(a bit OT) firewall in the router (was "Squeezebox2")



Ken Hokugo
2005-03-09, 09:51
Dean or anyone,

Would the firewall feature in these routers (wireless or wired) be good
enough so that I can get rid of Zonealarm Pro which contributes 10 to 15%
more of CPU usage when playing Slimserver? If I could get rid of the sw
based firewall, that would be great.

I have never tried the firewall in my current wireless router (D-Link) as
when I tried it once, internet connection was just totally shut down (I was
too lazy to explore as I have Zonealarm already). Any tip to use this
feature would be much appreciated also.

Thanks in advance.

Ken

From: dean blackketter <dean (AT) slimdevices (DOT) com>
Reply-To: Slim Devices Discussion <discuss (AT) lists (DOT) slimdevices.com>
To: Slim Devices Discussion <discuss (AT) lists (DOT) slimdevices.com>
Subject: [slim] Squeezebox2
Date: Wed, 9 Mar 2005 07:57:26 -0800


On Mar 9, 2005, at 7:05 AM, Ken Hokugo wrote:
>PS: will someone point me to the "right" 802.11g wireless router? I have to
>get one first.
>
I've been really happy with my Belkin Pre-N router, the improvement in range
using the MIMO technology is impressive. I was able to take down three
access points scattered around the house and replace it with one Belkin in
the basement for significantly improved range/performance.

Not cheap ($129USD) but highly recommended.

ron thigpen
2005-03-09, 10:05
Ken Hokugo wrote:
> Dean or anyone,
>
> Would the firewall feature in these routers (wireless or wired) be good
> enough so that I can get rid of Zonealarm Pro which contributes 10 to
> 15% more of CPU usage when playing Slimserver? If I could get rid of
> the sw based firewall, that would be great.

the short answer is that there is good reason to use both the features
of your router firewall at the network edge, _and_ software protection
on the machines inside your LAN. the reason is that each can protect
from different threats.

the edge firewall will close off ports, can drop packets for some well
known attacks (SYN, et al.) and just generally keep net-scanners at bay.

the s/w firewall can do some or all of the above, but also protect you
from downloaded components that may be trying to send data. zone alarm
pro is particularly good at this. it can also help keep a virus from
spreading inside your LAN.

as far as the CPU issue with ZAP, have you tried making configuration
changes that might keep it from inspecting the SS/SB packets so
aggressively? i don't have any specific recommendations off the top of
my head, but i do know that ZAP has some very granular settings for
trust that can be based on program, IP, port, protocol, etc. i'd guess
you could get it to stand down somewhat w/r/t this traffic.

--rt

Phil Karn
2005-03-09, 20:35
Ken Hokugo wrote:
> Dean or anyone,
>
> Would the firewall feature in these routers (wireless or wired) be good
> enough so that I can get rid of Zonealarm Pro which contributes 10 to
> 15% more of CPU usage when playing Slimserver? If I could get rid of
> the sw based firewall, that would be great.

A particularly powerful and flexible firewall is a Linux box with
multiple Ethernet interfaces. If you'd rather not dedicate a full-blown
PC to the job, Soekris Engineering (www.soekris.com) makes a line of
single-board PC-compatible machines specifically designed as network
engines. They come without any software, so you have to roll your own,
but there are many people who can help you.

I have a Soekris net4801 acting as my primary router. It provides QoS
(Quality of Service) in the upstream direction to my DSL line, along
with DHCP, IPv6 routing/tunneling and IPv4 NAT for any local machines
that need it.

Except for the filtering inherent in a NAT, it doesn't actually filter
any packets because I basically don't believe in firewalls; I'd much
rather just keep my individual machines as secure as possible.
Basically, that means banning anything and everything from Microsoft;
we're in the process of getting rid of the very last Windows machine on
our network (my wife's desktop) and replacing it with an iMac. The
combination of Mac OS X on the desktop and Linux on servers can do
pretty much everything Windows can do, and do it a whole lot better and
with far better security.

Phil

Jack Coates
2005-03-09, 21:21
Phil Karn wrote:
> Ken Hokugo wrote:
>
>> Dean or anyone,
>>
>> Would the firewall feature in these routers (wireless or wired) be
>> good enough so that I can get rid of Zonealarm Pro which contributes
>> 10 to 15% more of CPU usage when playing Slimserver? If I could get
>> rid of the sw based firewall, that would be great.
>
>
> A particularly powerful and flexible firewall is a Linux box with
> multiple Ethernet interfaces. If you'd rather not dedicate a full-blown
> PC to the job, Soekris Engineering (www.soekris.com) makes a line of
> single-board PC-compatible machines specifically designed as network
> engines. They come without any software, so you have to roll your own,
> but there are many people who can help you.
>

http://leaf.sourceforge.net provides a number of very nice pre-rolled
Linux firewall distributions which are well-suited for use on Soekris.

--
Jack at Monkeynoodle dot Org: It's a Scientific Venture...
Riding the Emergency Third Rail Power Trip since 1996!

Mr Nõu
2005-03-10, 01:39
Jack Coates wrote:
> Phil Karn wrote:
>
>
> http://leaf.sourceforge.net provides a number of very nice pre-rolled
> Linux firewall distributions which are well-suited for use on Soekris.
>

I particularly want to mention the m0n0wall-project,
[http://m0n0.ch/wall/], specifically designed to run on embedded
firmware. I, and many like me, run it on discarded Pentium machines with
no hard drive, and next to no memory. (Boot from CD-ROM, config file on
diskette) with great satisfaction and speed. I always keep a few of those
garbage bin collectibles for need of potential spare parts. And now one
is biding its time as a free (cost-wise) important building block in the
home network topology.

/peter

Kevin O. Lepard
2005-03-10, 04:42
The new Squeezebox2 looks great (though I still want one with a VFD
that's about twice as tall).

I'm a little concerned/disappointed that this may mean that the
"promised" features of client-side FLAC decoding and WPA are never
going to be implemented for Squeezebox1.

Is this the case now? Say it ain't so.

Kevin
--
Kevin O. Lepard
kolepard (AT) charter (DOT) net

Happiness is being 100% Microsoft free.

kdf
2005-03-10, 05:06
Quoting "Kevin O. Lepard" <kolepard (AT) charter (DOT) net>:

> The new Squeezebox2 looks great (though I still want one with a VFD
> that's about twice as tall).
>
> I'm a little concerned/disappointed that this may mean that the
> "promised" features of client-side FLAC decoding and WPA are never
> going to be implemented for Squeezebox1.
>
> Is this the case now? Say it ain't so.

it was never promised. the official phrase used was more like 'under
investigation'. several users later turned this into a promise. I know
because I pointed this out a few times early on...then gave up :)

I don't recall specifics on the WPA, but it would not have been a leap to expect
that to require new hardware as the original nic was limited in capability.

-kdf

Kevin O. Lepard
2005-03-10, 06:29
> > I'm a little concerned/disappointed that this may mean that the
>> "promised" features of client-side FLAC decoding and WPA are never
>> going to be implemented for Squeezebox1.
>>
>> Is this the case now? Say it ain't so.
>
>it was never promised.

That's why I used the word in quotations. I'm not accusing anyone of
not delivering on an actual promise. I just had the impression that
those things were going to be available on my Squeezebox 1, and I was
looking forward to them. Pity.

Kevin
--
Kevin O. Lepard
kolepard (AT) charter (DOT) net

Happiness is being 100% Microsoft free.

Larry Truesdale
2005-03-10, 08:30
Sean confirmed in another thread that native FLAC for SB1 isn't likely
to ever happen.

Larry


On Thu, 10 Mar 2005 05:29:18 -0800, Kevin O. Lepard
<kolepard (AT) charter (DOT) net> wrote:
> > > I'm a little concerned/disappointed that this may mean that the
> >> "promised" features of client-side FLAC decoding and WPA are never
> >> going to be implemented for Squeezebox1.
> >>
> >> Is this the case now? Say it ain't so.
> >
> >it was never promised.
>
> That's why I used the word in quotations. I'm not accusing anyone of
> not delivering on an actual promise. I just had the impression that
> those things were going to be available on my Squeezebox 1, and I was
> looking forward to them. Pity.
>
> Kevin
> --
> Kevin O. Lepard
> kolepard (AT) charter (DOT) net
>
> Happiness is being 100% Microsoft free.
>