the network because a local device requested it, so that devices can port forward in from the outside.

Doesn't mean it's listening with UPnP on the internet.
 
Perhaps that first link was not a great example of the risks of UPnP. How about this one, then?

http://www.gnucitizen.org/blog/hacking-the-interwebs

Doesn't require externally accessible UPnP at all.
 
There's a fine line between security and usability.

If you want to be truly secure, plug out the network cable.
 
My OpenWrt router has no UPnP daemon/service running. Neither I nor my wife have any problems in our day-to-day surfing, etc.

Yes, I have added a single rule to allow inbound torrents, and configured my torrent client to use a static port. But that is it. Maybe gaming is a different story.
 
Try adding an Xbox or PlayStation to your network and it becomes infinitely more complex.

For just browsing, yes it won't do anything and isn't required.

When I still logged these things I never ever had such an attack. Millions of attempts against SSH and RDP ports though.
 