Netgate Discussion Forum

Software Firewall (Firewalling)
11 Posts 4 Posters 4.6k Views
XIII:

Hi there,

I was wondering: with PF, can one do away with a software firewall?
Besides protecting you from software on the local computer and other users on the same network, is the software firewall needed? (Both home and work networks)

Thanks

-Chris Stutzman
Sys0:2.0.1: AMD Sempron 140 @2.7 1024M RAM 100GHD
Sys1:2.0.1: Intel P4 @2.66 1024M RAM 40GHD
freedns.afraid.org - Free DNS dynamic DNS subdomain and domain hosting.
Check out the pfSense Wiki
Gob:

You definitely want both!
Somebody on your network plugs in a virus-infected USB stick and, without your software firewall, you now have Conficker or something similar running rife on your network.

If I fix one more thing than I break in a day, it's a good day!
XIII:

I should have explained a little better. I'm thinking of the case where you trust everybody, or where there are very few computers. I know on a network where not everybody trusts each other, or a large one, you do want both. Or should the same apply for both small and large networks? If so, what's the best one to use in combination with pf?
danswartz:

If you install PF on a full install (not nanobsd), and install squid/havp, the clamav antivirus should do a decent job protecting PCs on your LAN.
Gob:

Even still, that only protects against internet-borne attacks (and isn't 100%). I trust all of my staff, but I don't expect them to have the same knowledge of or respect for network security. That is what the attackers play on.

What OS are your workstations running?
danswartz:

Not sure I get your point. If no virus/trojan can get in from the internet, how else? I guess maybe someone bringing in an infected laptop or whatever.
Supermule:

Exactly, or a USB stick…

@danswartz:

Not sure I get your point. If no virus/trojan can get in from the internet, how else? I guess maybe someone bringing in an infected laptop or whatever.
Gob:

Viruses can still get past the pfSense protection (squid/havp). It is not infallible (even if you can get it working!). The biggest threat is from people bringing CDs, USB sticks & emails from home into the office.
I manage 42 pfSense boxes, but we were let down when a client brought in a presentation on a USB stick, plugged it into one of our machines, and Conficker spread across 42 sites within 12 seconds.

We resolved that problem by tightening up our rules on the Windows XP firewall.

Home and enterprise are both vulnerable; it just takes longer to clean up the enterprise.
XIII:

I have a lot of users who have software firewalls but just click allow every time it asks them, so it's useless for the most part.

For the following situations:
small number of users (less than 12)
where the users don't have install rights (they are a standard user)

Or should I just go with my gut and use both, leave it up to the user, and if they mess up the software firewall's settings then so be it and charge them to fix it (no matter the network size)?

The OSes in use are XP/Win7/Ubuntu.

Also, I always use only full installs (snort/havp/squid); for mine I use both hardware and software firewalls.

@Gob should have used OpenDNS; they would have blocked DNS for your network and sent you an email about questionable network activity (at least that's what they claim).
Gob:

Ah, sounds like you are referring to a software firewall blocking outbound requests, if your users are getting prompted to allow exceptions (usually after software updates?).
You are right, these are pretty much a waste of time unless you can prevent end users from adding exceptions and you have the resources to add the checksums manually.

I would opt for just blocking inbound connections with a client firewall and use an AV product with decent HIPS detection. I find Sophos to be very good. Your built-in Windows / Ubuntu firewalls should be fine for blocking your inbound traffic.

I found OpenDNS to be unreliable at times, plus my users didn't want the OpenDNS branding in their browsers.
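Gob's two recommendations above (tightening the rules on the Windows client firewall after the USB-borne Conficker incident, and using the built-in firewall to block inbound only while leaving outbound to the AV/HIPS product) translate directly into a host firewall policy. The following script is an added example and not something posted in this thread; it uses the NetSecurity cmdlets shipped with current Windows versions rather than the Windows XP-era `netsh firewall` commands the thread's author would have used. The management subnet and the RDP exception are assumptions chosen for illustration; the `AllowLocalFirewallRules` setting only takes effect when the profile is managed through Group Policy, which is where an enterprise would set it.

```powershell
# Added example (not from the thread): default-deny inbound host firewall on a
# Windows workstation using the built-in Windows Defender Firewall cmdlets.
# Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

# Assumed placeholder (RFC 5737 documentation range); replace with your own.
$ManagementSubnet = '192.0.2.0/24'

# 1. Block inbound by default on every profile and allow outbound, as Gob suggests.
#    -NotifyOnListen False removes the "allow this program?" prompt that users
#    click through; -AllowLocalFirewallRules False (honoured when the profile is
#    delivered by Group Policy) stops locally added exceptions from being merged
#    into the effective policy, so a user-added "allow" does not take effect.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -NotifyOnListen False `
    -AllowLocalFirewallRules False

# 2. Add only explicit, scoped inbound exceptions. Conficker spread between hosts
#    over Windows file sharing (SMB, TCP 445); with default-deny inbound, that
#    port is closed to every other workstation and only listed exceptions open.
#    Assumed exception: remote desktop from the management subnet only.
New-NetFirewallRule -DisplayName 'Allow RDP from management subnet' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $ManagementSubnet -Action Allow -Profile Domain,Private

# 3. Audit: list enabled inbound allow rules that are open to any remote address.
#    An empty result means every inbound exception is scoped to a known source.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        if ($addr -eq 'Any') {
            [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = $addr }
        }
    } | Format-Table -AutoSize
```

The audit step is the part worth re-running periodically: an inbound "allow from Any" rule is exactly the kind of exception that accumulates after the software updates Gob mentions. On the Ubuntu workstations in the thread, `ufw default deny incoming` followed by explicit `ufw allow from <subnet> to any port <port>` rules gives the same default-deny-inbound shape.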
XIII:

You can change the OpenDNS branding with your own logo.

Thanks for all the input.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.