Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Do I Need a Firewall for My Home Network?

Question: I keep hearing about “firewalls” for my computer and that there are different types. Do I need one? If I do, what kind of firewall do I need?

Yes. You need a firewall. It’s simply too risky to let your computer sit “naked” on the internet unless you really know what you’re doing.

The good news is, you probably already have one and don’t need to do a thing. Heck, you probably have two.

Become a Patron of Ask Leo! and go ad-free!

TL;DR:

A firewall protects you from uninvited outside connections reaching your computer over the internet. This protects you from network-based malware. There are both hardware and software firewalls. Your router acts as a firewall, and the Windows 10 firewall is on by default. Together, they’re probably all you need.

What’s a firewall?

Shielded RouterFirewalls defend against a class of network-based threat constantly (yes, constantly) attempting to attack your computer. Those threats are stopped cold by a firewall.

In your car, a firewall is the “wall” of metal between you and the engine. Its purpose is to prevent engine fires from reaching you.

A firewall for your computer is much the same, except the engine — the network you’re connected to — is always on fire. The point of a firewall is to keep you from getting burned.

Network-based threats

A firewall protects your computer from network-based threats.

Almost all computers connected directly to the internet are under constant attack. Malware on other machines, hackers, botnets, and more are waging a slow but persistent war, probing to find unpatched vulnerabilities. If they find one, they infect the machine they’ve found, or worse.

The basic concept of a firewall is simple: it filters out certain types of network traffic from ever reaching your computer.

Want and don’t want

Traffic you want to reach your computer:

  • Websites pages you visit
  • Software you download
  • Music you listen to or video you watch
  • And more…

Other traffic you definitely don’t want:

  • Your neighbor’s machine, infected with a botnet, trying to connect to your machine to spread the infection.
  • Overseas hackers trying to gain entry to your machine to steal your personal information.
  • And more …

A firewall knows the difference.

Solicited & unsolicited

If you look at the sets of examples above, they differ in one important aspect:

  • Things you want are connections you or your computer initiate. At your request, your computer reaches out and asks for the webpages you visit, the software you download, or the music you listen to.
  • Things you don’t want are connections from outside trying to come in without being invited.

That’s an easy distinction for a firewall to make.

Two types of firewalls

Hardware firewalls

A router sitting between your computer and the internet is perhaps the best and most cost-effective firewall you can have. It’s a piece of equipment1 connected to both your computer and your internet service.

The router’s job is to “route” data between your computer(s) and the internet. It also allows you to share an internet connection among many devices.

Routers watch for connections initiated by your computer reaching out to resources on the internet. When a connection is made, it keeps track, so when a response comes back, it knows which of your local machines gets the data.

The beneficial side effect is, if an outside computer tries to start a connection, the router doesn’t know which computer to send it to. All it can do is ignore the attempt. That effectively blocks everything on the internet from trying to start a connection to a machine on your local network.

That makes your router a powerful incoming firewall.

Software firewalls

Software firewalls are programs your computer runs. They operate as close to the network interface as possible, and monitor all your network traffic.

If you’re not using a router and are connected directly to the internet, all of the network traffic will still technically reach your machine, but the firewall prevents malicious traffic from getting any further. Much like a router, a software firewall prevents the rest of your system from even realizing there is any malicious traffic.

In addition, some software firewalls can be configured to monitor outgoing traffic. If your machine becomes infected and malware attempts to “phone home” by connecting to a malicious site, or tries to infect other machines on your network, a software firewall can warn you and block the attempt.

Windows 102 has a built-in software firewall. It is turned on by default.

The Windows firewall is primarily an incoming-only firewall.

Choosing and setting up a firewall

I recommend using a router as your firewall. Since it’s very likely you already have one, you’re done.

There is disagreement. Some believe an outgoing firewall is important. My position is, an outgoing firewall doesn’t really protect; it notifies after something bad has already happened.

Routers are common, and a requirement for anyone who has more than one device sharing an internet connection — which is all of us.

Software firewalls do make sense in a very important situation: they’re one solution when you can’t trust other computers on your local network. Don’t trust the kids’ ability to keep their computer safe on the internet? Enable the software firewall on your computer. Heading out to the local open WiFi hotspot? Turn on the software firewall before you connect.

If you’re running a reasonably current version of Windows, the firewall is probably on, and it’s fine to leave it on all the time, even if you’re behind a router. It has little impact and saves you from remembering to turn it on when you travel or have not-so-trustworthy guest on your network.

That’s why I said earlier you might have two firewalls already: your router and your Windows firewall. And that’s quite OK.

What firewalls can’t do

It’s important to remember that a firewall can’t protect you from everything.

A firewall protects you from threats arriving via malicious connection attempts from elsewhere on the internet. A firewall will not protect you from things you invite onto your machine yourself, such as email, attachments, downloads, and removable hard drives or flash drives.

Nonetheless, protection from network attacks remains critically important.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

Podcast audio

Play

Footnotes & References

1: It may be combined with a modem, which converts your internet connection’s technology into an ethernet connection, and/or with a wireless access point, giving you Wi-Fi connectivity. Or these may be three separate devices.

2: And Windows 7, and 8, and 8.1. I believe in Vista and prior you needed to enable the firewall yourself.

50 comments on “Do I Need a Firewall for My Home Network?”

  1. Thanks Leo for your excellent site. I gain more here than many else.

    I am now using Linksys wireless-B Broadband router (same as yours) for my home network. My question is: Do I still need firewall in my computer in addition to the in-built firewall function of the router. The latter in my understanding is via NAT.

    Thanks a lot in advance.

    Reply
  2. I’ve found that while my firewall is up, I cannot post to some forums, nor register with some sites (like my local newspaper classifieds.) Can I turn it off for these functions and still be relatively safe?

    Reply
  3. I’d find out what your firewall is blocking that’s preventing those things from working, and then adjusting it to allow what you need. How for both will vary depending on what firewall you’re using. Internet viruses can happen fairly quickly (people downloading patches have gotten reinfected faster than they can download), so I’m hesitant to recommend turning off the firewall completely.

    Reply
  4. My computer has a firewall from Windows Service Pack 2 and virus protection. My question is I just purchased an internet system with 5 protection programs, which includes a firewall and antivirus protection, Do I need this in addition to what I already have? or is it unnecessary.

    Reply
  5. My computer has a firewall from Windows Service Pack 2 and virus protection. My question is I just purchased an internet system with 5 protection programs, which includes a firewall and antivirus protection, Do I need this in addition to what I already have? or is it unnecessary.

    Reply
  6. My computer has a Norton Personal Firewall installed. and the rediff bol application is not getting started because one of the ports is blocked because of the firewall. What do i do to make the application work without turning off the firewall.

    Reply
  7. Dear Leo;
    I am a soon to be foster parent of teen aged girls and I want to protect them from as many potential Internet related problems as possible, including chat rooms with unseemly types. What suggestions do you have for parents/foster parents with kids who want to use the Internet?
    Ann

    Reply
  8. i just bought a new computer and when i went to the screen for my firewall, it was turned off. i turned it on and a friend told me i should turn it back off? what exactly is the firewall? i am not very smart when it comes to computers.

    Reply
  9. Hi Leo,

    I have Windows 200 professional and Mcafee viruscan 7.1 on my laptop.I have been having my dial-up connection from AOL for about 2 weeks.I did one mistake.I did not update my latest dat file from NAI.com for the viruscan.During that period some virus has entered my system and diabled my task manager.Later I updated teh latest dat file.But still I started getting messages from virscan that a virus file SVCHOST.exe could not be deleted fro c:winntsvchost.exe.Then I found this file in that location was just 1 week old.I also found one more file in location c:winntsystem32svchost.exe old dated and also smaller in size.Then c:winntsystem32svchost.exe to c:winntsvchost.exe.The viruscan report stopped coming but now this exe keeps executing itself from c:winntsvchost.exe on a empty command window and finally I have got a message on my desktop showing high risk of spyware and some problem on RAM.Please let me know what should I do.I have my Windows ME factory edition for my laptop.Should I go ahead and install the OS.If I take a backup of data on split drive D do I have a chance of getting viruses from the backup.

    Thanks,

    Chamu

    Reply
  10. I wanted to get back at my sister for sending me a lot of forwarded chain letters and other dumb stuff so I sent her a barrage of funny emails frm a certain site. It didn’t end up the way I had planned as she had just put in a firewall(called firefox) on her comp,she said she couldn’t access them,but one frm another site she could see. Why is that? Thanks for ur help!

    Reply
  11. We have AOL’s security system on our computer. My wife chose the computer check on AOL, and chose some option that keeps turning off our internet connection after a minute or so.

    We have a router that our computer connects to. It has an IP address that the fire wall seems to reject, but allows initially.

    If we go to Google, it allows us connection for a long time. But as soon as we try to go on Yahoo.com or msn.com or aol, then our internet connection gets interrupted. We have to disable and enable our connection again and again to connect for short periods of time.

    Please Help.

    Reply
  12. hey… i need a little help.. i cant seem to check my emails… i can get onto the hotmail.com website, and i can type in my email address and password.. but when i hit enter, it says page cannot be displayed. i personaly think that it is because of some kind of firewall. but i have no idea how to disable it. can you help me?

    thanks

    Reply
  13. FIREWALL NOT NEEDED? Everyone says use a router/firewall when using DSL, cable, etc. I helped a friend with a new AT&T DSL account and insisted that he buy a router. So he purchased a Netgear router. During the setup, I was surprised to see that the modem was giving out a private 192.168.1.x address. Are they putting NAT firewalls in the modems now? None of the documentation mentioned that there was already a firewall. I installed the Netgear router anyway because I was not sure. Maybe he didn’t need to buy the router? I still can’t find any info about firewalls being included in DSL modems.
    -Ron

    Reply
  14. —–BEGIN PGP SIGNED MESSAGE—–
    Hash: SHA1

    I have seen this, though as you’ve seen it;s hard to find
    documentation on it. The DSL modem at my wife’s business was
    handing out 192. addresses just as you describe. This does
    imply that it’s doing NAT, and does imply that it is acting,
    in some regard, as a firewall/router. And yes, that would be
    sufficient.

    And to clarify your lead-in statement, yes a firewall is
    still neccessary – it just might already be in your modem.

    Leo

    —–BEGIN PGP SIGNATURE—–
    Version: GnuPG v1.4.7 (MingW32)

    iD8DBQFHqfCTCMEe9B/8oqERAjlYAJ4+hsNrgAaELZ79CdeZc5Bol6NxVACgjpsi
    CMtarYfrjPu/oQ0SnBr0JLY=
    =9Rad
    —–END PGP SIGNATURE—–

    Reply
  15. Leo,
    Lately, according to Zone Alarm I have NUMEROUS programs all trying to contact 192.198.0.198 and .1 and 224.0.0.22 which appear to come from Africa! At your suggestion on the air I bought a D-Link DIR-655 router and NOD32 AV. I deleted ZA as I thought you said all I needed was the router. I’m really worried “something” is on my computer despite complete scans by NOD32 and several other on line scan programs. Should I go back and install Zone Alarm again?
    Am I in danger and should I worry?
    Thanks, Leo,
    David

    Reply
  16. I fix computers from time to time and I think some may have been hacked into. When I fix them I don’t use my router with a firewall I just connect via my modem and after there repaired I hook my router back up.
    So if the hacker can see my ip addy am I still safe since I put my router with firewall back up or should I use my router all the time even when I do repairs

    Reply
  17. Ok, I now know hard/soft firewall, router, hub, switch. Question…. our previous computer technician set up a brand new dedicated server and connected the server > modem > broadband. (we have a dental office with much private info…. 17 computer stations) Currently all the protection we have that I know of is Norton Anitvirus and whatever our broadband has. A new computer tech says, “NOT EVEN ADEQUATE” and recommends a hardware device for max protection (about $500). What is right?

    Reply
  18. Agree with most of what you say in this article, but have a comment about the Comodo firewall. The Comodo firewall enjoys #1 ratings from many sources. I used it for several months, but ultimately uninstalled it. Why? It is annoyingly intrusive. It constantly pops up dialog boxes requiring you to allow or disallow one thing or other, even after going thru a long learning period. Its identification of what’s trying to get in is almost always cryptic — usually a file name that means nothing to me (and I help people fix software problems, so are pretty computer literate), and even less to most home computer users. I think it would be helpful to append the article to mention that Comodo is most useful for technically savvy users. Others will do just as well to use the free Windows firewall, even though it’s unidirectional.

    Reply
  19. I have AOL and it does have its own firewall which I appreciate. Sometimes it does not allow me to go on a particular site, so I just use Firefox to get on. Not really a problem. I hope. Any concerns I should have?

    Reply
  20. I don’t see anything wrong with the one included with Windows 7. It’s adequate for my purposes. On XP Pro, the firewall was fine as well. As long as you play safe computing (no porn sites, not accepting every free download that comes your way to place spyware onto your computer), you should be safe. If the Windows default firewall was no good, they’d be advising to get one.

    Reply
  21. Hi Leo
    Believe it or not , My pc got a perfect score in all areas at Gibson Research
    Happy new year for 2010
    :-)

    Color me impressed. Smile

    Leo
    30-Dec-2009

    Reply
  22. Hi All,
    A perfect score by Shields Up was achieved by Zone Alarm. You have complete control in and out. Free for private use. A little annoying but you are notified if programs change as well. Simple but effective. A firewall should never be turned off and a hardware and software firewall in tandem is the most secure. There is no conflict between the two. I have used a Router/software firewall combination with AVG on XP for years with no infections even on the most dangerous websites. Keep up the good work Leo.

    Reply
  23. If you don’t have file sharing turned on, and you know the things to avoid on internet such as popups, then I fail to see the justification for a firewall. This seems to me to be one of those forms of brainwashing that’s occured in the computer world where due to typical user stupidity, people are absolutely convinced that this is therefore their “internet condom”. Can you provide any more plausible/logical reason on *why* this is even helpful if you know your way around a pc backwards-and-forwards?

    There have been vulnerabilities – both as bugs and as configuration choices – in network-facing protocols other than file sharing that have allowed malware to infect a system not protected by a firewall – even for systems owned by people who claim to know their way around a computer backwards and forwards.

    Leo
    15-Jan-2010

    Reply
  24. First, there is never a good reason to NOT have a firewall! Just have a look at a typical log file to see the type and frequency of attacks that are being blocked, typically against ports for services you may not even know are running on your PC (this is where “shields UP” can help).

    Your consumer-grade router is probably adequate for home use, and as noted by others usually also provides a DHCP server. See if it has “stealth mode”, and if it does, be sure it’s turned on.

    If you have business assets to protect, however, a dedicated firewall appliance gives you more control, better logging and alerts, etc. I use a SonicWall TZ-100 on my server’s DSL, and a LinkSys router on my BrightHouse home network.

    Running a software firewall behind a hardware firewall probably won’t help you, and will probably degrade performance. Plus, if you’ve had to do any significant configuration for outbound services you’ll have to remember to make any changes to both firewalls.

    If you live behind a firewall don’t get complacent: be sure to turn the software firewall back on whenever you use a “Public” network (hotel, airport, etc.).

    Reply
  25. The best free firewall programs that I’ve used are Comodo and Zone Alarm. Each has it’s pros and cons along with the learning curve for you and the software. I prefer Zone Alarm because I feel it’s a tad more user-friendly. To sum it up, if you’re a responsible surfer and you keep your system up to date then using either of these will just be some additional security.

    BTW, I’ve always recevied a perfect score from Gibson when I scanned my system.Either the test is missing something or my security is decent.

    Reply
  26. I scored perfect as well. I do not see the need for a software firewall and was quite pleased to find this article which makes the points that I have been telling people for a very long time. A router, for most people, will suffice. Thank you, Leo, for backing up those of us who tell others, “If you want your computer protected, put it behind a router.”

    Reply
  27. Is a BT Home Hub (which I have) the same as and/or as good as a router?

    I’m not famliar with the BT Home Hub, so you’ll need to check with the provider to see if it’s really a router. If it’s truly a “hub”, then no, it does not do what you need.

    Leo
    14-Dec-2011
    Reply
  28. Thanks Leo. I’ve just checked, and Wikipedia describe the BT Home Hub as a ” wireless residential gateway router”. I’ve also re-read your article about hubs, switches and routers, so I think it’s a bit odd that BT should describe it as a “hub”, when they could describe it, it seems, as a more powerful/secure “router”.

    Reply
  29. “The very short, very easy answer is: hell yes! Absolutely, positively you need a firewall.”

    Not applicable for for Linux based operating systems.

    Reply
    • While I don’t know a lot about Linux, I suspect that you still need a firewall on a Linux machine. Hackers don’t really care what operating system you are using. They just want to attack your machine. I’m pretty sure somebody has tools out there that will hack into a Linux based computer.

      Reply
      • Hackers do care; They choose predominantly the most popular operating systems. As for viruses, the existing viruses which can modify Windows do not affect Linux in any way either. So, for Linux Distros/Operating Systems there is no need for a software firewall and anti-virus applications.
        Hint: Google can be your friend.

        Reply
    • We disagree. One of the first things I set up on my Linux boxes is a firewall. In fact, to be honest, the typically included Linux firewall is one of the best.

      Reply
  30. Is just a software firewall okay? I have Norton Security Suite’s firewall. I’m not sure I want to buy a router just for the firewall…

    Reply
  31. Leo,
    Will my best bet to be safe from any prying eyes be to create VM or virtual pc box for each individual activity for example : Vitural box for browsing, virtual box for business connections and emailing, virtual box for emailing and browsing for personal use besides business then back up all these on CDs and Macrium.

    I am currently on Windows 7 and would like to create windows 7 VM or vitrual pc box machines within windows 7.
    I am currently on a century link router and would like to know how I can get another personal firewall from anything that may get through Century link router.

    Im looking to set up VPN within the virtual PC box machines and have
    encrypted email service along with harddrive
    for maximum protection. Any guidance would be massively appreciated.

    Reply
  32. Leo.. I’m looking for some Real Hardware Firewall info.. I don’t mean the kind of Router/Modem given to you by your ISP that contains a firewall built in. I’m talking about the type of hardware firewalls they had in the 70’s and early 80’s that were standalone, not built into a router/modem. This hardware based firewall (that may also be software controlled by the user) would go between your PC and your ISP’s router/modem. The hardware firewall should be able to stop all incoming and outgoing attempts you don’t agree to, such as Microsoft phoning home telemetry data. It would also catch things the ISP’s router/modem firewall will not catch due to the device not being configured by a crafty ISP ( who like Microsoft and Google seem everyone is helping the NSA steal your data which we know Is happening) I can’t trust Microsoft anymore and need better solutions I can control. Can you tell us about those types of firewalls? Thanks!

    Reply
  33. I am an old lady that is computer ignorant–recently purchased a 5 year service contract (after I was messed up and asked for help) and they have been good and insist on frequent check up and they help me with troubles when they occur. Now they have insisted I need a fire wall–at a price of course–is this really necessary. thanks

    Reply
  34. In a car firewall, there are openings for the steering wheel, the brakes, the gas pedal, the clutch, the gear shift and an assortment of cables. Those are analogous to the openings in you computer firewall for the browser, email program, ftp connections, and messaging programs etc.

    Reply
  35. In the past, my computers have been hacked and ruined. I want to get a new one but I am scared of hackers. You said that a firewall will protect it on my network so I’ll have a professional come install that just to be safe.
    {link removed}

    Reply
  36. No, these days you don’t need firewall. Nobody connects directly to internet, in fact you probably wouldn’t be able to even if you wanted. Everybody is using a router, which makes it impossible for any outgoing traffic to reach your computer – unless you intentionally “publish” it. As for the outgoing traffic, you would have to have an expert knowledge of every application and every service in your operating system, and every port they are using. This is not practically possible, and everybody was clicking “allow” to the firewall’s prompt already since Windows XP.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.