Usually routers protect your network by virtue of the fact that (apart from pinholed traffic like your ssh opening) NAT stops incoming traffic.
Firewalls can do more than stop incoming traffic. Some firewalls, for example, stop outgoing traffic on certain ports or to certain addresses. This can stop or limit spyware and other "report to base" trojanny things. In other words NAT != firewall. But at the same time many, even most, people with a broadband connection successfully rely on nothing more. Of course that relies on your router not being vulnerable. Some are, the rest are too, but no one has found the vulnerability yet. Then again the vogons are going to blow up the earth on April 29 so who gives a monkey's!

On Thu, 21 Apr 2005 04:22:51 +0100 (BST) Andrew Errington wrote:

> I'm expecting the answer no.
>
> I have a 24/7 connection to the net. My router has port 22 open, and
> that's all. Port 22 is directed to a server on my network, which has
> sshd set up with various recommended restrictions in its config (such
> as no root login, limited account names permitted etc.).
>
> I guess a firewall could protect other machines on the network, but
> that's what the router is for. The other machines are laptops anyway,
> so they need their own local protection as they may or may not be at
> home. If I *did* have a firewall it would be on another machine, but
> then, the router does that.
>
> Should I be running ipchains/iptables/whatever locally (on the server,
> because it's on 24/7, and on the laptops because they might be plugged
> in to someone else's network). If so, why? And why would I need that on
> top of locking down sshd on the only open port?
>
> Comments please,
>
> Andy

--
Nick Rout
Barrister & Solicitor
Christchurch
<http://www.rout.co.nz>
<[EMAIL PROTECTED]>
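The point above about stopping outgoing traffic, as an added example that is not part of the original thread: a POSIX shell function that prints an iptables-restore ruleset for the always-on SSH server, dropping by default in both directions and allowing only inbound SSH plus a short egress allowlist. The function names, the DNS rule and the port choices are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): print an iptables-restore ruleset for
# the always-on SSH host. Assumed: sshd on the given TCP port, egress limited
# to DNS and the listed TCP ports; DHCP, NTP, ICMP and IPv6 are not covered.

valid_port() {  # true only for an integer in 1..65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

gen_ruleset() {  # usage: gen_ruleset <ssh_port> <egress_tcp_ports_csv>
    ssh_port=$1
    egress=$2
    valid_port "$ssh_port" || { echo "bad ssh port: $ssh_port" >&2; return 1; }
    # Digits and single commas only, so nothing else can reach the rule text.
    case "$egress" in
        ''|*[!0-9,]*|,*|*,|*,,*) echo "bad egress list: $egress" >&2; return 1 ;;
    esac
    old_ifs=$IFS; IFS=,
    for p in $egress; do
        valid_port "$p" || { IFS=$old_ifs; echo "bad egress port: $p" >&2; return 1; }
    done
    IFS=$old_ifs
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports $egress -j ACCEPT
-A OUTPUT -j LOG --log-prefix "egress-drop: "
COMMIT
EOF
}

# Print the ruleset for SSH on 22 with web-only egress (constructed values).
gen_ruleset 22 "80,443"
```

Piping the output to `iptables-restore --test` as root parses the rules without committing them.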
