Most routers both do, and do not, have a firewall. The good news is that the protection offered by a router's firewall is often exactly what you need.

I purchased and installed a broadband router. Specifically, a wireless Linksys WRT54G. I thought this provided a firewall and I had planned to uninstall Norton Systemworks which is giving me problems. However, the router does not appear to include a firewall. It does not need any sort of configuration like Norton, such as sites to let through or to block. I have looked all through the documentation and no mention of a firewall.

Did I buy a model without a firewall or was I mistaken about a router including a firewall?

Your router does, and does not, have a firewall.

And I totally understand that this is confusing.

I'll try to clear it up...

One of the things that your router does is allow you to share your internet connection. By that I mean you can take a single internet connection that's designed to connect to only one computer, add a router, and then through the router connect several computers, which can then all use that single internet connection.

The way this happens is that your internet IP address, which is used to route data to you when you surf the internet, is assigned to the router instead of a computer. The router then assigns local IP addresses to each of the computers you have connected to it. The router then also takes care of making sure that the data sent to and from the internet is routed to and from the correct computer on the local network.

One side effect of this approach, called Network Address Translation, or NAT for short, is simply this: no computer from outside your local network can initiate a connection to a computer on the inside of your local network.

Put another way: computers on the internet are completely blocked from connecting to computers behind a router. (You can create exceptions, of course, using something called "port forwarding" and/or "DMZ" settings in the router configuration.)

In this regard, the router is acting like an inbound firewall. In fact, it's acting so much like one that we simply refer to it as being a firewall.
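
The translation-table behaviour described above, modelled as a small Python sketch. This is an added example, not code from the original article or from any router's firmware; the class, addresses and port numbers are constructed for illustration, and the model assumes replies are matched against the exact remote address and port, which real routers do with varying strictness.

```python
# Toy model of a NAT router's translation table (all addresses are constructed).
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"  # documentation-range address standing in for the ISP-assigned IP


@dataclass
class NatRouter:
    public_ip: str = PUBLIC_IP
    next_port: int = 40000
    # public port -> (local ip, local port, remote ip, remote port)
    sessions: dict = field(default_factory=dict)
    # public port -> (local ip, local port): the "port forwarding" exceptions
    forwards: dict = field(default_factory=dict)

    def outbound(self, local_ip, local_port, remote_ip, remote_port):
        """A local computer starts a connection; the router records it."""
        public_port = self.next_port
        self.next_port += 1
        self.sessions[public_port] = (local_ip, local_port, remote_ip, remote_port)
        # The packet leaves carrying the router's address, not the computer's.
        return (self.public_ip, public_port, remote_ip, remote_port)

    def inbound(self, remote_ip, remote_port, public_port):
        """Return the (local ip, local port) to deliver to, or None to drop."""
        session = self.sessions.get(public_port)
        if session and session[2:] == (remote_ip, remote_port):
            return session[:2]  # reply to a connection started from inside
        if public_port in self.forwards:
            return self.forwards[public_port]  # explicitly configured exception
        return None  # unsolicited: the router has nowhere to send it


def demo():
    router = NatRouter()
    sent = router.outbound("192.168.1.20", 51515, "198.51.100.7", 443)
    results = {
        "reply": router.inbound("198.51.100.7", 443, sent[1]),
        "unsolicited": router.inbound("198.51.100.99", 4444, 3389),
        "wrong_peer": router.inbound("198.51.100.99", 4444, sent[1]),
    }
    router.forwards[8080] = ("192.168.1.30", 80)  # a port-forwarding rule
    results["forwarded"] = router.inbound("198.51.100.99", 4444, 8080)
    return sent, results


if __name__ == "__main__":
    print(demo())
```

The only inbound packets that reach a local machine are replies to sessions that machine opened, plus whatever a forwarding rule deliberately exposes; every forwarding or DMZ entry is therefore worth reviewing as an opening in the inbound block.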

Now, in the strictest sense, your router is not truly a firewall. Two key components are missing:

  • Your router does not attempt to block any outgoing connections or data. A true firewall will typically examine outbound connections as well as incoming ones. In fact, a great deal of the configuration you referred to in your question typically tells the firewall exactly which programs on your computer are allowed to make an outbound connection.

  • Your router does not inspect the data that it's routing, other than to make sure it's headed to the correct computer. Firewalls are often configurable to the extent that you can allow not just certain types of connections, but also allow, or block, certain types of data over those connections. In the extreme, a firewall could actually incorporate anti-virus checking and block anything that was found to be carrying a virus.

So in that regard your router is not a true firewall.

So what do you need?

In my opinion: if you can trust all the computers on your local network, a NAT router provides 99.9999% of what you actually need in a firewall. Blocking external threats is by far the single most important role of a firewall these days; so much so that everyone should have some kind of firewall, no matter what.

In my opinion, a software firewall is simply not needed in this case. Blocking outgoing traffic sounds important, but in reality, if you have outgoing traffic that needs to be blocked, then either you need to change your system's configuration so that it doesn't try to do whatever it's doing, or you are already infected with malware. In the latter case, it's too late. The firewall did not prevent you from getting infected. At best it might have prevented you from infecting someone else, but even that is suspect.

Now, you'll notice I emphasized the phrase "if you can trust all the computers on your local network." That's the one exception to the "software firewalls not needed" guideline. For example, let's say you share your internet connection with your children, who don't understand internet safety and are constantly getting their computer infected. In a case such as this, where you cannot trust some other machine that shares your local network with you, you probably do need a firewall to protect you. And let's be clear: that firewall is not to protect you from the internet -- your router does that -- but from that other machine. And once again, what really matters here is blocking unwarranted incoming connections. As far as I'm concerned, if the firewall lets you disable monitoring of outgoing connections, you can.

So if you're in that "safe" situation, then yes, in your shoes I would uninstall that software firewall and rely on the protection of my NAT router.

In fact, that's exactly what I do here at home.

Article C3323 - March 17, 2008

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

12 Comments
Alex
March 17, 2008 10:14 PM

Nice article Leo. Would a router + antivirus combo be an effective solution? Assuming that the antivirus software is installed prior to any infection, it would stop problems on the local LAN. The router would then stop external threats therefore providing a comprehensive layer of protection.

Michael
March 18, 2008 10:19 AM

I agree with all your logic, Leo. And since I am in the situation you describe (behind a router and trust all computers on my network), I used to not use a software firewall.

However, one day it dawned on me that if through some fault of my own, I did actually get spyware (for example, a keylogger) installed on my computer, having a software firewall would at the very least alert me and cause me to block any attempt by said keylogger to transmit its collected data.

As a result, I use Zonealarm free. In my mind, it provides just a little extra layer of protection.

However, if I'm missing something here, please tell me, as I would love to be able to uninstall Zonealarm so as to have one less program loading at start up.

Fred
March 22, 2008 4:17 AM

I find Comodo to be better than Zone alarm, seems more user friendly, and doesn't seem to take up much resources.

Hugh E Torrance
March 22, 2008 5:40 AM

I use mostly Linux so very limited anti virus or firewall but I do also have XP and recently I disabled C.O.M.O.D.O. and have observed an increase in speed... I have a NAPT router and so far I have been OK... The system I am on now is Desktop BSD, so I reckon I am reasonably safe with BSD and my router.

Terry Hollett
March 22, 2008 6:11 AM

Personally, I prefer a software firewall (or any) to tell me what programs are trying to access the internet. I download a program off the internet, install it and no more than finished when my firewall warns me it's trying to access its update site, no other warning. I hate programs that try to update without any warning. I hate programs that give you a warning but still try to update. Of course most programs give you the option to disable 'automatic updating', one of the first things I look for. But I've installed programs that will not even give you that option.

I don't have a router; I have a switch that I've had forever. A GNET 5 port 10/100 switch. It's not programmable like a router. But even if I had a router, I would prefer to have a firewall.

http://www.geocities.com/terryhollett2003/

Andrew Haase
March 22, 2008 10:04 AM

I also use a firewall to block local processes from accessing the internet. Certain programs (acrobat reader comes to mind) always check for updates when run and some insist on installing unwanted software with the update. A firewall is the most simple way to block this. I don't want to be asked to update programs like this unless I am experiencing a problem because the program is too old.
It can also be a good warning that a program is accessing the internet that you do not expect. This has happened several times for me and I was able to use Mike Linn's startup manager to remove unnecessary update processes on my system (and save my system resources for programs I WANT).

Eli Coten
March 22, 2008 6:19 PM

Although it's complicated and not easy to find, Windows XP Pro itself does have some form of rudimentary firewall. I saw a computer with a dial-up connection, connected at about 50Kbps which was quite good for dial-up, but nothing useful could be done with the connection because something else was using it to transmit some other data.

There was no software firewall, but since it was all on the same outgoing port, I was able to block the traffic using Windows IP Security Policies. Of course IP Security policies are very basic, a nightmare to use and not very clever/powerful but in this case they did the trick. Next stage is to find out what was causing that traffic and get rid of it!

(As an aside: the Linksys WRT54G mentioned in the original question is a very flexible router that can be reflashed using a few different 3rd party firmwares to do pretty much anything really. You can install a Linux shell to it and then program it as you wish within the constraints of its CPU and memory available (which differs from version to version).)

Gordon Carswell
October 11, 2011 2:50 PM

After reading the article "Does my router have a firewall or not?" can I safely assume that the firewall function is on?
On setting up my router I did no more than put in user name and password. I did not put in any settings for firewall protection.

Mark J
October 11, 2011 9:59 PM

@Gordon
Normally the router firewall is on and any exceptions have to be manually set.

Simon Aultman
October 20, 2012 9:52 AM

I do not own a computer but I will be sure to purchase a NAT router when I do. I will also be sure to check the setting of the firewall regularly.

John
November 4, 2012 1:21 AM

What about the firewall that comes with Windows 7? Leave it on or off if you have a router?

Mark J
November 4, 2012 2:48 AM

@John
That question is answered in the last 2 paragraphs of the article, but here is something a little more specific.
So do I need the Windows Firewall or not?
