Why would you want to have a software firewall when you have a
router that has the firewall built in the hardware?
table, or PDF was removed because it will not display on your device. Check back on a PC....
With a hardware firewall you are limited with the 'rules' you
can use for connecting in to and out of your network.
Note: Having the router with a firewall on the
outside of your network has it's advantages, mainly the rule to "Block WAN
requests", which most software solutions do not have, and it isn't hackable!
Modern commercial small business/home routers (and some
cable/DSL modems) have additional options and features that help you keep your
internal network from being accessed by an unauthorized (hacker/thief) person
that would steal or do your data harm. They are not expensive so consider this:
"How much is your family/data's safety worth?"
Where as with a
and a proxy services you have more flexibility in creating your rules.
Software Firewall service:
The problem with a software solution is you need a computer
between your hardware router and your client computers. This computer is
normally called a Proxy Server.
How would you setup a 'Proxy Server'? Well it really isn't hard
Of course you will need a computer, the difference is in the
network cards or NIC's.
You will need two dissimilar NIC's.
By dissimilar I mean
two separate NIC's. Such as a 3Com and a Net Gear. This isn't important on the
surface but when you set up the network having dissimilar NIC's make identifying
the LAN side and WAN side of the proxy service easier.
Also you will need a program that is a proxy server, this
is the meat of the setup.
I have used Win Gate (by an Australian company QBik) for years and
am familiar with it's workings. It has a GUI (Graphic's User Interface) that
makes writing the 'rules' easier than some of the other proxy servers I have
Note: If you decide to use a program called Zone Alarm be
aware that the program is very invasive. It is an "All-In-One" type security
program and once installed it takes a lot of work to remove. In addition the
program is not as robust in that a single set of separate programs would
provide. If you like conflicts in your software programs this one is for you.
Other wise don't waste your time and money. Just sayin'...
So how do you setup your software firewall -
You have your computer and your NIC's, you can use any OS for
your computer if it supports two NIC's. I normally use a Server OS (Windows
workstation such as Vista or Win7 only allow for 10 consecutive connections, if
you need more than 10 connections to the Proxy computer then you will need a
have the OS loaded I suggest you name one NIC LAN (Local Area
Network) and the
other WAN (Wide Area Network) where the LAN is your network on your side of the
router and WAN is the connection to the router.
You give the LAN NIC an IP address that is on your local network
and you give the WAN NIC an IP address that the router supports. I do suggest
that you use static IP addresses.
On the LAN NIC you do not want to put in a gateway IP. On the
WAN side the gateway address will be the IP address to the router as assigned by your
Where the firewall comes in is the two network cards. The two
networks are physically separated with the two network cards. Data has to flow
from one network card to the proxy server to the other network card. You still
need the router for the hardware firewall that the software can not provide
specifically the Block WAN Request and will provide services for other
protocols like: IPSec, PPTP, and L2TP Pass Through. These are not
necessary protocols unless you are setting up a
VPN for your
users/employees to connect while on the road.
Test your connections, connect to the software firewall
- Proxy server from one of
your computers on the LAN side. From the proxy server connect to a web
site. If you have no problems connecting to and out of the proxy server computer
you are ready to install the Proxy service software.
Once you have your Proxy service software installed all that is left to
do is write the 'rules'. A 'rule' is broken down in to three parts:
Who can connect
Where they can connect to
The interfaces they can connect on.
Normally you would give all the users on your network access to
the World Wide Web, they would connect on the LAN NIC and the connection would
go out the WAN NIC. Also there may be additional parameters you can set, such as
time of day for the connection, a list of web sites or 'keywords' that are
restricted and the length of time for a connection.
A rule would look like this:
Sessions (Users): all
Bindings (LAN): 10.10.10.3
Interfaces (Wan): 126.96.36.199
Note: These settings are fictitious.
This works very well for programs like Net Nanny or business
that want to restrict users from surfing while they are at work.
The Gateway IP for the client computers, this is
the LAN IP of the Proxy Server. Now on the client computers you
need to setup the Gateway IP on the NIC that uses a static IP.
If you have a DHCP server check the
page (it will be called the Router in the Scope) for where to add in the
Add the gateway IP to any software that has an option for the
gateway IP and port. IE has this option under the Internet Options / tools /
connections at the bottom of the page. Other programs that access the internet
will have a Proxy service setting in the options or instructions on how to connect to a
This is the main reason a virus can not send your data to the
viruses originating computer (thief) or "call home", they are not gateway
address aware, having the programming in the virus to check if a browser is
using a gateway would make the virus larger and easier to detect.
If you travel you will want to enable the Windows
Software Firewall while on the road.