Why you should always have a good software firewall on your PC
Many newbies believe that once they have a firewall on their router they don’t need a software firewall installed on their PC(s) – this is wrong in most cases.
Here is an illustration:
Description, from the top down (the actual order of the DMZ, router firewall and NAT is not important, since they all work together – the principle remains the same):
Router’s firewall
If your router's firmware includes a firewall and it is enabled, you have a firmware firewall on the router. This firewall only checks incoming data packets – outgoing data passes through unchecked. The firmware firewall performs basic checks for common forms of attack.
DMZ (Demilitarized Zone)
Next, if you have the DMZ enabled, it sends any data it cannot identify to the ‘exit’ (called the ‘Host IP Address’). This exit can be a non-existent IP such as 10.0.0.200 (in which case the data is discarded) or it can point to a PC (or another device connected to the router). The idea behind the DMZ is that it is supposed to be a sort of middle ground between the Internet and your LAN.
NAT (Network Address Translation)
The NAT is like a sorting office – it performs basic checks like ‘to address’ and ‘from address’ – anything it doesn’t know where to put, it will discard. It doesn’t look for malicious or potentially harmful data; it just tries to pigeonhole the data packets. An analogy: it’s like the sorting office of a big company, which takes an external address and delivers the item to an internal address (like a room number).
Then to the sides you have your (firewall) policies and port forwards (also called virtual servers). The idea here is that you can bypass the router’s firewall, DMZ and NAT by using them.
Policies are like basic rules saying allow/don’t allow this type of data to go to this address – they aren’t very flexible.
Port forwards only apply to inbound data, allowing the data to go to any one PC (or another device connected to the router) or to a non-existent IP such as 10.0.0.200 (where it is discarded).
As you can see, the only point at which anything outbound is checked is the software firewall on your PC. In theory you could set up an outbound policy to block certain ports or protocols, but that is nowhere near as good as a proper, flexible and intelligent software firewall.
We recommend you use a good software firewall, regardless of your router setup.
It is the only way to prevent software on your PC from trying to contact the Internet, and a good way of isolating PCs on a LAN, so that if you have an infected PC on your LAN it won’t infect the others.
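To make the layered description above concrete (router firewall, NAT, DMZ host and port forwards on the inbound side; the software firewall as the only outbound check, plus LAN isolation), here is a small model of that traffic flow written for this article. It is added example code, not anything from the original page or from any router or firewall product. All addresses are constructed (RFC 5737 test ranges for the Internet side, a 10.0.0.0/24 LAN), the class and function names are my own, and the router logic is deliberately simplified to the behaviour the text describes: the firmware firewall only does a crude inbound check, NAT only matches replies to connections opened from inside, unmatched inbound traffic goes to the DMZ host, and the host firewall is stateful with a default-deny outbound allow-list.

```python
# Toy model of the layers in the diagram: router firmware firewall, NAT, DMZ,
# port forwards, and a software firewall on each PC. Constructed for this
# article; every address below is made up (RFC 5737 ranges + a private LAN).
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


LAN_PREFIX = "10.0.0."          # constructed LAN, 10.0.0.0/24


def on_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


@dataclass
class HostFirewall:
    """Software firewall on one PC: the only layer that inspects outbound traffic."""
    allowed_out_ports: frozenset = frozenset({53, 80, 443})  # outbound allow-list (default deny)
    listening_ports: frozenset = frozenset()                  # inbound services this PC exposes
    isolate_lan: bool = True                                  # drop PC-to-PC traffic on the LAN
    established: set = field(default_factory=set)             # (remote_ip, remote_port) this PC opened

    def outbound(self, pkt: Packet) -> bool:
        if self.isolate_lan and on_lan(pkt.dst):
            return False                          # an infected PC cannot reach its neighbours
        if pkt.dport in self.allowed_out_ports:
            self.established.add((pkt.dst, pkt.dport))
            return True
        return False                              # unknown program/port: blocked here, nowhere else

    def inbound(self, pkt: Packet) -> bool:
        if (pkt.src, pkt.sport) in self.established:
            return True                           # reply to a connection this PC opened
        if self.isolate_lan and on_lan(pkt.src):
            return False
        return pkt.dport in self.listening_ports


@dataclass
class Router:
    hosts: dict                                   # LAN ip -> HostFirewall, or None (no software firewall)
    port_forwards: dict = field(default_factory=dict)   # WAN port -> LAN ip ("virtual server")
    dmz_host: str = "10.0.0.200"                  # default 'exit': non-existent, so DMZ traffic is discarded
    nat_table: set = field(default_factory=set)   # (lan_ip, remote_ip, remote_port) opened from inside

    def send_out(self, pkt: Packet) -> tuple:
        """A LAN PC sends a packet. Returns (verdict, layer that decided)."""
        fw = self.hosts.get(pkt.src)
        if fw is not None and not fw.outbound(pkt):
            return ("dropped", "software firewall on " + pkt.src)
        if on_lan(pkt.dst):
            # LAN-to-LAN traffic never touches the router firewall or NAT at all.
            dst_fw = self.hosts.get(pkt.dst)
            if dst_fw is not None and not dst_fw.inbound(pkt):
                return ("dropped", "software firewall on " + pkt.dst)
            return ("delivered", pkt.dst)
        # The router firewall checks nothing outbound; NAT just records the mapping.
        self.nat_table.add((pkt.src, pkt.dst, pkt.dport))
        return ("forwarded", "NAT (outbound unchecked)")

    def receive_in(self, pkt: Packet) -> tuple:
        """A packet arrives from the Internet on the router's WAN side."""
        # 1. Firmware firewall: a basic check only, e.g. a private source address from outside.
        if on_lan(pkt.src):
            return ("dropped", "router firewall")
        # 2. NAT: replies to connections opened from inside go back to that PC.
        for lan_ip, remote_ip, remote_port in self.nat_table:
            if (remote_ip, remote_port) == (pkt.src, pkt.sport):
                return self._to_host(pkt, lan_ip, "NAT")
        # 3. Port forward (virtual server) for this destination port.
        if pkt.dport in self.port_forwards:
            return self._to_host(pkt, self.port_forwards[pkt.dport], "port forward")
        # 4. Anything the router cannot identify goes to the DMZ host.
        return self._to_host(pkt, self.dmz_host, "DMZ")

    def _to_host(self, pkt: Packet, lan_ip: str, layer: str) -> tuple:
        if lan_ip not in self.hosts:
            return ("discarded", layer + " -> non-existent " + lan_ip)
        fw = self.hosts[lan_ip]
        if fw is not None and not fw.inbound(pkt):
            return ("dropped", "software firewall on " + lan_ip)
        return ("delivered", layer + " -> " + lan_ip)


def demo() -> dict:
    """Run the scenarios from the article through the model; returns name -> (verdict, layer)."""
    router = Router(
        hosts={
            "10.0.0.10": HostFirewall(listening_ports=frozenset({80})),  # PC serving a web page
            "10.0.0.20": None,                      # PC with NO software firewall
            "10.0.0.30": HostFirewall(),            # PC with a default-deny software firewall
        },
        port_forwards={80: "10.0.0.10"},
    )
    wan, outside = "203.0.113.5", "198.51.100.9"   # constructed router WAN ip and an Internet host
    return {
        "unsolicited_80": router.receive_in(Packet(outside, 40000, wan, 80)),   # hits port forward
        "unsolicited_22": router.receive_in(Packet(outside, 40001, wan, 22)),   # falls to DMZ, discarded
        "spoofed_private_src": router.receive_in(Packet("10.0.0.99", 40002, wan, 80)),
        "out_no_host_fw": router.send_out(Packet("10.0.0.20", 50000, outside, 6667)),  # passes unchecked
        "out_host_fw": router.send_out(Packet("10.0.0.30", 50001, outside, 6667)),     # blocked on the PC
        "out_https": router.send_out(Packet("10.0.0.30", 50002, outside, 443)),
        "reply_https": router.receive_in(Packet(outside, 443, wan, 50002)),            # NAT + stateful host fw
        "lan_to_lan": router.send_out(Packet("10.0.0.20", 50003, "10.0.0.30", 445)),   # LAN isolation
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict[0]:10s} {verdict[1]}")
```

The scenarios worth comparing are `out_no_host_fw` and `out_host_fw`: the same unknown outbound connection is forwarded by the router without any check from the PC that has no software firewall, and stopped on the PC that has one. `lan_to_lan` shows the isolation point at the end of the article: traffic between two PCs never reaches the router, so only a firewall on the receiving PC can refuse it.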