A firewall is critical to keeping your internet-connected computer safe. We'll review what a firewall is and the two different types of firewalls.

I keep hearing the term 'firewall' and how I need one when I connect my computer to the internet. What's a firewall, why do I need one, and how do I set one up?

Many types of viruses and other types of malware can be prevented simply by using a good firewall.

In your car, a firewall is the "wall" of metal between you and the engine. Its purpose is to prevent engine fires from reaching you.

A firewall for your computer is much the same - the point is to keep you from getting burned.

Let's look at the two common types of firewall.

Network-based threats

A firewall fundamentally protects your computer from network-based threats.

Almost all computers on the internet are under constant attack. Malware on other machines, hackers, botnets, and more are waging a slow but extremely persistent war, checking for any unprotected vulnerabilities on other internet-connected computers. If they find such a vulnerability, they then infect the machine that they've found, or worse.

The basic concept of a firewall is very simple: it blocks or filters certain types of network traffic from ever reaching your computer.

Traffic that you want to reach your computer:

  • Website pages that you visit

  • Software that you download

  • Music or videos that you might watch

  • And more...

Other traffic that you definitely don't want:

  • Your neighbor's machine infected with a botnet trying to connect to your machine over the network to spread the infection.

  • Overseas hackers trying to gain entry to your machine over the network to steal your personal information.

  • And more ...

A firewall knows the difference.

Hardware firewalls, like your router

A router sitting between your computer and the internet is one of the most effective and cost-effective firewalls that the average computer user can have.

The router's job is to "route" data between the computers on your local area network and the internet.

Routers also allow you to share an internet connection through what's called "Network Address Translation", more commonly referred to as NAT. NAT "translates" between your internet-facing IP address and the local IP addresses that the router has assigned to your local machines.

Routers then watch for connections initiated by your computer to resources out on the internet. When a connection is made, the router keeps track so that when a response comes back on that connection, it knows which of your local machines to send the data to.

The side effect is that if an outside computer tries to start a connection, the router doesn't know which computer to send it to. All it can do is ignore the attempt.

That effectively blocks everything on the internet from trying to start a connection to a machine on your local network.

And that makes your router a powerful incoming firewall.

Your router will not, however, filter outgoing traffic.
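
To make the connection-tracking idea concrete, here is a small Python sketch added as an illustration; it is not from the original article or from any router's firmware. The addresses, ports, and the NatRouter class are made up for the example, and it assumes the router only accepts replies from the exact machine that was contacted, which not every router enforces.

```python
# Added illustration: a toy NAT router. All addresses and ports are constructed.
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"   # constructed internet-facing address


@dataclass
class NatRouter:
    public_ip: str = PUBLIC_IP
    next_port: int = 40000
    # public port -> (local ip, local port, remote ip, remote port)
    table: dict = field(default_factory=dict)

    def outbound(self, local_ip, local_port, remote_ip, remote_port):
        """A local machine starts a connection: always allowed, and remembered."""
        wanted = (local_ip, local_port, remote_ip, remote_port)
        for port, entry in self.table.items():
            if entry == wanted:
                return port                      # connection already tracked
        port = self.next_port
        self.next_port += 1
        self.table[port] = wanted
        return port                              # packet leaves as public_ip:port

    def inbound(self, remote_ip, remote_port, public_port):
        """A packet arrives from the internet addressed to public_ip:public_port."""
        entry = self.table.get(public_port)
        if entry is None:
            return None                          # nobody asked for this: ignore it
        local_ip, local_port, want_ip, want_port = entry
        if (remote_ip, remote_port) != (want_ip, want_port):
            return None                          # assumption: only the contacted peer may reply
        return (local_ip, local_port)            # deliver the response locally


def demo():
    router = NatRouter()
    results = {}
    # A laptop opens a web connection to a (constructed) server.
    port = router.outbound("192.168.1.20", 51000, "198.51.100.7", 443)
    # The server's reply finds its way back to the laptop.
    results["reply"] = router.inbound("198.51.100.7", 443, port)
    # An outside machine tries to start a connection that no local PC asked for.
    results["unsolicited"] = router.inbound("192.0.2.66", 4444, 445)
    # The same outsider hits the open public port, but it is not the tracked peer.
    results["wrong_peer"] = router.inbound("192.0.2.66", 4444, port)
    # Outgoing traffic is never filtered: an infected PC "phoning home" still
    # gets a mapping, which is why NAT acts as an incoming-only firewall.
    results["phone_home"] = router.outbound("192.168.1.30", 52000, "192.0.2.66", 8080)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12} -> {value}")
```
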

Software firewalls

Software firewalls are programs that you install on your computer. They operate at a very low level - as close to the network interface as possible - and monitor all your network traffic. While all of the network traffic still technically reaches your machine, the firewall prevents malicious traffic from getting any further. Much like a router, a software firewall prevents the rest of your system from even realizing that there is any malicious traffic.

In addition, some software firewalls can be configured to monitor outgoing traffic. If your machine becomes infected and some malware attempts to "phone home" by connecting to a known malicious site or tries to infect other machines on your network, a software firewall can often warn you and block the attempt.

All versions of Windows after XP have a software firewall built in and all versions after Windows XP SP2 have it turned on by default. Windows may even annoy you into ensuring that the firewall is either turned on or that you're aware of the risks in not having it turned on.

The Windows firewall is primarily an incoming-only firewall.

Choosing and setting up a firewall

In general, I recommend using a broadband router as your firewall.

There is disagreement here, as some believe that an outgoing firewall is important. My position is that an outgoing firewall doesn't really protect you; it simply notifies you after something bad has happened.

Routers are pretty common and nearly a requirement for anyone who has more than one computer sharing an internet connection. If you have a NAT router, you have a firewall without needing to burden each computer with additional software.

Software firewalls do make sense in a very important situation:

  • Software firewalls are critical when you can't trust other computers on your local network.

Don't trust the kids' ability to keep their computer safe? Enable the software firewall on your computer.

Heading out to the local open WiFi hotspot? Turn on the Windows firewall immediately.

In later versions of Windows, the built-in firewall has matured to the point where it's actually quite reasonable to leave it on all the time, even if you're behind a router. It seems to impact operations very little and saves you from remembering to turn it on when you travel or have that not-so-trustworthy guest on your network.

Firewalls are only a part of the solution

The bad news is that a firewall can't protect you from everything. A firewall is focused on protecting you from threats that arrive via malicious connection attempts over the network. A firewall will not protect you from things that you invite onto your machine yourself, such as email, attachments, downloads, and removable hard drives.

Nonetheless, protecting yourself from network-based threats remains critically important.

(This is an update to an article originally published May 14, 2004 and updated September 26, 2009.)

Article C1941 - June 5, 2011

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

34 Comments
Jo Parlier
December 13, 2004 6:42 AM

I have a McAfee Fire wall on my computer, do I need a privacy wall also? If, yes why?

Lim
December 20, 2004 4:47 AM

Hi... pls help me or give me some suggestion :)

I have 2 firewalls in my office, Firewall A and Firewall B

Firewall A (the one connect to Internet):
trust ip: 192.168.1.1/24 (static IP)
untrust ip: DHCP (ISP assigned)
NAT is on at both trust and untrust interfaces.
DNS set.

Firewall B (connect to my NIC):
trust ip: 192.168.11.1/24 (static IP)
untrust ip: 192.168.1.34/24 (static IP)
my pc ip: 192.168.11.2 (static IP)

The picture is:
Internet --- Router --- Firewall A --- Server --- Firewall B --- my pc

When I try to login into my PC, it said, Domain server was unable to validate my password. I have been told if i set the IP as static in my PC, just ignore that error message.

Do you have any idea what went wrong?
Thank you very much....

Xiah
March 8, 2005 10:42 AM

i have Windows XP and every time I reboot my computer my Windows FireWall is turned off and I have to turn it back on. Why does it do this?

XP
July 29, 2005 4:06 AM

to Xiah:

Go to control panel - administrative tools - services.

Scroll down until u find Windows Firewall/ Internet Connection Sharing, double click, and set the start-up type to: automatic

HTH

tricia
August 9, 2005 10:47 AM

hi leo i have windows xp service pack 2 and it comes with fire wall but i cant switch it on. my pc has lots popups all the time ruining everything and slowing down my pc
please help
tricia

Leo
August 12, 2005 7:21 PM

What happens when you try to turn on the firewall?

The firewall will not stop all types of popups. You need to make sure that popup blocking is enabled in your browser, and make sure to run up to date anti-virus and anti-spyware tools regularly.

Herbert Talabis
December 5, 2005 7:28 AM

I'm using Zonealarm & i'd tell you that its blocking my program including "download accelerator" "Yahoo Messenger" "Opera" etc... Whats next?? "Explorer.exe" Thank god i've read the manual otherhand, none of my program would work cause Zonealarm would be blocking all my applications.

ben
January 27, 2006 8:39 AM

how do i develop/create a firewall software?

which programming language is advisable?

i intend using Java

Rusty
July 8, 2006 9:59 AM

You note that the downside of a hardware firewall is that it only blocks incoming, not outgoing traffic. Then for a software firewall, you recommend the built-in Windows XP firewall. However, unless things have changed since I last looked into it, doesn't the XP firewall block only incoming as well and let all outgoing go, no matter what?

joey hiles
June 5, 2007 8:08 PM

i turned my firewall off and it still says its on what do i do

blue
June 14, 2007 3:01 PM

my msn cant connect as i get the message that the firewall has blocked possibly but i dont think that it is the case can u help me please

betty
January 4, 2008 5:36 AM

I have a wireless windows xp computer and just recently my computer will not hook up with the internet. I have tried everything. Could the firewall be preventing it from accessing it?

sisca
July 19, 2008 7:23 AM

hi leo, i have a problem with my windows live messenger. when i try to sign in windows live messenger box came out and say that "windows live messenger has made several failed attempts to sign you in. your firewall may be blocking windows live messenger from connecting to the service. please review your firewall settings. see the retailer's instructions for more information". can u help me to solve my problem?? thank you

Avie
August 18, 2008 6:03 PM

Leo,

Hi, I am looking to set up a firewall in my home that will allow me to set up a separate profile for each person in the household. I have five children ranging from 18 to 4 and would like to set up distinct whitelists for each person. I have been able to find a firewall that supports setting up a profile by category to block but have been unable to find one that gives me the flexibility to block by category for some uses and by whitelist for others. Please keep in mind that multiple people use the same computer.

Thanks for your help

kokrui
September 14, 2008 6:53 AM

my msn cant connect as i get the message that the firewall has blocked possibly but i dont think that it is the case can u help me please

Osito
December 12, 2008 1:53 PM

Hi Leo I just have a question...when I try to go to the Internet...it takes a lot of time to open just yahoo,per say, when I try to diagnose the problem it says that my firewall is blocking the Internet...but I don't know how to change it...I have reset the modem, but is useless...When turn my computer I can go the Internet and go to wherever I want,but after a couple of minutes it blocks again...and it takes a lot of time to open a page...Any suggestions of how can I can fix this problem...

Rezwan
December 14, 2008 12:55 PM

if i try to sign in to my Windows Live Messenger, it displays: Several Attempts to sign in, your firewall may be blocking you to connect to the service.
Leo Please help me.
Thank you

jade
February 21, 2009 7:16 AM

My computer wont let me download anything. Is my firewall doing this? If not what can I do so I can download things again?

Nowhere near enough detail. I need specific error messages that you see and the specific steps you're taking to have any hope of helping.
- Leo
21-Feb-2009

Augustine
April 18, 2009 10:53 PM

i'm having the same problem like others. pop out showing "windows live messenger has made several failed attempts to sign you in. your firewall may be blocking windows live messenger from connecting to the service. please review your firewall settings. see the retailer's instructions for more information" when signing in. pls help..

ANoop
May 3, 2009 10:33 PM

"Windows Live Messenger Has made several attempts to sign you in. Your firewall may be blocking Messenger from connecting it to it's service. See the retailers instructions for more info"

I get this error while signing to WLM... please help me....

Lydia Grant
September 4, 2009 10:08 AM

Where I work we all have the same lap tops and/or computers. All settings are to be the same. Some people can access a particular web site but I cannot. I have searched for something that is set differently than the others but I am frustrated. Please help.

David
September 29, 2009 6:58 AM

ummm, Leo, stick to computers. The Dash Panel (not the metal and plastic construction you can see and touch and which is correctly named Instrument Panel in the automotive industry) or Floor Panel which are steel panels under your feet and between the interior of the car and the engine compartment, are NOT there primarily to "prevent fires from roasting the driver and passengers". Yes, it may have that benefit in certain rare circumstances but its sole purpose is as a structural component of the body and to mount 'things' on. And rest your feet :P. If you call that part of a car a firewall, it's poorly considered slang and quite misleading in its literal sense. Yes, I know people use the term but they're not using industry terminology.

The original firewall was a functional element of adjoining houses to prevent a fire in one from spreading to the other. In that context, a computer firewall is a perfect analogy.

Sorry to be picky but in a previous life I was an IP (Instrument Panel) engineering specialist in the auto industry - I couldn't let your example go unchecked.

Apart from that; great article.

Ramesh
September 29, 2009 9:09 AM

While I understand a broadband router could be an effective hardware firewall for PCs, I am not clear if it is functionally any different between a modem connected to a router vs a single unit with both modem and router.

Should be roughly equivalent. Quick test: if the IP addresses on your local network are "192.x.x.x" addresses, you're probably good - you have a NAT router, somewhere.
Leo
30-Sep-2009

Jack Murphy
September 29, 2009 11:02 AM

Reading the article on Firewalls reminded me of a personal experience I would like to share with your readers. I signed up for magicJack service for making free phone calls through your computer. [$40 first year, $20 yearly after.] For five weeks I could not make the thing work. Finally a company engineer shut off my Verizon Firewall and allowed only my Windows one. I began making my calls right away. The voice may fade a little sometimes but I am happy with it. Just watch out for two firewalls causing problems.

Mike Noonan
September 29, 2009 3:35 PM

I'd agree with only a hardware firewall if only one computer is being protected and it is a desktop computer and not a laptop that goes on the road.

The hardware firewall only approach fails to detect other computer(s) intranet access on the same subnet, say a home based LAN. If one of the other computers takes in a virus, e.g., via a USB flash drive, it could be spread to the other computers via rogue network access.

Therefore, I recommend always using a software firewall except for as noted above.

Jennifer
October 2, 2009 6:44 PM

Hi Leo,
AT&T came out yesterday to install internet service at my home. It's wireless and my desktop is working great. However, when I tried to access the internet from my laptop, it doesn't seem to work. Under "Network Connections", I right clicked on the "Wireless Network Connection" icon and when I click on "Enable" it says "Not connected, Firewalled" Is it possible to change the firewall settings so that I'm able to access the internet? I don't want to remove the firewall completely, for the reasons you stated in your article. Thanks!

Tonyo Carrera
August 31, 2010 8:44 PM

it is my personal experience that windows xp serv pack any is fully worthless protecting systems. Just check your windows internet temp folder, Every PC or laptop is under a constant attack of doubleclick and other uninvited intrusive most cases virus spyware and other malicious harmful often fatal results.
Fatal I mean that the wife of the poor husband finds childporn on the PC delivered direct or indirect by these dispeakable sites. When you start getting unstoppable popups you must run a scan on your pc!! I have used spybot search and destroy and its proven really great finding eliminating these spies.

Snert
June 7, 2011 9:57 AM

My experience; by using a software firewall that monitors traffic you will know if someone is 'phoning home' from unexpected activity.
The firewall I use has an icon on the Toolbar that shows innies and outties when there's traffic and if there's any when there ought not be, I go varmint hunting.
Despite all the safety precautions, even the best defenses can be breached. Inattention, a short between the ears, a mis-click - anything.

Allan
June 7, 2011 1:09 PM

I have a 'thingamajig' that my telephone line plugs into and then connects to my computer. Is it a router? or modem? or what? How do I know? It has 4 separate places that computers can plug into. It says WLAN on the front.
Thanks

Sasan
June 7, 2011 5:52 PM

Allan
Sounds like a modem!

Mark J
June 8, 2011 12:13 AM

@Allan
That's a WLAN router. It usually also contains a modem to send the signals out to the phone lines.
http://ask-leo.com/whats_the_difference_between_a_hub_a_switch_and_a_router.html

GREG JACKSON
June 9, 2011 11:05 AM

I've been using ZoneAlarm (free version) for several months now. At first it's somewhat annoying as it learns (configured by your input) but a few weeks later it hunkers down and warns of new or unusual traffic--- stops it--- provides info for you to decide. It does what it's supposed to do so I like it. I enjoy looking into the log just to see what it's been doing. Sometimes it seems to know what to do, like a deleted program in the recycle bin trying to connect to the outside. Blocked, w/o my input. Pretty cool.

Valid and useful, for sure. The problem I often see, though, is that the average computer user is confused by those annoying warnings, and often has no idea how to answer.
Leo
10-Jun-2011

jasom
September 5, 2011 12:43 AM

i cant play maplestory i realised that they said to check my firewall but i dunno what is that

John O'Shaughnessy
March 4, 2013 9:28 PM

thanks Mr. Nuttree... interesting facts.... especially if your ISP is providing a NAT router.. I was wondering about a firewall and what to use; through this article I got prompted to check my router settings and happily discovered a firewall is already active :)
