MSFN Forum: Lightweight firewall recommendation?


#1 Tripredacus (Super Moderator)

Posted 24 October 2011 - 08:57 AM

I am working on getting my media PC up and running and getting it prepared to be put into service. I plan on having this in my network's DMZ so I figure I'll need a good firewall. I'm interested in something that blocks EVERYTHING except what ports I want open. It has Win XP Pro SP3 and 1GB RAM if that helps.


#2 nitroshift (Super Moderator)

Posted 26 October 2011 - 08:43 PM

Trippie, I have an HTPC in my home network too. Because sometimes I go to friends' houses and we'd like to see a movie from my HTPC, I've set it up behind a Cisco router and forwarded only the relevant ports in Cisco's firewall (although nowadays any router has some sort of firewall built in, making it appropriate for the job). Another security measure was playing with NTFS permissions and making all the movies read-only. There's no need to set up the HTPC in the DMZ, because there are too many ports to close (about all of them, except the ones that VLC connects to). Hope this helps you a bit.


nitroshift

#3 CoffeeFiend (Super Moderator)

Posted 26 October 2011 - 08:51 PM

nitroshift, on 26 October 2011 - 08:43 PM, said:

There's no need to set up the HTPC in DMZ

I don't see why he'd want to do that in the first place. It makes no sense to me. My HTPC happily sits behind my router, and if I wanted to "expose" something (and not via VPN) then I'd just forward the necessary port(s).

#4 nitroshift (Super Moderator)

Posted 26 October 2011 - 08:56 PM

CoffeeFiend, on 26 October 2011 - 08:51 PM, said:

nitroshift, on 26 October 2011 - 08:43 PM, said:

There's no need to set up the HTPC in DMZ

I don't see why he'd want to do that in the first place. It makes no sense to me. My HTPC happily sits behind my router, and if I wanted to "expose" something (and not via VPN) then I'd just forward the necessary port(s).

Exactly my point.

#5 Tripredacus (Super Moderator)

Posted 27 October 2011 - 10:06 AM

It was my understanding that if I set up the PC in the DMZ, both the wired and wireless clients could see it. :unsure:

#6 nitroshift (Super Moderator)

Posted 27 October 2011 - 10:28 AM

Tripredacus, on 27 October 2011 - 10:06 AM, said:

It was my understanding that if I set up the PC in the DMZ, both the wired and wireless clients could see it. :unsure:

Connection type doesn't make any difference at all.

#7 CoffeeFiend (Super Moderator)

Posted 27 October 2011 - 10:29 AM

Tripredacus, on 27 October 2011 - 10:06 AM, said:

It was my understanding that if I set up the PC in the DMZ, both the wired and wireless clients could see it. :unsure:

No, that would work fine on any regular port, unless you went out of your way to enable some option like AP isolation to "isolate" your wifi clients from everything else (shouldn't be an issue so long as your wifi is reasonably well secured, i.e. using WPA or similar).

DMZ means that ~100% of web traffic (hackers, script kiddies, network-spreading viruses and all) would go right to your HTPC and that's about it. It would be directly exposed to the internet, without any protection from the router. So your question sounded like "how can I plug my HTPC (for no particular reason) in a very insecure manner, and then add a firewall?" which seemed a bit odd for sure.

Edit: darn. Beat to it by a minute or so :lol:

#8 Tripredacus (Super Moderator)

Posted 27 October 2011 - 02:47 PM

OK, that makes sense. But as it stands, there may already be an isolation setting enabled in the router, because wireless and wired clients can't access each other, but each type can go online.

#9 CoffeeFiend (Super Moderator)

Posted 27 October 2011 - 03:11 PM

Tripredacus, on 27 October 2011 - 02:47 PM, said:

there may already be isolation setting enabled in the router, because wireless and wired clients can't access each other, but each type can go online

What router (or 3rd party firmware)? Because by default they should see each other.

#10 Tripredacus (Super Moderator)

Posted 27 October 2011 - 05:35 PM

Not using third party fw yet, although I do intend to at some point... due to some strange cross-manufacturer configuration issue which blocks connection to the Quake 3 master server. I first encountered this problem with my old D-Link, where if you try to connect to Q3, it resets the router. DD-WRT fixed it on that one, but my current router does the same thing.

Currently I have a Linksys WRT400N using whatever firmware it came with.

SPI firewall is enabled and the only Filter option set is IDENT port 113. It should be mostly at default settings, except that I have both bands (N and G) set up with WPA2-AES. I can see that both WLAN and LAN clients all get IPs in the same subnet, so they should be able to communicate. AP Isolation is set for Disabled on both bands.

#11 CoffeeFiend (Super Moderator)

Posted 27 October 2011 - 09:08 PM

I hope the firmware isn't as ghetto as the WRT160N v3 I've got here (it's got to be one of the worst I've ever seen).

Anyway. AP isolation is disabled by default on it, but I'd have a look at it under wireless > advanced. This is most likely the reason.

#12 nitroshift (Super Moderator)

Posted 27 October 2011 - 10:50 PM

WRT400N is supported by DD-WRT. I'd flash it before trying anything else.
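A concrete form of the "block everything except the ports I want open" requirement from the first post, applied to the DD-WRT route suggested here: this is an added example written for this page, not code from the thread or from the DD-WRT project. It assumes a Linux box with iptables (a DD-WRT router, or a Linux host); the interface name br0 and the port numbers 22 and 8080 are constructed placeholders to replace with the real LAN interface and the services that actually need to be reachable.

```shell
#!/bin/sh
# Added example, not from the thread or from DD-WRT: emit a default-deny
# iptables INPUT ruleset that accepts only an explicit port allowlist.
# Assumptions: a Linux box with iptables (e.g. a DD-WRT router); the
# interface name and port numbers passed in below are constructed
# placeholders for the real LAN interface and services.

# gen_rules LAN_IF "TCP PORTS" "UDP PORTS"
# Prints the iptables commands instead of running them, so the ruleset
# can be reviewed (and tested) before it is applied to a live box.
gen_rules() {
    lan_if="$1"      # LAN-side interface local clients may use freely ("" = none)
    tcp_ports="$2"   # space-separated TCP ports reachable from anywhere
    udp_ports="$3"   # space-separated UDP ports reachable from anywhere

    echo "iptables -P INPUT DROP"                 # default policy: deny
    echo "iptables -F INPUT"                      # start from an empty INPUT chain
    echo "iptables -A INPUT -i lo -j ACCEPT"      # loopback is always fine
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -m state --state INVALID -j DROP"
    if [ -n "$lan_if" ]; then
        echo "iptables -A INPUT -i $lan_if -j ACCEPT"   # trusted LAN clients
    fi
    for p in $tcp_ports; do
        echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $udp_ports; do
        echo "iptables -A INPUT -p udp --dport $p -j ACCEPT"
    done
    # Rate-limited log of what the policy drops, then the explicit drop.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'INPUT-DROP: '"
    echo "iptables -A INPUT -j DROP"
}

# Number of allowlisted ports in a generated ruleset: a sanity check that
# the allowlist is as small as intended.
count_allows() {
    gen_rules "$1" "$2" "$3" | grep -c -- '--dport'
}

# Dry run by default; APPLY=1 executes the generated commands (needs root).
main() {
    rules=$(gen_rules "br0" "22 8080" "")
    if [ "${APPLY:-0}" = "1" ]; then
        printf '%s\n' "$rules" | sh -e
    else
        printf '%s\n' "$rules"
    fi
}

main "$@"
```

Run it as-is to review the generated ruleset, and with APPLY=1 to execute it. On a DD-WRT router it belongs in the firewall script so it is re-applied after every boot; because it flushes the INPUT chain, the LAN-interface accept is what keeps local clients (DHCP, DNS, the web admin page) working, and everything from the WAN side is dropped unless its port is on the list. The rate-limited LOG rule is the check worth watching once the policy is on: it records what the default deny is dropping, which is how you find a service you forgot to allow or confirm that unsolicited traffic is going nowhere.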

Copyright © 2001 - 2013 msfn.org