Posted by Duane Arnold on July 13, 2005, 4:02 pm
Stephen P. wrote:
> Today I have finally joined the 21st century and switched from ISDN to
> broadband. All appears to be running fine, access wise.
>
> I have a Windows XP SP2 machine and a Windows 98 machine (primarily used
> for backups), these are connected via a (ISP supplied and configured)
> Thomson SpeedTouch 510 Ethernet Switch/Router/Hub/whatever, this has an
> 'integrated firewall'. The machines connect to the router via DHCP using
> an IP address range supplied by my ISP.
That is impossible. The computers are connected to the router and they get a
DHCP IP from the DHCP server on the router. They are called private LAN
side IP(s). The router itself is obtaining a DHCP IP from the ISP so that
your router can access the Internet and the machines connected to the router
using private LAN IP(s) can access the Internet through the router. The IP
from the ISP the router is using is called a public/WAN IP.
>
> The XP machine is running Windows Firewall (although since I stopped using
> dial-up it has, worryingly, stopped appearing in the system tray) which is
> 'On' and has ActiveSynch Application (my PDA), Connection Manager, File
> and Printer Sharing and SmartFTP as exceptions. Also under 'Network
> Connections' my 'Local Area Connection' is marked as firewalled. I think
> this seems secure?!?
You really don't need the XP FW, since the machines are behind the
protection of the NAT router.
>
> The Windows 98 machine has the freebie ZoneAlarm installed. However as
> there is only one connection - to the router - I don't seem to be able to
> win on whether to put this in the 'Trusted' or 'Internet' zone ;
You can put it there, because the router is there protecting the network.
>
> a.if in the trusted zone then my file sharing between the two computers
> works OK, but I am, presumably, less secure.
> b.if in the internet zone then my file sharing doesn't work - I cannot
> connect to the 98 machine from the XP machine.
Well, you either put the machines in the trusted zone of the PFW/packet
filter so that the machines can share resources or you disable the
PFW/packet filter, but since the machines are behind the protection of the
NAT router, either way, the machines are protected.
>
> I'm sure this is a REALLY common problem, with an obvious answer, but I
> don't know what it is ! As I see it I can either;
> a.Trust that the Firewall on the router is doing it's thing and leave the
> network connection in the trusted zone. The Router Firewall would *appear*
> to be working as ZoneAlarm has only reported 3 blocked intrusions - all of
> which were me on the other PC. But one of our network people at work said
> I should definitely also install a software firewall ...... unfortunately
One installs a PFW/packet filter on the machine to stop outbound traffic from
the machine, since the NAT router for home usage doesn't have the ability.
> I'm on holiday all week, so can't ask him this one!
> or
> b.Add my IP range to the exceptions, but I'm unsure of the implications of
> this.
You should leave it alone.
> or
> c.Turn off DHCP and hardwire the IP addresses of the 2 machines, albeit to
> numbers within the same range, and then put these into the exceptions
> instead.
You should leave it alone.
> or
> d.Something else!!
You could use static IP(s) on the router.
>
> What is the correct solution? Many TIA.
(A)
The machines are protected by the NAT router until you start doing high risk
things with the router like using port forwarding, opening inbound ports on
the router to a LAN IP/machine.
All ports are closed on the router by default and the ports will only open
if a program running on the computer initiates outbound traffic to a remote
IP. If the solicitation is made to a remote IP, then the router will open
the required inbound ports, otherwise, all unsolicited inbound traffic to
the router is blocked, unless you open ports manually using port
forwarding.
http://www.homenethelp.com/web/explain/about-NAT.asp
http://www.homenethelp.com/web/explain/port-forwarding-dmz.asp
Duane :)
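The behaviour Duane describes (outbound traffic from a LAN host creates a mapping on the router, replies to that mapping are let back in, everything else unsolicited is dropped, and a port-forwarding rule is the one way to punch a hole) can be shown with a small connection-tracking simulation. This is an added example, not code from the thread or from any router firmware; the `NatRouter` class, the `Packet` type and the addresses used (RFC 5737 documentation ranges and a 192.168.1.0/24 LAN) are constructed for illustration. It models an endpoint-restricted NAT, which is stricter than some consumer routers that accept a reply from any remote address on a mapped port.

```python
"""Simulated stateful NAT router (constructed example).

Rules, as in the thread:
  * a LAN host sending outbound creates a (proto, WAN port) mapping;
  * inbound traffic is admitted only if it matches an existing mapping
    and comes from the remote endpoint the LAN host actually contacted;
  * everything else unsolicited is dropped, unless an explicit
    port-forwarding rule exists for that WAN port.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    def __init__(self, wan_ip: str, first_port: int = 40000):
        self.wan_ip = wan_ip              # public/WAN IP obtained from the ISP
        self.next_port = first_port       # next free WAN port for new mappings
        # (proto, wan_port) -> (lan_ip, lan_port, remote_ip, remote_port)
        self.table = {}
        # (proto, wan_port) -> (lan_ip, lan_port), i.e. manual port forwarding
        self.forwards = {}

    def add_port_forward(self, proto: str, wan_port: int, lan_ip: str, lan_port: int):
        """Manually open an inbound port: the 'high risk' action in the post."""
        self.forwards[(proto, wan_port)] = (lan_ip, lan_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a LAN-originated packet; reuse or create a mapping."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for (proto, wan_port), entry in self.table.items():
            if proto == pkt.proto and entry == flow:
                return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        wan_port = self.next_port
        self.next_port += 1
        self.table[(pkt.proto, wan_port)] = flow
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet):
        """Return the packet as delivered to the LAN, or None if dropped."""
        key = (pkt.proto, pkt.dst_port)
        entry = self.table.get(key)
        if entry is not None:
            lan_ip, lan_port, remote_ip, remote_port = entry
            # Only the endpoint the LAN host solicited may answer on this port.
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)
            return None
        fwd = self.forwards.get(key)
        if fwd is not None:
            return Packet(pkt.src_ip, pkt.src_port, fwd[0], fwd[1], pkt.proto)
        return None  # unsolicited, no forwarding rule: blocked


def demo() -> dict:
    """Walk through the cases from the post and return each outcome."""
    r = NatRouter("203.0.113.7")
    # 1. LAN host opens a web connection: mapping created, WAN port 40000.
    out = r.outbound(Packet("192.168.1.10", 51000, "198.51.100.5", 80))
    out_again = r.outbound(Packet("192.168.1.10", 51000, "198.51.100.5", 80))
    # 2. The web server replies to that mapping: admitted and translated.
    reply = r.inbound(Packet("198.51.100.5", 80, "203.0.113.7", out.src_port))
    # 3. Unsolicited probe of a file-sharing port (139): dropped.
    unsolicited = r.inbound(Packet("198.51.100.9", 4444, "203.0.113.7", 139))
    # 4. A different host trying the mapped port: dropped (endpoint-restricted).
    wrong_peer = r.inbound(Packet("198.51.100.9", 80, "203.0.113.7", out.src_port))
    # 5. After a manual port-forward, the same unsolicited traffic gets in.
    r.add_port_forward("tcp", 8080, "192.168.1.10", 80)
    forwarded = r.inbound(Packet("198.51.100.9", 4444, "203.0.113.7", 8080))
    return {
        "out": out, "out_again": out_again, "reply": reply,
        "unsolicited": unsolicited, "wrong_peer": wrong_peer, "forwarded": forwarded,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} -> {'DROPPED' if result is None else result}")
```

The model also makes Duane's other point concrete: nothing in `NatRouter` inspects what the LAN host sends out, so anything already running on the PC can open a mapping at will. Blocking that is the job of a host firewall (the "PFW/packet filter" in the post), which is why he says that is the reason to run one behind a NAT router.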