Machine firewalls on or off?

Percival

Hello everyone

I'm on the brink of setting up a home network as soon as my telephone
company have confirmed that I can have ADSL. I'm going to get a wireless
router to allow me to connect machines via cable or wirelessly. I realise
that the router has a firewall and assume that this is configured using
software installed onto one of the machines that's connected to it.

First question: is this correct?

Secondly, if I allow access to a particular site, so set this in the router,
could I prevent one or more of the machines connected to the router
accessing the site by having the firewall on the PC/laptop turned on and
blocking that particular site?

Thirdly, if I want to be able to access each of the machines at home from
each other, I realise that the IP addresses will start 192.168.xxx.xxx (as
the posts on this NG always indicate that this is so) so I assume that the
firewalls on each of the machines will have to have each others IP addresses
as "accepted", otherwise the machine firewall will reject the request for
information?

Finally, if I'm away from home and want to test the system to see if I can
ping machine #1 at home, how can I be sure that THIS machine is the one
that's responding? There are likely to be MANY, MANY machines connected at
any one time on home networks, each with the same IP address (as implied
above - there are only a finite number of IPs starting with 192.168). The
extension to this is that I may wish to access information on any of the
four home machines from another machine - say at my office - how would I go
about that?

I know that it's usual practice to ask only one question at a time in these
NG but these are so closely related that I hope that no-one minds and
someone is able to answer my (seemingly) complicated questions. Complicated
to me, but not to you experts!

Thanks for your time and patience.

Percival
 
Richard G. Harper

Responses inline:

--
Richard G. Harper [MVP Win9x] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm


Percival said:
> Hello everyone
>
> I'm on the brink of setting up a home network as soon as my telephone
> company have confirmed that I can have ADSL. I'm going to get a wireless
> router to allow me to connect machines via cable or wirelessly. I realise
> that the router has a firewall and assume that this is configured using
> software installed onto one of the machines that's connected to it.
>
> First question: is this correct?

Yes, pretty much. Many routers use a Web interface so you can use Internet
Explorer on any computer to configure them, but if not the router will come
with its own program to configure it.

> Secondly, if I allow access to a particular site, so set this in the router,
> could I prevent one or more of the machines connected to the router
> accessing the site by having the firewall on the PC/laptop turned on and
> blocking that particular site?

Normally, a firewall does not block access to Web sites. Many software
firewalls also have a site blocker offered as part of the full package you
install.

> Thirdly, if I want to be able to access each of the machines at home from
> each other, I realise that the IP addresses will start 192.168.xxx.xxx (as
> the posts on this NG always indicate that this is so) so I assume that the
> firewalls on each of the machines will have to have each others IP addresses
> as "accepted", otherwise the machine firewall will reject the request for
> information?

This won't happen and there's no way you can make it happen. You can
configure most routers to allow access to one PC from outside the network
but that's a very risky proposition since the PC thus exposed is also
exposed and visible to any passing hacker, cracker or bad guy. But even so
you can only make one PC visible to the outside world, not several or many.
Just one.

> Finally, if I'm away from home and want to test the system to see if I can
> ping machine #1 at home, how can I be sure that THIS machine is the one
> that's responding? There are likely to be MANY, MANY machines connected at
> any one time on home networks, each with the same IP address (as implied
> above - there are only a finite number of IPs starting with 192.168). The
> extension to this is that I may wish to access information on any of the
> four home machines from another machine - say at my office - how would I go
> about that?

Ain't a-gonna happen for the same reason as above.

> I know that it's usual practice to ask only one question at a time in these
> NG but these are so closely related that I hope that no-one minds and
> someone is able to answer my (seemingly) complicated questions. Complicated
> to me, but not to you experts!

Glad to be able to help out.
 
Percival

Thank you Richard for your prompt and comprehensive responses. I just hope
that my telephone line will support ADSL as I'm yearning to get into this
new field. I really enjoy a challenge - but I might be back asking
questions if I end up hitting my head against a brick wall!
 
Bob Willard

Percival wrote:

> Thirdly, if I want to be able to access each of the machines at home from
> each other, I realise that the IP addresses will start 192.168.xxx.xxx (as
> the posts on this NG always indicate that this is so) so I assume that the
> firewalls on each of the machines will have to have each others IP addresses
> as "accepted", otherwise the machine firewall will reject the request for
> information?

If each of the PCs on your home LAN has a firewall app of its own (apart
from the firewall capabilities of your router), then you need to add the IPA
of each other PC to the Trusted Zone of each PC's firewall. The easiest
way is to simply add a range of IPAs to your firewall, such as
192.168.0.0-192.168.0.255, to the Trusted Zone. (After adding IPAs,
don't forget to click on the Apply button if your firewall has one, or
it will think you took it back.)

By the way, I don't think I disagree with "Richard G. Harper" on this;
I think that he and I interpreted your question differently.
 
Percival

Thank you for the response. I thought that I'd have to allow each other
access explicitly by "allowing" specific IP addresses or ranges.

BTW, I think that I may have missed something, but why are the addresses
192.168..... used? Is it just that the "authorities" (whomsoever they may
be!) have decided to allow these to be used on home networks? I suspect
that this is the case, otherwise I could choose an address or range at
random which conflicted with someone else and, who knows, I might stumble
across the IP address of Britain's Prime Minister or the King of Spain which
might bring the Police to my door!
 
Bob Willard

Percival said:
> Thank you for the response. I thought that I'd have to allow each other
> access explicitly by "allowing" specific IP addresses or ranges.
>
> BTW, I think that I may have missed something, but why are the addresses
> 192.168..... used? Is it just that the "authorities" (whomsoever they may
> be!) have decided to allow these to be used on home networks? I suspect
> that this is the case, otherwise I could choose an address or range at
> random which conflicted with someone else and, who knows, I might stumble
> across the IP address of Britain's Prime Minister or the King of Spain which
> might bring the Police to my door!

The choice of 192.168.*.* may have been random, but it has acquired a
very useful attribute: that range of IPAs (and a few others) are
non-routable, which guarantees that PCs (and RCs) on LANs behind
routers are invisible from the WAN side (the web side) of the router.
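
An added example, not part of any post in this thread: a Python check of a trusted-zone range like the 192.168.0.0-192.168.0.255 one suggested above, confirming that it stays inside the private (RFC 1918) blocks before it is typed into a PC firewall. The function names and the sample addresses are constructed for illustration.

```python
import ipaddress

# Private (non-routable) IPv4 blocks from RFC 1918; the thread discusses 192.168.x.x.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_trusted_range(first, last):
    """Check a start-end range as typed into a firewall's trusted zone.

    Returns (cidr_blocks, address_count, blocks_outside_private_space).
    Raises ValueError if the range is reversed or malformed.
    """
    nets = list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    outside = [n for n in nets if not any(n.subnet_of(p) for p in RFC1918)]
    return nets, sum(n.num_addresses for n in nets), outside

def classify(source, trusted_nets):
    """Label a connection source the way the trusted-zone rule would treat it."""
    addr = ipaddress.IPv4Address(source)
    if any(addr in n for n in trusted_nets):
        return "trusted"
    if any(addr in p for p in RFC1918):
        return "private-untrusted"   # another LAN subnet, not covered by the rule
    return "public"                  # Internet address, left to the normal rules

if __name__ == "__main__":
    # The range from the post, then a constructed one-digit typo of it.
    for first, last in [("192.168.0.0", "192.168.0.255"),
                        ("192.168.0.0", "192.169.0.255")]:
        nets, count, outside = audit_trusted_range(first, last)
        print(f"{first}-{last}: {count} addresses, blocks {[str(n) for n in nets]}")
        for n in outside:
            print(f"  WARNING: {n} is not private address space")

    trusted, _, _ = audit_trusted_range("192.168.0.0", "192.168.0.255")
    # Constructed sample sources, not taken from any real log.
    for src in ("192.168.0.12", "192.168.1.40", "203.0.113.9"):
        print(src, "->", classify(src, trusted))
```

The second range shows the failure worth catching: one wrong digit in the end address makes the rule trust a block of public Internet addresses as well as the LAN.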
 
Percival

> The choice of 192.168.*.* may have been random, but it has acquired a
> very useful attribute: that range of IPAs (and a few others) are
> non-routable, which guarantees that PCs (and RCs) on LANs behind
> routers are invisible from the WAN side (the web side) of the router.

Oh, I see. That's good news. Better get on and configure the home network
ASAP then!
 
