
superleccy

Hi

At home, I connect my iBook to the Internet via a WDS I have set up using two Airport Expresses. My first Airport Express is acting as a WDS Main Base Station, and is connected via Ethernet cable to a Hermstedt XBridgeDSL ADSL modem/router. The other Airport Express is acting as a remote base station.

Now, some friends of mine use one of those snazzy all-in-one Belkin boxes that combine an ADSL Modem, Router and 802.11x hotspot in a single unit. This unit also includes some sort of firewall.

In my system, the only firewall I run is the one built into OS X, and I run it in "stealth mode". As far as I know, there isn't a firewall in my Airport Expresses nor in my Hermstedt thing. Is this a problem? If there is a firewall in my iBook, why would I need one further "upstream" in my WDS?

FWIW, I run my WDS as a closed network with WPA2 Personal security and selective MAC filtering. I think I'm as safe as I can be. Am I?

Regards
Superleccy
 
The Airport Express *does* have a firewall, although it does not clearly use this language. By default, all incoming traffic is blocked. The firewall settings are manipulated through the port mapping tab of the airport admin utility.

Also, FWIW...running on WPA and running a firewall serve two essentially distinct, non-overlapping purposes. WPA prevents someone from intercepting traffic within your network, originating from your computer, inside the network, and going out, to somewhere else in your network or the internet. The firewall prevents a computer from accessing your computer via a signal that originates outside your network and comes in.

There are a number of advantages of the hardware firewall, I guess, but the principal one in a setup like yours is that, if you open ports to do things like stream music within your network, in the software firewall of OS X, these ports remain closed to traffic originating outside your network, in the hardware firewall.
 
mkrishnan said:
The Airport Express *does* have a firewall, although it does not clearly use this language. By default, all incoming traffic is blocked. The firewall settings are manipulated through the port mapping tab of the airport admin utility.

Oh yeah! :) :cool:

Thanks for pointing it out, and for your other clarifications.

Regards
Superleccy
 
No problem. This confused me a lot when I first got mine, too. :) Like MSN and AIM tell you that you should open a bunch of network ports, and then I did, and after a while, I realized that they must not be terribly valuable, because I never opened my HW firewall, so I just closed them back up. :eek:
 
The "firewall" in most routers, including the AirPort base stations, is NAT. NAT's primary function is to allow you to have a separate IP addressing scheme on one side of the router (the side your computer is on) from the global IP addressing scheme used on the Internet. Since there are only so many IP addresses in the world, this is very helpful. You can have a dozen computers on your network with only one real IP address.

A side effect of NAT is that the separate addresses on your side of the router are not "visible" to anyone on the outside (Internet side) of the router. This provides one-way protection against incoming connections.

Purists will say that this is not really a firewall. Most router manufacturers say something like "NAT firewall." So does Apple, on the AirPort specs page.
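
Added example, not part of any poster's reply: a toy Python model of the NAT behaviour described in this thread, showing why a reply to an outbound connection gets back in, why an unsolicited inbound packet is dropped even if the Mac's own firewall has that port open, and what a port-mapping entry changes. The class name, addresses, ports and the strict "remote endpoint must match" rule are assumptions for illustration; real routers differ in how strictly they match.

```python
# Toy model of a NAT router. All addresses and ports are constructed samples.
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"  # constructed: the router's single Internet-side address


@dataclass
class NatRouter:
    next_port: int = 40000
    # public_port -> (private_ip, private_port, remote_ip, remote_port)
    flows: dict = field(default_factory=dict)
    # public_port -> (private_ip, private_port): static entries, as on a port-mapping tab
    port_maps: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """A LAN host opens a connection: rewrite the source, remember the flow."""
        pub_port = self.next_port
        self.next_port += 1
        self.flows[pub_port] = (src_ip, src_port, dst_ip, dst_port)
        return (PUBLIC_IP, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """A packet arrives on the public address: forward to a LAN host or drop."""
        flow = self.flows.get(dst_port)
        # Assumption: only the remote endpoint we contacted may answer the flow.
        if flow and flow[2:] == (src_ip, src_port):
            return ("forward", flow[0], flow[1])
        if dst_port in self.port_maps:
            return ("forward", *self.port_maps[dst_port])
        return ("drop", None, None)  # no LAN host asked for this traffic


def demo():
    router = NatRouter()
    # The laptop (constructed private address) browses to a web server.
    out = router.outbound("10.0.1.2", 51515, "198.51.100.7", 443)
    results = {"reply": router.inbound("198.51.100.7", 443, out[1])}
    # A stranger probes port 3689, which is open in the laptop's software firewall
    # for music sharing on the LAN. The router has no mapping for it.
    results["unsolicited"] = router.inbound("192.0.2.99", 4444, 3689)
    # Only after an explicit port mapping does the same probe reach the laptop.
    router.port_maps[3689] = ("10.0.1.2", 3689)
    results["mapped"] = router.inbound("192.0.2.99", 4444, 3689)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```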
 