Networking Forums


Firewall on gateway computer?

 
 
Doug Laidlaw
Guest
Posts: n/a

 
      03-15-2006, 10:15 PM
My wife is about to purchase a laptop which will be networked to my Mandriva
2006 system. She will be running Windows XP. Asking her to use Linux
would not be well received (her Adult Education instructor hasn't heard of
anybody using it.)

I am looking at firewalling. If she had her own firewall - I used to use
ZoneAlarm - she wouldn't want to be troubled with the continual questions
that ZoneAlarm asks. I was thinking of a dedicated gateway computer
running for example, IPCOP, except that I don't want another box in my
room.

Any suggestions?

TIA,

Doug
--
When we want to read of the deeds that are done for love, whither do we
turn? To the murder column.
G.B. Shaw.

 
 
 
 
 
Douglas Mayne
Guest
Posts: n/a

 
      03-15-2006, 11:22 PM
On Thu, 16 Mar 2006 10:15:21 +1100, Doug Laidlaw wrote:

> My wife is about to purchase a laptop which will be networked to my Mandriva
> 2006 system. She will be running Windows XP. Asking her to use Linux
> would not be well received (her Adult Education instructor hasn't heard of
> anybody using it.)
>
> I am looking at firewalling. If she had her own firewall - I used to use
> ZoneAlarm - she wouldn't want to be troubled with the continual questions
> that ZoneAlarm asks. I was thinking of a dedicated gateway computer
> running for example, IPCOP, except that I don't want another box in my
> room.


It need not be a full size box. See below.
>
> Any suggestions?
>
> TIA,
>
> Doug
>

Note: Comment inline.

If you already have a local network in your house, then you should have
some sort of firewall in place between it and the internet. The new
laptop can join your local network. If you are concerned about adding
boxes, the best per watt firewall may be the DI-604 (or equivalent from
another manufacturer).

http://www.dlink.com/products/?model=DI-604
http://www.dlink.com/products/?model=DI-524

This firewall will protect from outside attacks, but will not stop the
laptop from being infested with spyware/viruses. You can run occasional
spyware scans using BartPE's bootable CD, with Ad-aware. IMO, this
should be an essential component of anyone fooling with Windows. This CD
at least gives you a chance to detect rootkits and _count_ the
multitude of "nasties" which are probably hiding on the Windows box.

More unsolicited advice: Make a baseline backup of the laptop for easy
rollbacks to a known good state. Also, ban IE except for connecting to
the Windows Update site.

There may be reasons why you want to use your Mandriva box as a router
(machismo), but maybe the little boxes have their place, too. I use both
types: iptables on Linux and dedicated hardware firewalls.

--
Ripley: And you let him in.
http://us.imdb.com/title/tt0078748/quotes
 
 
Doug Laidlaw
Guest
Posts: n/a

 
      03-16-2006, 03:41 AM
Douglas Mayne wrote:

> On Thu, 16 Mar 2006 10:15:21 +1100, Doug Laidlaw wrote:
>
>> My wife is about to purchase a laptop which will be networked to my
>> Mandriva
>> 2006 system. She will be running Windows XP. Asking her to use Linux
>> would not be well received (her Adult Education instructor hasn't heard
>> of anybody using it.)
>>
>> I am looking at firewalling. If she had her own firewall - I used to use
>> ZoneAlarm - she wouldn't want to be troubled with the continual questions
>> that ZoneAlarm asks. I was thinking of a dedicated gateway computer
>> running for example, IPCOP, except that I don't want another box in my
>> room.

>
> It need not be a full size box. See below.
>>
>> Any suggestions?
>>
>> TIA,
>>
>> Doug
>>

> Note: Comment inline.
>
> If you already have a local network in your house, then you should have
> some sort of firewall in place between it and the internet. The new
> laptop can join your local network. If you are concerned about adding
> boxes, the best per watt firewall may be the DI-604 (or equivalent from
> another manufacturer).
>
> http://www.dlink.com/products/?model=DI-604
> http://www.dlink.com/products/?model=DI-524
>
> This firewall will protect from outside attacks, but will not stop the
> laptop from being infested with spyware/viruses. You can run occasional
> spyware scans using BartPE's bootable CD, with Ad-aware. IMO, this
> should be an essential component of anyone fooling with Windows. This CD
> at least gives you a chance to detect rootkits and _count_ the
> multitude of "nasties" which are probably hiding on the Windows box.
>
> More unsolicited advice: Make a baseline backup of the laptop for easy
> rollbacks to a known good state. Also, ban IE except for connecting to
> the Windows Update site.
>
> There may be reasons why you want to use your Mandriva box as a router
> (machismo), but maybe the little boxes have their place, too. I use both
> types: iptables on Linux and dedicated hardware firewalls.
>

Thank you. I am currently using a NetComm router for ADSL. It has NAT and
port forwarding, but doesn't claim to be a firewall. I have an old X686
that could be set up between the router and the home network (at the moment
it is just my Linux box.)

One retailer here still has the (superseded) Netcomm NB5880 (http://www.netcomm.com.au/Spec_Sheets/NB5580_info.pdf) which seems to be equivalent to the D-Link unit.

Doug.
--
Marriage has many pains, but celibacy has no pleasures.
-- Samuel Johnson (that conceited upstart.)

 
 
X
Guest
Posts: n/a

 
      03-16-2006, 02:15 PM
NAT is part of a firewall. It allows your private connections to get
translated to public IPs and keeps track of them to know to allow
responses back to you in, but it does not allow the other way around
(which is known as IP mapping or port forwarding or a variety of other
"cute" terms). One resource that I use to test a firewall is to go to
grc.com. Then follow links to ShieldsUp. This will port-scan your IP
and show you the status of your ports (Open, Closed, "Stealth" aka No
Response).

It should also be noted that Windows XP SP2 has a firewall built in,
that will most likely be sufficient for your needs.

X
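
The asymmetry described in the post above (replies to connections opened from the inside are let back in, unsolicited inbound traffic is not unless a port is forwarded), written out as an `iptables-restore` ruleset for a Linux box placed between the router and the home network. This is an added example, not part of the original posts; the interface names `eth0`/`eth1`, the forwarded port and the LAN host address are assumptions.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset for a two-interface Linux
# NAT gateway. Nothing is applied to the running system.
# usage: gateway_rules WAN_IF LAN_IF [TCP_PORT LAN_HOST_IPV4]
r() { printf '%s\n' "$*"; }

gateway_rules() {
    wan=$1 lan=$2 port=${3:-} host=${4:-}
    case "$wan$lan" in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface name" >&2; return 1 ;;
    esac
    if [ -z "$wan" ] || [ -z "$lan" ] || [ "$wan" = "$lan" ]; then
        echo "need two different interfaces" >&2; return 1
    fi
    if [ -n "$port" ]; then
        case "$port" in *[!0-9]*) echo "bad port" >&2; return 1 ;; esac
        case "$host" in ''|*[!0-9.]*) echo "bad LAN host" >&2; return 1 ;; esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range" >&2; return 1
        fi
    fi
    r "*nat"
    r ":PREROUTING ACCEPT [0:0]"
    r ":POSTROUTING ACCEPT [0:0]"
    # Port forwarding: the only way an unsolicited inbound connection gets in.
    if [ -n "$port" ]; then
        r "-A PREROUTING -i $wan -p tcp --dport $port -j DNAT --to-destination $host"
    fi
    # Outbound LAN traffic leaves with the gateway's own address.
    r "-A POSTROUTING -o $wan -j MASQUERADE"
    r "COMMIT"
    r "*filter"
    r ":INPUT DROP [0:0]"
    r ":FORWARD DROP [0:0]"
    r ":OUTPUT ACCEPT [0:0]"
    r "-A INPUT -i lo -j ACCEPT"
    r "-A INPUT -i $lan -j ACCEPT"
    # Replies to connections that were opened from the inside are let back in.
    r "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    r "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    r "-A FORWARD -i $lan -o $wan -j ACCEPT"
    if [ -n "$port" ]; then
        r "-A FORWARD -i $wan -o $lan -p tcp -d $host --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    fi
    r "COMMIT"
}

# Constructed sample: eth0 faces the ADSL router, eth1 the home LAN.
gateway_rules eth0 eth1
```

Review the printed ruleset before loading it with `iptables-restore` as root; the gateway also needs `net.ipv4.ip_forward=1` for the FORWARD rules to carry any traffic.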

 
 
Douglas Mayne
Guest
Posts: n/a

 
      03-16-2006, 03:57 PM
On Thu, 16 Mar 2006 07:15:55 -0800, X wrote:

>

<snip>
>
> It should also be noted that Windows XP SP2 has a firewall built in,
> that will most likely be sufficient for your needs.
>
> X
>

I have recommended that the Windows OS be used only behind NAT when
connecting to an untrusted network. This is because of viruses like Code
Red, Nimda, etc. which can infect without any action on the part of the
user- a direct network connection is all that is required for infection.
The NAT layer takes that Windows off of the "front lines." This policy may
have some push back from the end users because they want to take
advantage of public wifi, etc.

A recent press release about MS Vista still claims this as a feature: "to
seek out other 'computers near me', and to seamlessly connect to them."
The correct answer is to sit (quietly) until the user specifically asks
for any external connection.

--
Douglas Mayne



 
 
X
Guest
Posts: n/a

 
      03-16-2006, 05:36 PM
> I have recommended that the Windows OS be used only behind NAT when
> connecting to an untrusted network. This is because of viruses like Code
> Red, Nimda, etc. which can infect without any action on the part of the
> user- a direct network connection is all that is required for infection.
> The NAT layer takes that Windows off of the "front lines." This policy may
> have some push back from the end users because they want to take
> advantage of public wifi, etc.


Exploits like those used in the viruses you mentioned affect open
(unfirewalled) ports. Agreed, it could be possible that Windows XP has
an exploit (sending a specific packet) that breaks the firewall. Linux
could too, I suppose, although it's not as likely, and neither of them
is particularly likely. The XP firewall only has the ports open that
you let it have open.

Also if you are using the XP firewall on the laptop and your Windows XP
computer has a public IP address, you will want to disallow (uncheck)
file and printer sharing (and probably anything else that's checked) on
that interface, but keep it on the private interface (with the Windows
Firewall, this can be set on the advanced tab) if you still want to
share files and be viewable on the local network, that is. If you
don't then just uncheck it altogether in the main tab. I doubt this is
the case from your comments. Your machines are probably both on a
private network behind a NAT firewall, so you should be fine.

> A recent press release about MS Vista still claims this as a feature: "to
> seek out other 'computers near me', and to seamlessly connect to them."
> The correct answer is to sit (quietly) until the user specifically asks
> for any external connection.


This is talking about a local network (hence, 'computers near me') that
you most likely don't have firewalled. If you have a firewall (even
the XP firewall) between yourself and the Vista computer looking for
you, then it will not see you unless you specifically connect to it
first.

X

 
 
 
 