Can I totally disable a firewall on my router?

If it doesn't have an option in its interface then DMZing to the computer is the next best thing.

One question: why?
 
By setting an address as the DMZ, you are effectively putting that computer on the internet with nothing in between, which sounds like what you want to do.
 
Wolf-R1 said:
Why the hell would you want to turn off your firewall??? :confused:
Yea. You shouldn't do that.

Maybe he's trying to set up a server and wants to access it from outside the LAN. Then you just need to put it on the DMZ and forward the correct ports.
 
Scheizekopf said:
Maybe he's trying to set up a server and wants to access it from outside the LAN. Then you just need to put it on the DMZ and forward the correct ports.

That is incorrect. Don't put it in the dmz; you want to just forward the ports.
 
Malk-a-mite said:
Because it works the same as turning off the firewall to that computer.
Yeah. So? I have my computer in the dmz right now and I am just fine.
 
There's no point in putting any machine in the dmz, just forward (unblock for nibs) the ports you require.
 
jpmkm said:
Yeah. So? I have my computer in the dmz right now and I am just fine.
It is just not good for security.

Port forwarding allows the firewall to still do SPI if you have it and allows access to the machine, which is both safer and more secure.
 
I'm sorry, I'm not quite understanding the security aspect here. I don't have anything running on my computer that I wouldn't have to set my router to forward. If I have vulnerable software running, it's going to get hit whether I have the port forwarded or I have my computer in the dmz. What is the difference? Should I really trust the $30 box more than my computer?

The only bad thing I can think of by using a dmz is local file sharing. You most likely wouldn't want those ports open to the internet. It is quite trivial, though, to configure your software to deny all hosts and allow only those on the local network.
 
Grizzle said:
Dlink di-514

Can it be done?

If yes, how? The dmz?


To address the original question, D-link has a very cool web emulator that allows you to see all the configuration screens for this router on their site. The part you are looking for is under the advanced tab, under Firewall. The first radio buttons listed are Enable or Disable.
http://support.dlink.com/emulators/di514_revc/adv_firewall.html

If all you want is to turn off the firewall that's what you need. I assume it's for a wireless router that is already behind some level of protection from the internet and that you are using either MAC filtering, WAP, WEP, or gang of ninjas to secure the device (or you are feeling extra nice and letting the neighborhood surf on your dime).

If you just want to have one machine free of the firewall rules, say for instance you have lots of problems with playing an online game, you can put that machine in the DMZ or use the application option for port triggering.
http://support.dlink.com/emulators/di514_revc/adv_dmz.html
http://support.dlink.com/emulators/di514_revc/adv_appl.html

If you want to turn off the firewall so that you can access machines inside your network from the internet, I strongly suggest you use what D-link calls Virtual Servers.
http://support.dlink.com/emulators/di514_revc/adv_virtual.html
This will forward the correct ports to machines on your internal network.
 
jpmkm said:
I'm sorry, I'm not quite understanding the security aspect here. I don't have anything running on my computer that I wouldn't have to set my router to forward. If I have vulnerable software running, it's going to get hit whether I have the port forwarded or I have my computer in the dmz. What is the difference? Should I really trust the $30 box more than my computer?

Since all the $30 dollar box does is work on routing and filtering, yes (debate about buying expensive vs. cheap goes here I know).

The question is: if you can add a layer of protection to your computer, would you? A packet-filtering firewall is a layer of protection. If a month from now there is a new exploit in the wild and the IP scanners fire up looking for anyone running serviceX, would you rather have a device that specifically blocks anything you didn't already allow to be forwarded, or not?

There are 65k ports on your computer; you will be making use of around 100 of them at any given time. Why have the other 64k+ available for checking if you don't need to?
 
Malk-a-mite said:
Since all the $30 dollar box does is work on routing and filtering, yes (debate about buying expensive vs. cheap goes here I know).

The question is: if you can add a layer of protection to your computer, would you? A packet-filtering firewall is a layer of protection. If a month from now there is a new exploit in the wild and the IP scanners fire up looking for anyone running serviceX, would you rather have a device that specifically blocks anything you didn't already allow to be forwarded, or not?
If I am running serviceX then it will be forwarded on my router. If it wasn't then I wouldn't be running it. I'd be screwed if I was forwarding it and I would be screwed if I was in the dmz.
 
The security aspect is thus:

Forward a port and have vulnerable software on that port, then you may get hit there.

Put your machine in the DMZ and whether you know you have vulnerable software on your PC or not, you'll be hit... and it may be somewhere that you won't detect and/or know about right away.

It's like opening a peephole (port forwarding) versus opening the whole door (dmz).
 
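The peephole-versus-door argument above, the earlier point about 65k ports versus the ~100 in use, and the suggestion of restricting file sharing to the local network can be modelled in a few lines. The following is an added example written for this thread, not code posted by any participant: it puts a constructed LAN (192.168.0.0/24, server at 192.168.0.10) behind a router that is either DMZing that host or forwarding only the three services jpmkm named (ssh, apache, vnc), then applies the host's own source-address policy. The file-sharing ports (139/445), the probing address 203.0.113.7 and the port numbers are assumptions for illustration.

```python
# Added example (not from the thread): a small model of what unsolicited inbound
# traffic reaches a LAN host under two router placements, then what the host's own
# source-address policy does with it. All addresses, ports and the LAN range are
# constructed assumptions for illustration.
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, Optional, Set

LAN = ip_network("192.168.0.0/24")      # assumed home LAN range
HOST = "192.168.0.10"                   # assumed address of the server in the thread
ALL_PORTS = 65535


@dataclass
class RouterConfig:
    """Router settings: an optional DMZ host and a port-forward table."""
    dmz_host: Optional[str] = None
    forwards: Dict[int, str] = field(default_factory=dict)  # external port -> LAN host


@dataclass(frozen=True)
class Packet:
    """An unsolicited inbound TCP connection attempt (replies to outbound traffic are not modelled)."""
    src: str
    dst_port: int


# Host-side layer: which services listen and from which networks they accept.
# None means "any source"; a network restricts the service to that range.
HOST_POLICY: Dict[int, Optional[IPv4Network]] = {
    22: None,      # ssh, meant to be reachable from the internet
    80: None,      # apache
    5900: None,    # vnc
    139: LAN,      # file sharing (assumed SMB/NetBIOS ports), LAN only
    445: LAN,
}


def router_target(cfg: RouterConfig, pkt: Packet) -> Optional[str]:
    """Return the LAN host the router delivers `pkt` to, or None if it is dropped.

    A forward-table entry wins; otherwise the DMZ host (if any) gets everything;
    with neither configured the router's default is to drop unsolicited traffic.
    """
    if pkt.dst_port in cfg.forwards:
        return cfg.forwards[pkt.dst_port]
    return cfg.dmz_host


def exposed_ports(cfg: RouterConfig, host: str) -> Set[int]:
    """Ports on `host` that the internet can reach at all through this router."""
    if cfg.dmz_host == host:
        return set(range(1, ALL_PORTS + 1))
    return {port for port, target in cfg.forwards.items() if target == host}


def host_verdict(pkt: Packet, policy=HOST_POLICY) -> str:
    """What the host does with a packet the router delivered."""
    if pkt.dst_port not in policy:
        return "closed"        # nothing listening: refused, but the host was still probed
    scope = policy[pkt.dst_port]
    if scope is not None and ip_address(pkt.src) not in scope:
        return "denied"        # service listening, but source outside its allowed range
    return "accepted"


def deliver(cfg: RouterConfig, pkt: Packet, host: str = HOST) -> str:
    """Run a packet through both layers and report the outcome."""
    if router_target(cfg, pkt) != host:
        return "dropped_at_router"
    return host_verdict(pkt)


# Two configurations for the same host: the DMZ, and forwarding only the three services.
DMZ_CONFIG = RouterConfig(dmz_host=HOST)
FORWARD_CONFIG = RouterConfig(forwards={22: HOST, 80: HOST, 5900: HOST})

# Constructed probes from an internet address: the three intended services, the
# file-sharing port, and a port with nothing listening.
PROBES = [Packet("203.0.113.7", p) for p in (22, 80, 5900, 445, 31337)]


def compare(probes=PROBES) -> Dict[str, Dict[int, str]]:
    """Outcome of each probe under both router configurations."""
    return {
        "dmz": {p.dst_port: deliver(DMZ_CONFIG, p) for p in probes},
        "forward": {p.dst_port: deliver(FORWARD_CONFIG, p) for p in probes},
    }


if __name__ == "__main__":
    for name, cfg in (("dmz", DMZ_CONFIG), ("forward", FORWARD_CONFIG)):
        print(f"{name}: {len(exposed_ports(cfg, HOST))} ports reachable from the internet")
    for mode, results in compare().items():
        print(mode, results)
```

Running it shows the two layers doing different jobs: with port forwarding the probes to 445 and 31337 never reach the host, while in the DMZ the file-sharing probe is stopped only by the host's own allow-list and the probe to 31337 gets as far as a refused connection. The intended services behave identically in both modes, which is jpmkm's point; the difference is the 65,532 ports that are reachable only because of the DMZ.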
Suppose my computer is in the dmz, and it is running ssh server, apache, and vnc server. Other than those three daemons, how exactly will my computer get hit? I've always wondered this. Is it possible for somebody to do something to my computer not using a port I have open? I may be opening a door by putting my computer in the dmz, but there is a brick wall behind the door, and only a few bricks are removed.
 
Having a brick wall and a sand trap in front of the door that leads to the brick wall with a few bricks removed is still an extra layer of protection and, providing your scenario allows for it, a good idea.

The built-in firewall support that comes with most flavors of Linux is generally top notch, and nothing (no matter how much is spent on security) is ever truly secure; that is why having as many layers of protection as possible is a good thing -- after all, chances are that the person with the short attention span trying to break into your network will give up if they break through one wall only to find another waiting for them. =)

It's not so much trying to make things secure as it is trying to make it not worth the effort these days.
 
jpmkm said:
Suppose my computer is in the dmz, and it is running ssh server, apache, and vnc server. Other than those three daemons, how exactly will my computer get hit? I've always wondered this. Is it possible for somebody to do something to my computer not using a port I have open? I may be opening a door by putting my computer in the dmz, but there is a brick wall behind the door, and only a few bricks are removed.

That is only true if everything on your computer is perfect, from your configuration to every single piece of code. While your config could be perfect (mine never seem to be 100%, 99% maybe...) unless you both know what you are looking for and have checked the code (apps and OS) you can have a potential exploit.

If you have the time, have a read through the bugtraq lists; every day people find new holes in apps and OSes.
http://www.securityfocus.com/archive/1

EDIT: I think I'm just going to let Orinthical finish up this discussion since [he/she/it] is doing a better job of explaining it.
 