Re: Incoming Calls, NOT!
Putting something in the DMZ does not make it appear to be outside the router. It's simply a way of port forwarding "ALL PORTS". It has nothing to do with the SPI firewall, or getting around it. DMZ is just a way to do port forwarding or port range forwarding when you don't know which ports to forward. Some say that it bypasses the firewall, but it's simply giving permission for the packets to enter. The IP address in the DMZ has to authenticate those inbound packets, or they are useless. But because you are giving permission for all packets to be forwarded, it could be seen as bypassing.
Firewalls do basically one thing. They block unsolicited incoming data. If you ask for it, a firewall is not going to help you. It will allow it in. That's why viruses, trojans, malware, etc... are so tricky. If you receive a file in an email attachment, or you go to a website and accept certain conditions, then you have solicited and the SPI Firewall in the router is going to allow it to come in. With a true firewall (free-standing hardware) or a software firewall like ZoneAlarm or BlackICE, you can teach it and control it. A basic SPI firewall in a Linksys type router is simply ON or OFF. Very few give you any real control. Real firewalls, and most software types, also allow you to control outbound traffic too. Some people don't think you need to worry about outbound because you wouldn't request to go some place unless you wanted to. Well, in many companies or those with children, you may want to control certain places they can't go to. But this is a secondary use for a firewall, and not what is of concern here.
I've had computers for more than 30 years. I can honestly say that I have been able to protect them, and have NEVER had an unsolicited entry from the outside. And I don't have the SPI firewall turned on in the router. I use the software firewall that comes with the operating system; e.g. Windows or Linux. I then usually have a secondary that is much more controllable such as ZoneAlarm or BlackICE. Many SPI firewalls in routers, that are basic with little or no control, do in fact cause some problems with server type services like VoIP, web servers, gaming, etc...
As I mentioned above, a REAL NETWORK would never have such a thing as a router/switch/wireless/firewall/etc... combo device. For the majority of computer users, a combo router that we are talking about works flawlessly. Their computer use is very basic. For those who have a bit more complex network, including VoIP, intense gaming, servers, etc... they can use the combo type routers, but they need one that will do what they want, and they need to learn a little more about how to use it. For those who truly have a real network (not just multiple computers on the internet, but computers sharing with each other; web server; email server; game servers; file serving/sharing; etc...), then the all-in-one combo router isn't the way to go. Actually, the router part is fine, but you would install separate hardware to different parts of your network, e.g. hardware firewall, switches, static public IP addresses, etc...
I always tell people to start off their combo router in a very tight mode with SPI on, no port forwarding, etc... You don't fix what isn't broken. When you have inconsistencies with servers, such as VoIP, the first thing you do is experiment using the DMZ. If that works, then you have a PORT problem. You DON'T LEAVE it in the DMZ. You figure out the ports you need and you forward those ports or range. Then turn off the DMZ. (Again, the DMZ is simply PORT FORWARD ALL PORTS. Nothing more. It's not outside your router.) If you still have problems, and it isn't the ports, then you turn off the ALG. Then move on to turning off the SPI. Once you know what fixes the problem, you can address whether you need that function for another part of your network. But no, you don't need the SPI firewall on your router if you have a decent software router. The software can actually be much better. But if a person thinks hardware is always better, you can buy a standalone hardware firewall. Turn off the SPI in the combo router so your VoIP is happy, plug the hardware firewall into one of the combo router's switch LAN ports, then feed that to a switch for all your computers. Now you have the best of all worlds. Unless of course in your COMBO router you are also using that for your Wi-Fi. But that has a different set of protections and we don't have to discuss that here.
Last edited by christcorp; 02-11-2012 at 06:44 PM.
Mike
"Born Wild - Raised Proud"
Do you like your life? - Thank a Vet!!!
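The post's three claims about a consumer combo router (replies to traffic the LAN asked for are passed, a port forward admits one unsolicited port, and a DMZ host is nothing more than "forward every remaining port" to one LAN address) can be seen in a small model of the router's inbound decision path. This is an added example, not code from the post or from any router vendor; the addresses, ports, rule-evaluation order and the simplified SPI check (an unsolicited packet may only open a new flow, a stray mid-stream packet is dropped) are constructed assumptions for illustration.

```python
"""Toy model of a NAT combo router's inbound decision path.

Constructed example: rule order, addresses and ports are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Target = Tuple[str, int]  # (lan_ip, lan_port) an inbound packet is delivered to


@dataclass
class ComboRouter:
    spi_enabled: bool = True
    # Static forwards: (proto, wan_port) -> (lan_ip, lan_port)
    forwards: Dict[Tuple[str, int], Target] = field(default_factory=dict)
    # DMZ host: catch-all for inbound packets no forward rule claims
    dmz_host: Optional[str] = None
    # NAT connection table: (proto, remote_ip, remote_port, wan_port) -> (lan_ip, lan_port)
    nat_state: Dict[Tuple[str, str, int, int], Target] = field(default_factory=dict)

    def forward_port(self, proto: str, wan_port: int, lan_ip: str,
                     lan_port: Optional[int] = None) -> None:
        self.forwards[(proto, wan_port)] = (lan_ip, lan_port or wan_port)

    def forward_range(self, proto: str, first: int, last: int, lan_ip: str) -> None:
        for port in range(first, last + 1):
            self.forward_port(proto, port, lan_ip)

    def note_outbound(self, proto: str, lan_ip: str, lan_port: int,
                      remote_ip: str, remote_port: int) -> None:
        # Simplification: the WAN source port equals the LAN source port (no rewriting)
        self.nat_state[(proto, remote_ip, remote_port, lan_port)] = (lan_ip, lan_port)

    def handle_inbound(self, proto: str, src_ip: str, src_port: int, dst_port: int,
                       opens_flow: bool = True) -> Tuple[str, Optional[Target]]:
        # 1. Solicited: a reply to something a LAN host asked for is always passed
        key = (proto, src_ip, src_port, dst_port)
        if key in self.nat_state:
            return "allow-solicited", self.nat_state[key]
        # 2. Unsolicited: explicit forward first, then the DMZ catch-all, else nowhere to go
        target = self.forwards.get((proto, dst_port))
        verdict = "forward"
        if target is None and self.dmz_host is not None:
            target, verdict = (self.dmz_host, dst_port), "forward-dmz"
        if target is None:
            return "drop-no-target", None
        # 3. SPI (when on, assumed behaviour): an unsolicited packet may only open a
        #    new flow; a stray mid-stream packet is dropped even if a rule matches it
        if self.spi_enabled and not opens_flow:
            return "drop-spi", None
        return verdict, target

    def exposed_ports(self, proto: str, scan: range) -> Dict[str, List[int]]:
        """Which unsolicited ports reach which LAN host; with a DMZ it is all of them."""
        out: Dict[str, List[int]] = {}
        for port in scan:
            _, target = self.handle_inbound(proto, "198.51.100.7", 40000, port)
            if target is not None:
                out.setdefault(target[0], []).append(port)
        return out


def demo() -> Dict[str, Tuple[str, Optional[Target]]]:
    """Walk the post's VoIP scenario on constructed addresses."""
    r = ComboRouter(spi_enabled=True)
    r.forward_port("udp", 5060, "192.168.1.20")                # SIP signalling to the VoIP box
    r.forward_range("udp", 10000, 10010, "192.168.1.20")       # media port range
    r.note_outbound("tcp", "192.168.1.10", 50123, "203.0.113.5", 443)  # a PC opened a page
    results = {
        "https_reply": r.handle_inbound("tcp", "203.0.113.5", 443, 50123, opens_flow=False),
        "sip_invite": r.handle_inbound("udp", "203.0.113.9", 5060, 5060),
        "random_probe": r.handle_inbound("tcp", "198.51.100.7", 40000, 3389),
    }
    r.dmz_host = "192.168.1.20"  # the "try the DMZ" troubleshooting step
    results["probe_with_dmz"] = r.handle_inbound("tcp", "198.51.100.7", 40000, 3389)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} -> {verdict}")
```

`exposed_ports` makes the post's warning concrete: with only a forward for UDP 5060 the VoIP box is reachable on one port, and as soon as a DMZ host is set every other port lands on that host, which is why the DMZ is a diagnostic step and not a place to leave a machine.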