Thread: Firewall
21-01-07, 05:20 AM   #14
timwilky
Member
Mega Poster
Join Date: Mar 2004
Location: Not in Yorkshire. (Thank God)
Posts: 4,116
My opinion, for what it is worth, is: get rid of any firewall on your Windoze systems. They interfere with the smooth operation (is that possible?) of the OS and give you a false sense of security. Then install a hardware firewall (for home use, I prefer Netgear stuff) at your network connection.

I spent 10 years implementing and enforcing my company's security policy and architecture. A firewall is only any good if you manage it. You need to know how to read/analyse the logs, understand the rule set you have applied and be rigorous in enforcement. I don't have default service-out policies. I define all outgoing services and sources just as I do with incoming traffic. My default rule sets are always deny rules.

A firewall is more than a NAT device. It is an intelligent filter that uses stateful inspection to decide what is a valid connection. I am always suspicious of SSH traffic as I have no knowledge of what may be tunnelled. P2P I stamp on. There is never a good reason for it.

So know your traffic patterns. For most homes a few simple rules to permit outgoing HTTP/HTTPS/SMTP/POP3/IMAP should suffice with default deny policies. The stateful inspection should then permit reply packets to established connections and all in the garden should be rosy. Once you start hosting services and have to open incoming rules, think carefully about what you are doing.

Anyone with an old PC who wants to learn about implementing firewalls, I suggest you have a look at the Smoothwall project. Install the superkernel and have control of your network firewall policies.
__________________
Not Grumpy, opinionated.
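An added example, not from timwilky's post: a default-deny, stateful iptables ruleset for a small Linux home gateway along the lines described above, permitting only the listed outgoing services from a named LAN source. Interface names, the LAN subnet and the DNS rule are assumptions; set IPT=echo to preview the rules without applying them.

```shell
#!/bin/sh
# Default-deny, stateful iptables policy for a small Linux home gateway.
# Assumptions (placeholders, adjust to your network): WAN on eth0, LAN on
# eth1, LAN subnet 192.168.1.0/24. Set IPT=echo to preview the rules
# instead of applying them; run as root with "apply" as the argument.
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

apply_firewall() {
    # Default deny in every direction: nothing passes unless listed below.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -F
    $IPT -t nat -F
    # Loopback is always local.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Stateful inspection: reply packets to connections we opened are
    # accepted; packets that match no known connection are dropped.
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        $IPT -A "$chain" -m conntrack --ctstate INVALID -j DROP
    done
    # Explicit outgoing services from the LAN source only (no default
    # service-out policy): http, https, smtp, pop3, imap, plus the DNS
    # they all depend on (DNS is an addition to the post's list).
    for port in 80 443 25 110 143; do
        $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p udp --dport 53 \
        -m conntrack --ctstate NEW -j ACCEPT
    # Log what the default policy is about to drop, rate-limited, so the
    # logs can actually be read and analysed.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    # NAT is a side job, not the security control.
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

if [ "${1:-}" = "apply" ]; then
    apply_firewall
fi
```

Anything not matched, including SSH or P2P from the LAN, falls through to the rate-limited LOG rule and then the FORWARD DROP policy, which is where the logs to read come from.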