[geeks] Firewall *needed* behind home (NAT) router

Mike Meredith mike at redhairy1.demon.co.uk
Tue Feb 8 12:43:51 CST 2005


On Mon, 7 Feb 2005 23:56:43 +0000, Lionel Peterson wrote:
> While I plan to re-wire my network (and get rid of one 10base-2 coax
> line to the second floor), and upgrade my wireless APs to 802.11g, I
> wonder if it is worth adding a SunScreen firewall to my network. The
> only place the firewall makes sense is behind my router, and since
> nothing can get in (in theory), what is the point of the firewall?

I presume you mean nothing gets to initiate connections to inside the
hypothetical firewall, as stuff will certainly get in if you want to use
the Internet from the inside. At the very least, you can use this
firewall to block activity that you don't want ... for example SMTP from
infected Windows machines.

With a good enough firewall you can also do more exotic stuff such as
strip ActiveX chunks out of HTTP traffic, properly NAT protocols such as
H.323 and SIP, etc.

> Does a firewall make sense? 

It makes sense (at least to a paranoid firewall administrator like me).
The question is, is the administrative overhead worth it? Perhaps not
for a simple home network.
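
Added example, not part of the original post: a sketch of the egress check described in the reply, where an inside firewall lets SMTP go only to one mail relay and the blocked attempts point at the machine that is probably infected. The log format, the LAN range, the relay address and the function names are all assumptions made for illustration, and the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed inside network
RELAY = ipaddress.ip_address("192.0.2.25")     # assumed ISP mail relay
SMTP_PORT = 25

# Constructed log lines in a made-up format (not SunScreen output).
SAMPLE_LOG = """\
2005-02-08T12:00:01 tcp 192.168.1.10:1025 -> 192.0.2.25:25
2005-02-08T12:00:02 tcp 192.168.1.10:1026 -> 198.51.100.80:80
2005-02-08T12:00:05 tcp 192.168.1.23:3101 -> 198.51.100.7:25
2005-02-08T12:00:05 tcp 192.168.1.23:3102 -> 203.0.113.40:25
2005-02-08T12:00:06 tcp 192.168.1.23:3103 -> 203.0.113.91:25
2005-02-08T12:00:09 tcp 192.168.1.30:4000 -> 198.51.100.7:25
this line is malformed and must be skipped
"""

LINE = re.compile(r"^\S+ (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")

def parse(log):
    """Yield (proto, src, dst, dport) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        proto, src, _sport, dst, dport = m.groups()
        try:
            yield proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
        except ValueError:   # looks like an address but is not one
            continue

def egress_verdict(proto, src, dst, dport):
    """Policy: inside hosts may speak SMTP only to the relay."""
    if proto == "tcp" and dport == SMTP_PORT and src in LAN and dst != RELAY:
        return "block"
    return "pass"

def direct_smtp_sources(log, min_destinations=2):
    """Map inside host -> blocked SMTP destinations, for hosts that tried
    at least min_destinations distinct servers directly."""
    seen = defaultdict(set)
    for proto, src, dst, dport in parse(log):
        if egress_verdict(proto, src, dst, dport) == "block":
            seen[str(src)].add(str(dst))
    return {h: sorted(d) for h, d in seen.items() if len(d) >= min_destinations}

if __name__ == "__main__":
    for host, dests in direct_smtp_sources(SAMPLE_LOG).items():
        print(host, "->", ", ".join(dests))
```

The NAT router alone would have passed all six connections, since every one of them is initiated from the inside.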