Posted

I am working on getting my media PC up and running and getting it prepared to be put into service. I plan on having this in my network's DMZ so I figure I'll need a good firewall. I'm interested in something that blocks EVERYTHING except what ports I want open. It has Win XP Pro SP3 and 1GB RAM if that helps.


Posted

Trippie, I have an HTPC in my home network too. Because sometimes I go to friends' houses and we'd like to see a movie from my HTPC, I've set it up behind a Cisco router and forwarded only the relevant ports in Cisco's firewall (although nowadays any router has some sort of firewall built-in, making it appropriate for the job). Another security measure was playing with NTFS permissions and making all the movies read-only. There's no need to set up the HTPC in DMZ, because there are too many ports to close (about all of them, except the ones that VLC connects to). Hope this helps you a bit.

nitroshift

Posted

There's no need to set up the HTPC in DMZ

I don't see why he'd want to do that in the first place. It makes no sense to me. My HTPC happily sits behind my router, and if I wanted to "expose" something (and not via VPN) then I'd just forward the necessary port(s).

Posted

There's no need to set up the HTPC in DMZ

I don't see why he'd want to do that in the first place. It makes no sense to me. My HTPC happily sits behind my router, and if I wanted to "expose" something (and not via VPN) then I'd just forward the necessary port(s).

Exactly my point.

Posted

It was my understanding that if I set up the PC in the DMZ, both the wired and wireless clients could see it. :unsure:

Connection type doesn't make any difference at all.

Posted

It was my understanding that if I set up the PC in the DMZ, both the wired and wireless clients could see it. :unsure:

No, that would work fine in any regular port, unless you went out of your way to enable some option like AP isolation to "isolate" your wifi clients from everything else (shouldn't be an issue so long as your wifi is reasonably well secured, i.e. using WPA or similar).

DMZ means that ~100% of web traffic (hackers, script kiddies, network-spreading viruses and all) would go right to your HTPC and that's about it. It would be directly exposed to the internet, without any protection from the router. So your question sounded like "how can I plug my HTPC (for no particular reason) in a very unsecure manner, and then add a firewall?" which seemed a bit odd for sure.

Edit: darn. Beat to it by a minute or so :lol:
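Added example, not part of any post in this thread: a small Python check of the point made above, comparing what the router would pass to the HTPC as DMZ host versus with a single forwarded port. The `netstat -an` sample, the 192.168.1.50 address and the forwarded TCP port 8080 are constructed assumptions; a host firewall on the PC is a separate layer that this does not model.

```python
import re

# Constructed sample of `netstat -an` output from a Windows HTPC (not from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
  TCP    192.168.1.50:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.50:1045      192.168.1.20:445       ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.50:137       *:*
"""

# proto, local address, local port, foreign address, optional state (UDP has none)
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def listeners(netstat_text):
    """Return {(proto, port)} for sockets accepting traffic on a non-loopback address."""
    found = set()
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # headers and blank lines
        proto, addr, port, _foreign, state = m.groups()
        if addr.startswith("127."):
            continue  # loopback-only services are not reachable from the network
        if proto == "TCP" and state != "LISTENING":
            continue  # skip established/outbound connections
        found.add((proto, int(port)))
    return found


def exposure(netstat_text, forwarded):
    """Ports the router lets the internet reach in each setup."""
    open_ports = listeners(netstat_text)
    return {
        # DMZ host: every unsolicited inbound packet is handed to this PC.
        "dmz_host": sorted(open_ports),
        # Port forwarding: only the listed (proto, port) pairs get through.
        "port_forward": sorted(open_ports & set(forwarded)),
    }


if __name__ == "__main__":
    for setup, ports in exposure(SAMPLE_NETSTAT, {("TCP", 8080)}).items():
        print(setup, ports)
```

Run against real `netstat -an` output from the HTPC, the `dmz_host` list is the set of services that would be left facing the internet, which is why forwarding only the needed port is the smaller exposure.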

Posted

OK, that makes sense. But as it stands, there may already be an isolation setting enabled in the router, because wireless and wired clients can't access each other, but each type can go online.

Posted

there may already be an isolation setting enabled in the router, because wireless and wired clients can't access each other, but each type can go online

What router (or 3rd party firmware)? Because by default they should see each other.

Posted

Not using third party fw yet, although I do intend to at some point... due to some strange cross-manufacturer configuration issue which blocks connection to the Quake 3 master server. I first encountered this problem with my old D-Link, where if you try to connect to Q3, it resets the router. DD-WRT fixed it on that one, but my current router does the same thing.

Currently I have Linksys WRT400N using whatever fw it came with.

SPI firewall is enabled and the only Filter option set is IDENT port 113. It should be mostly at default settings, except that I have both bands (N and G) set up with WPA2-AES. I can see that both WLAN and LAN clients all get IPs in the same subnet, so they should be able to communicate. AP Isolation is set for Disabled on both bands.

Posted

I hope the firmware isn't as ghetto as the WRT160N v3 I've got here (it's got to be one of the worst I've ever seen).

Anyway. AP isolation is disabled by default on it, but I'd have a look at it under wireless > advanced. This is most likely the reason.
