No Firewall in Airport Express? Does it matter?

Discussion in 'Mac Accessories' started by superleccy, Nov 6, 2005.

  1. superleccy macrumors 6502a

    Joined:
    Oct 31, 2004
    Location:
    That there big London
    #1
    Hi

    At home, I connect my iBook to the Internet via a WDS I have set up using two Airport Expresses. My first Airport Express is acting as a WDS Main Base Station, and is connected via Ethernet cable to a Hermstedt XBridgeDSL ADSL modem/router. The other Airport Express is acting as a remote base station.

    Now, some friends of mine use one of those snazzy all-in-one Belkin boxes that combine an ADSL Modem, Router and 802.11x hotspot in a single unit. This unit also includes some sort of firewall.

    In my system, the only firewall I run is the one built into OS X, and I run it in "stealth mode". As far as I know, there isn't a firewall in my Airport Expresses nor in my Hermstedt thing. Is this a problem? If there is a firewall in my iBook, why would I need one further "upstream" in my WDS?

    FWIW, I run my WDS as a closed network with WPA2 Personal security and selective MAC filtering. I think I'm as safe as I can be. Am I?

    Regards
    Superleccy
     
  2. mkrishnan Moderator emeritus

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #2
    The Airport Express *does* have a firewall, although it does not clearly use this language. By default, all incoming traffic is blocked. The firewall settings are manipulated through the port mapping tab of the AirPort Admin Utility.

    Also, FWIW...running on WPA and running a firewall serve two essentially distinct, non-overlapping purposes. WPA prevents someone from intercepting traffic within your network, originating from your computer, inside the network, and going out, to somewhere else in your network or the internet. The firewall prevents a computer from accessing your computer via a signal that originates outside your network and comes in.

    There are a number of advantages of the hardware firewall, I guess, but the principal one in a setup like yours is that, if you open ports to do things like stream music within your network, in the software firewall of OS X, these ports remain closed to traffic originating outside your network, in the hardware firewall.
     
  3. superleccy thread starter macrumors 6502a

    Joined:
    Oct 31, 2004
    Location:
    That there big London
    #3
    Oh yeah! :) :cool:

    Thanks for pointing it out, and for your other clarifications.

    Regards
    Superleccy
     
  4. mkrishnan Moderator emeritus

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #4
    No problem. This confused me a lot when I first got mine, too. :) Like MSN and AIM tell you that you should open a bunch of network ports, and then I did, and after a while, I realized that they must not be terribly valuable, because I never opened my HW firewall, so I just closed them back up. :eek:
     
  5. portent macrumors 6502a

    Joined:
    Feb 17, 2004
    #5
    The "firewall" in most routers, including the AirPort base stations, is NAT. NAT's primary function is to allow you to have a separate IP addressing scheme on one side of the router (the side your computer is on) from the global IP addressing scheme used on the Internet. Since there are only so many IP addresses in the world, this is very helpful. You can have a dozen computers on your network with only one real IP address.

    A side effect of NAT is that the separate addresses on your side of the router are not "visible" to anyone on the outside (Internet side) of the router. This provides one-way protection against incoming connections.

    Purists will say that this is not really a firewall. Most router manufacturers say something like "NAT firewall." So does Apple, on the AirPort specs page.
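
Added example, not part of the original thread: a minimal Python model of the NAT behaviour discussed in posts #2 and #5, showing why replies get in, unsolicited traffic does not, and what a port mapping entry changes. All addresses and ports are constructed sample values, and the model assumes the router only accepts replies from the exact remote address and port the LAN host contacted, which real devices may relax.

```python
# Added illustration: a toy NAT translation table (constructed values throughout).

class NatRouter:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000
        # public_port -> (private_ip, private_port, remote_ip, remote_port)
        self.dynamic = {}
        # public_port -> (private_ip, private_port); the "port mapping" entries
        self.static = {}

    def add_port_mapping(self, public_port, private_ip, private_port):
        self.static[public_port] = (private_ip, private_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """A LAN host opens a connection; return the packet as the Internet sees it."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        for pub_port, entry in self.dynamic.items():
            if entry == flow:                      # reuse the existing translation
                return (self.public_ip, pub_port, dst_ip, dst_port)
        pub_port = self.next_port
        self.next_port += 1
        self.dynamic[pub_port] = flow
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """A packet hits the public side; return the LAN target, or None if dropped."""
        entry = self.dynamic.get(dst_port)
        if entry and entry[2:] == (src_ip, src_port):
            return entry[:2]                       # reply to a flow started inside
        if dst_port in self.static:
            return self.static[dst_port]           # explicitly mapped port
        return None                                # no translation: nowhere to send it


def demo():
    nat = NatRouter("203.0.113.7")
    sent = nat.outbound("10.0.1.2", 51000, "198.51.100.20", 443)
    results = {
        "reply": nat.inbound("198.51.100.20", 443, sent[1]),
        # Music-sharing port open in the OS X firewall, but not mapped on the router
        "unsolicited": nat.inbound("192.0.2.99", 31337, 3689),
        # A stranger aiming at the port the router allocated for the outbound flow
        "wrong_peer": nat.inbound("192.0.2.99", 31337, sent[1]),
    }
    nat.add_port_mapping(3689, "10.0.1.2", 3689)
    results["after_mapping"] = nat.inbound("192.0.2.99", 31337, 3689)
    return sent, results

if __name__ == "__main__":
    print(demo())
```

The `after_mapping` case is the one to watch: once a port is mapped on the router, the host's own firewall is the only thing still filtering that port.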
     
