Re: Newbie Home Network/ADSL Router query.


comp.security.firewalls archive


From: Chuck <skilover_nospam@softhome.net>
Date: Fri Jul 15 2005 - 19:01:16 CEST

"Stephen P." <stephen@nospamtla-net.demon.co.uk> wrote in
news:db3jro$96i$1$8302bc10@news.demon.co.uk:

> OK, thanks very much that all seems to make sense.
>
> Basically I'll just switch my network connection to 'Trusted' instead
> of 'Internet' in ZoneAlarm and I'll still be protected by the
> Firewall on the router. But I should leave the software firewalls in
> place a) 'cos they're not doing any harm and b) it validates/stops
> outgoing IP traffic.
>
> My network friend at work said the router firewall would not prevent
> port scanning (and some other stuff I can't remember). At least I
> think that's what he said!
>
> Re the DHCP; what I meant was my ISP told me what the IP range (for
> my internal network) would be, not that it was dynamically supplied
> by them over the connection. If that makes sense? So yes, it does
> come from the router, I guess I should have said "my ISP told me"
> rather than "supplied by". Also, if it is relevant, I can connect to
> the router (ping or browser) via a fixed IP address.
>
> Regarding the other discussion - I'm 98% sure my (hands off, user
> self installs everything) ISP would not support remote config, at
> least not deliberately ..... !
>
> Many thanks again.
>
> "Duane Arnold" <Notme@notme.com> wrote in message
> news:eWaBe.150490$_o.119292@attbi_s71...
>> Stephen P. wrote:
>>
>>> Today I have finally joined the 21st century and switched from ISDN
>>> to broadband. All appears to be running fine, access wise.
>>>
>>> I have a Windows XP SP2 machine and a Windows 98 machine (primarily
>>> used for backups), these are connected via a (ISP supplied and
>>> configured) Thomson SpeedTouch 510 Ethernet
>>> Switch/Router/Hub/whatever, this has an 'integrated firewall'. The
>>> machines connect to the router via DHCP using an IP address range
>>> supplied by my ISP.
>>
>> That is impossible. The computers are connected to the router and
>> they get a DHCP IP from the DHCP server on the router. They are called
>> private LAN side IP(s). The router itself is obtaining a DHCP IP from
>> the ISP so that your router can access the Internet and the machines
>> connected to the router using private LAN IP(s) can access the
>> Internet through the router. The IP from the ISP the router is using
>> is called a public/WAN IP.
>>>
>>> The XP machine is running Windows Firewall (although since I
>>> stopped using dial-up it has, worryingly, stopped appearing in the
>>> system tray) which is 'On' and has ActiveSync Application (my PDA),
>>> Connection Manager, File and Printer Sharing and SmartFTP as
>>> exceptions. Also under 'Network Connections' my 'Local Area
>>> Connection' is marked as firewalled. I think this seems secure?!?
>>
>> You really don't need the XP FW, since the machines are behind the
>> protection of the NAT router.
>>
>>>
>>> The Windows 98 machine has the freebie ZoneAlarm installed. However
>>> as there is only one connection - to the router - I don't seem to
>>> be able to win on whether to put this in the 'Trusted' or
>>> 'Internet' zone ;
>>
>> You can put it there, because the router is there protecting the
>> network.
>>>
>>> a. if in the trusted zone then my file sharing between the two
>>> computers works OK, but I am, presumably, less secure.
>>> b. if in the internet zone then my file sharing doesn't work - I
>>> cannot connect to the 98 machine from the XP machine.
>>
>> Well, you either put the machines in the trusted zone of the
>> PFW/packet filter so that the machines can share resources or you
>> disable the PFW/packet filter, but since the machines are behind the
>> protection of the NAT router, either way, the machines are
>> protected.
>>
>>>
>>> I'm sure this is a REALLY common problem, with an obvious answer,
>>> but I don't know what it is ! As I see it I can either;
>>> a. Trust that the Firewall on the router is doing its thing and
>>> leave the network connection in the trusted zone. The Router
>>> Firewall would *appear* to be working as ZoneAlarm has only reported
>>> 3 blocked intrusions - all of which were me on the other PC. But one
>>> of our network people at work said I should definitely also install
>>> a software firewall ...... unfortunately
>>
>> One installs a PFW/packet filter on the machine to stop outbound
>> traffic from the machine, since the NAT router for home usage
>> doesn't have the ability.
>>
>>> I'm on holiday all week, so can't ask him this one!
>>> or
>>> b. Add my IP range to the exceptions, but I'm unsure of the
>>> implications of this.
>>
>> You should leave it alone.
>>
>>> or
>>> c. Turn off DHCP and hardwire the IP addresses of the 2 machines,
>>> albeit to numbers within the same range, and then put these into
>>> the exceptions instead.
>>
>> You should leave it alone.
>>> or
>>> d. Something else!!
>>
>> You could use static IP(s) on the router.
>>
>>>
>>> What is the correct solution? Many TIA.
>>
>> (A)
>>
>> The machines are protected by the NAT router until you start doing
>> high risk things with the router like using port forwarding opening
>> inbound ports on the router to a LAN/IP/machine.
>>
>> All ports are closed on the router by default and the ports will
>> only open if a program running on the computer initiates outbound
>> traffic to a remote IP. If the solicitation is made to a remote IP,
>> then the router will open the required inbound ports, otherwise, all
>> unsolicited inbound traffic to the router is blocked, unless you
>> open ports manually using port forwarding.
>>
>> http://www.homenethelp.com/web/explain/about-NAT.asp
>> http://www.homenethelp.com/web/explain/port-forwarding-dmz.asp
>>
>> Duane :)
>>
>
>

If it were me, I'd change the password on the router if you haven't
already done so. Not that I don't trust them, but like the old saying -
"good fences make for good neighbors".
Received on Thu Sep 29 19:58:48 2005
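
The NAT behaviour described in the quoted reply above (outbound traffic creates a mapping, unsolicited inbound traffic is dropped, port forwarding opens a standing hole), as a small Python model added here; it is not part of the original posts. The class, addresses and ports are constructed for illustration, and the rule that replies are accepted only from the exact remote IP and port is an assumption, since real routers differ and also expire idle mappings.

```python
from dataclasses import dataclass, field


@dataclass
class NatRouter:
    """Toy model of a home NAT router's translation table (hypothetical class)."""
    next_port: int = 40000
    # wan_port -> (lan_ip, lan_port, remote_ip, remote_port), created by outbound traffic
    mappings: dict = field(default_factory=dict)
    # wan_port -> (lan_ip, lan_port), created manually by the owner
    forwards: dict = field(default_factory=dict)

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host starts a connection. Nothing is filtered here, which is
        why a host firewall is still needed to control outgoing traffic."""
        flow = (lan_ip, lan_port, remote_ip, remote_port)
        for wan_port, existing in self.mappings.items():
            if existing == flow:
                return wan_port
        wan_port = self.next_port
        self.next_port += 1
        self.mappings[wan_port] = flow
        return wan_port

    def port_forward(self, wan_port, lan_ip, lan_port):
        """Owner opens an inbound port permanently: anyone can now reach the host."""
        self.forwards[wan_port] = (lan_ip, lan_port)

    def inbound(self, remote_ip, remote_port, wan_port):
        """Packet arrives on the WAN side. Returns the LAN destination, or None if dropped."""
        flow = self.mappings.get(wan_port)
        if flow and flow[2:] == (remote_ip, remote_port):
            return flow[:2]                      # solicited reply
        return self.forwards.get(wan_port)       # forwarded port, else None (dropped)


def demo():
    """Constructed scenario using private and documentation-range addresses."""
    r = NatRouter()
    out = {}
    out["unsolicited"] = r.inbound("198.51.100.9", 4444, 445)       # probe from outside
    wan_port = r.outbound("192.168.1.10", 51000, "198.51.100.20", 80)
    out["reply"] = r.inbound("198.51.100.20", 80, wan_port)         # answer to our request
    out["stranger"] = r.inbound("198.51.100.9", 80, wan_port)       # someone else, same port
    r.port_forward(21, "192.168.1.10", 21)
    out["forwarded"] = r.inbound("198.51.100.9", 4444, 21)          # hole opened by hand
    return out


if __name__ == "__main__":
    for case, dest in demo().items():
        print(f"{case:12} -> {dest or 'dropped'}")
```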