Firewall, Do I need it? How do I use it? Logs?
Damion Milliken
post Sep 3 2003, 04:57 AM
Post #1


7500G Aficionado
******

Group: Members
Posts: 1,085
Joined: 28-March 03
From: Canberra
Member No.: 15



The 74xGE series of routers supports a Stateful Packet Inspection (SPI) firewall. What this means is that the firewall is "smart", and it 'inspects' outgoing packets that meet the approval criteria, and allows returning information that is coming back as a result of those "allowed" packets to be let through the firewall. This is pretty typical of firewalls today, but it is actually quite sophisticated and extremely handy.

Anyway, the first point I want to touch on is the question: do I actually need a firewall?

If you have to ask this question, or wonder about it, then, to be honest, the answer is probably "no". The firewall on the 74xGE series is a "hardware" firewall (as distinct from a "software" firewall that runs on your computer such as the built in WinXP one, or something like ZoneAlarm). As such, it performs similar functions to a software firewall, but it also performs differently to a software firewall. It is handy, in that if you run a whole network of computers then you only need to configure the firewall once. It is less convenient, though, simply because of the reason that it runs separately from your computer, and thus has no knowledge of the programs that you run on your computer.

The main reason that you would not need the 74xGE's firewall is that, for pretty much everyone, and especially home users, the Network Address Translation (NAT) that the router performs actually provides the same level of security as the firewall, with only 10% of the hassles for configuration and management. NAT works in a very similar way to the SPI firewall. It checks outgoing packets coming from your internal, private, protected network. It then "masquerades" the internal private IP address of your computer, and replaces the address with the real world WAN IP address of the router itself. The request then goes out into internet land, gets your data, and comes back. Whenever data comes to the WAN side (outside) of the router, it checks to see if there is a NAT session associated with the data. If there is not (eg a hacker probing your WAN IP), then the router discards and ignores the packet. If there is (ie, if the returning data is coming back because of a request from an internal computer), then the router "un"-NATs the data, and sends it inside the network to the computer that requested it. In this way, the NAT acts quite similar to an SPI firewall. In fact, you will often see basic NAT routers (with no firewalls at all) advertised with "natural NAT firewall" features. This is a little misleading, as NAT is not a firewall. But what the manufacturer (or their marketing department, at least) is getting at is that NAT is very similar to a firewall, and often good enough.

Firewalls really come into play when you're running real IP addresses on your internal network, or when you want to control the external access that your internal client computers are allowed to have. If you want your internal computers to be able to access as much as possible, then you really don't need a firewall - you need NAT. If you want to restrict what your internal computers can access (eg, firewall off Messenger, or IRC, or FTP from your small business to stop employees wasting time or download limits), then a firewall is what you'll need. Likewise, if you're running a fully routed subnet of real world IP addresses, rather than a private subnet, then firewall features on your border router can be very useful.

What I'm getting at here, is that if you're going to try to tweak your "firewall" to get as much access from your LAN to the internet as possible (eg, to use DCC, all manner of games, etc), then you really don't entirely understand the need or use for a firewall, and are most likely just thinking that "I need a firewall because I saw that Today Tonight report on 'Bad Internet Hackers', and they recommended that I get a firewall". If that sort of reason is the only reason that you're turning on the firewall features of the 74xGE, then you can pretty safely turn them off again, and save yourself a lot of headaches, because NAT will protect you from any random probe or scan.

However, just to clarify, NAT will not help you with things like:

* Trojans running on your computers and doing things like allowing outside access to your PCs. If you get Back Orifice, or any of the myriad of other nasty backdoor programs, then NAT will happily and merrily allow the data to go out of your network (after all, it originates from your computer). Then, malicious forces out there in internet land can probably use this trojan to connect to your computer. A true firewall, on the other hand (if configured correctly), will stop the trojan from getting outside of your network.
* A dedicated, intent, highly skilled hacker. If you really have something to protect, and someone really wants to get to it, then getting past a NAT router will be marginally easier than getting past a combination NAT router and SPI firewall. However, to be honest, the level of commitment and dedication that would be required of the attacker to just get past NAT would not be much less than what it would take to get past NAT and the SPI firewall. And either way, it would be a lot of effort. If you're not hiding multi-million dollar commercially sensitive secrets, governmental national security data, or military black ops programs personnel listings, then you really don't need to be too concerned about someone putting that much effort into hacking your router or network.
* By relying on NAT, you can shoot yourself in the foot with regards to security if you play with port forwarding too much. See my post below for more information.

In order to avoid trojans (the greatest failing of hardware firewalls), you would be advised to:
* Either configure your hardware firewall very well; or
* Use a software firewall (these control which individual programs on your computer can use the network, and thus allow you to catch trojans even before they get outside your computer);
AND:
* Use an up-to-date virus scanner. Firewalls do not help you at all with respect to virii. They will help you avoid worms, and sometimes trojans. However, you are still very vulnerable to virii. The good thing about running a virus scanner is that it will also (if you keep it up to date) pick up worms and trojans.
* Use common sense. Don't be a gimboid and run any old attachment that arrives in your mailbox. If you don't know who it came from, or even if you do, but you don't know what it's about, then it's probably a virus/trojan/worm. Don't run it! If some dodgy website wants you to download and install some unknown "browser helper", "software", "plugin", or anything else, tell it to bugger off. There's a good chance it's something dubious. Use your brain.

If you're still intent on running the hardware firewall on the 74xGE, then:

1) Be prepared to learn something. IT professionals don't get paid big dollars to configure things like network border routers and firewalls because it's easy enough for Mom & Pop at home with their $300 SOHO router to do it.
2) Expect that you will get headaches, frustration, and other problems (possibly including, but not limited to, hair loss, temper tantrums, loss of sleep, anxiety attacks, and redness in your eyes).

The first thing that you'll want to become familiar with regarding the firewall is the logging. The 74xGE series has detailed logs of what the firewall is blocking. Usually, looking at these can tell you what's going wrong, and why your favourite Instant Messenger (IM) program or game isn't working. To turn on the firewall logging, go to "Configuration", "Firewall", "General Settings", tick the "Enable Blocking Log" box, and click "Apply". Don't forget to "Save Config to FLASH" if you want your settings to be there if the router reboots. Note, that firmware versions prior to 4.23 had a web interface "bug" in which enabling or disabling firewall logging resulted in your custom "Packet Filter"s being deleted. So you'd be advised to upgrade to the most recent firmware version if you're running something older than 4.23.

Now, you should be able to go to "Status", then "Event Log", and you'll see (among other things) the 74xGE's firewall logs. A good technique is to try to use the software that you're having difficulties with, and then immediately look here to see what was getting blocked.

Here's a typical firewall log message:

Aug 17 10:22:55 NETSPACE:Firewall: INFO : Blocked Prot = 17, 192.168.1.3:12203 > 10.15.254.103:12203 - Default Defense

Here's a breakdown of what the log message means:

Aug 17 10:22:55: The time the event occurred (at least, the time that the router thinks this event occurred, which will depend on whether its clock is set correctly or not).

NETSPACE: The name that has been given to the router.

Firewall: To let you know this is a firewall related log message.

INFO: This is only an information level message, as against a warning or error message.

Blocked Prot = 17: The blocked protocol was number 17. Check out IANA's Assigned Protocol Numbers for what each number means. Common ones that you'll come across are:

1: ICMP. Used for things like ping. Check out IANA's ICMP Type and Code Fields for what different sorts of ICMP packets mean.
6: TCP. The most common protocol on the internet. Check out IANA's Listing of Registered TCP & UDP Port Numbers for what many TCP ports are associated with. Note, however, that many programs use unregistered ports, or even use ports that are registered to other programs.
17: UDP. Used for things like games. The 2nd most common protocol. Check out IANA's Listing of Registered TCP & UDP Port Numbers for what many TCP ports are associated with. Note, however, that many programs use unregistered ports, or even use ports that are registered to other programs.
47: GRE. Used for PPTP VPNs.
50: ESP. Used for IPSec VPNs.
51: AH. Used for IPSec VPNs.

192.168.1.3: The source IP address of the blocked packet. In this case, the source was an internal computer on the default private network (the 74xGE routers run on the 192.168.1 subnet by default, with an IP address of 192.168.1.254, and hand out DHCP addresses in the range 192.168.1.1 to 192.168.1.20).

12203: The source port of the blocked packet.

>: The direction the blocked packet was travelling was internal to external.

210.15.254.103: The destination IP address of the blocked packet.

12203: The destination port of the blocked packet. This is what you need to open up an entry for in your firewall. Firewalls allow or block packets based on their destination port.

- Default Defense: The reason the packet was blocked. In this case, the firewall rules had a default policy of "block everything", and there were no explicit rules to allow this packet (other reasons may include DoS attacks, for instance). Check out Trev's Firewall Log Messages Explained page for more information on this (and other) firewall related log information.

If you're really serious about firewalling, then I would suggest that you start by setting a default policy of "deny everything". To do this, go to "Configuration", "Firewall", "General Settings", select the "All blocked/User-defined" "Firewall Policy:", choose the "Enable" "Firewall Security:" setting, and click "Apply" (also make sure that you ticked the "Enable Blocking Log" box).

Then, you can try to use each program in turn, note the ports that get blocked, and allow them. For instance, web browsing uses HTTP, which runs on the TCP protocol on port 80. When your computer wants to browse a web site, it will open up a network port on your computer (randomly, something like 25830), and connect to the remote web server on TCP 80. To allow TCP 80, you would go to "Configuration", "Firewall", "Packet Filter", "Port Filters...", "Add TCP Filter...", specify a "Start Port" and "End Port" of 80, set "Inbound" to "Block" and "Outbound" to "Allow". This will allow outgoing data on TCP 80, but will block anyone on the internet who tries to connect to your WAN IP address on port 80.

The 74xGE has built in packet filters for TCP and UDP. For anything else, you'll have to use the "Add Raw IP Filter..." facility, and specify the protocol number yourself.

There are a number of ports that you're going to probably need no matter what. These are:

TCP 53 and UDP 53: DNS services. This allows computers to translate hostnames (eg www.google.com) to IP addresses (216.239.51.99).
TCP 80: HTTP (web).
TCP 443: HTTPS (for SSL secured web sites).
TCP 25: SMTP (for sending email).
TCP 110: POP3 (for receiving email - unless you use IMAP).
UDP 123: NTP (if you've configured the 74xGE to get its time from a time server).
UDP 7070: RealAudio.
TCP 21: FTP.

In general, there is no need to allow anything in an "Inbound" direction, unless you're running a server of some kind. Note that the term "server" is a bit variable, and things like audio/video conferencing or IM software run "servers" to enable two-way connections, and hosting a game is the same as running a game "server" most of the time. Check the logs and make sure of the direction of the firewall block.

For additional information, you may be interested in:

Default Defence - the post that prompted this FAQ.
74xGE Series Firewall Manual
Trev's "Firewall log messages explained" Page

BroadBand Reports Security FAQ
Firewall Forensics

TCP/IP Ports
Practically Networked: Special Application Port List

I find the following web based port scanner to be handy for simple firewall/NAT evaluation:
Broadband Reports Tools
Sygate Online Scan
GRC Shields UP! - ignore all the other alarmist crap on this site.
Security Metrics Free Port Scan & Firewall Test
Speed Guide Security Scan
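As an added illustration (not code from the post or from the router's firmware), here is a small Python parser for the "Blocked" log message broken down in the post, together with the Packet Filter entry that would unblock the traffic. It assumes that "<" marks the reverse direction to the documented ">" (the post only shows ">"), and the second sample line is a constructed GRE block.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Protocol numbers the post walks through (a subset of IANA's assigned numbers).
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}
# Shape of the 74xGE "Blocked" message as broken down in the post.  Ports are
# optional so that port-less protocols (ICMP, GRE, ESP, AH) parse too.  The post
# documents only ">" (internal to external); treating "<" as the reverse
# direction is an assumption of this example.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<router>[^:]+):Firewall: "
    r"(?P<level>\w+) : Blocked Prot = (?P<proto>\d+), "
    r"(?P<src>\d+(?:\.\d+){3})(?::(?P<sport>\d+))? (?P<dir>[<>]) "
    r"(?P<dst>\d+(?:\.\d+){3})(?::(?P<dport>\d+))? - (?P<reason>.+)$"
)

@dataclass(frozen=True)
class BlockedPacket:
    timestamp: str
    router: str
    level: str
    proto: int
    src: str
    sport: Optional[int]
    outbound: bool      # True when the log shows ">" (internal to external)
    dst: str
    dport: Optional[int]
    reason: str

    @property
    def proto_name(self) -> str:
        return PROTO_NAMES.get(self.proto, f"proto {self.proto}")

def parse_blocked(line: str) -> Optional[BlockedPacket]:
    """Parse one Event Log line; None for lines that are not firewall blocks."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return BlockedPacket(
        timestamp=m["ts"], router=m["router"], level=m["level"],
        proto=int(m["proto"]), src=m["src"],
        sport=int(m["sport"]) if m["sport"] else None,
        outbound=(m["dir"] == ">"), dst=m["dst"],
        dport=int(m["dport"]) if m["dport"] else None,
        reason=m["reason"].strip(),
    )

def suggest_filter(pkt: BlockedPacket) -> str:
    """The Packet Filter entry the post says unblocks this traffic: filters match
    on the destination port, in the direction that was blocked."""
    direction = "Outbound" if pkt.outbound else "Inbound"
    if pkt.proto in (6, 17):  # TCP and UDP have built-in port filters
        return (f"Add {pkt.proto_name} Filter: Start Port {pkt.dport}, "
                f"End Port {pkt.dport}, {direction} Allow")
    return f"Add Raw IP Filter: Protocol {pkt.proto} ({pkt.proto_name}), {direction} Allow"

# Constructed sample: the line quoted in the post plus a made-up GRE block.
SAMPLE_LOG = [
    "Aug 17 10:22:55 NETSPACE:Firewall: INFO : Blocked Prot = 17, "
    "192.168.1.3:12203 > 10.15.254.103:12203 - Default Defense",
    "Aug 17 10:25:40 NETSPACE:Firewall: INFO : Blocked Prot = 47, "
    "192.168.1.3 > 10.0.0.9 - Default Defense",
]
```

Feeding a whole Event Log through parse_blocked and grouping the results by protocol, destination port and direction shows which rule is missing for the program that keeps failing.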
Damion Milliken
post Sep 3 2003, 04:27 PM
Post #2

Allowing all outbound means that your firewall is only marginally different to plain NAT. You won't catch trojans, and you aren't stopping internal computers from accessing whatever they like (which can cause problems if someone infected with MBlaster comes to visit, for instance). However, that said, your setup is very secure from an external point of view. You just have to be responsible and careful with how you manage your internal computers. For the record, here is my firewall config, which you'll find is similar to yours:

I've set the default policy to "All blocked/User-defined".

Type  Start Port  End Port  Inbound  Outbound
TCP   113         113       Allow    Allow
TCP   1723        1723      Allow    Allow
TCP   3000        3020      Allow    Allow
TCP   6891        6891      Allow    Allow
ICMP  N/A         N/A       Allow    Allow
47    N/A         N/A       Block    Allow
TCP   0           65535     Block    Allow
UDP   0           65535     Block    Allow

It's essentially not different to running with the firewall disabled...
Damion Milliken
post Sep 21 2003, 09:39 AM
Post #3

NAT Security and Port Forwarding/Virtual Server/DMZ

The inherent security of NAT that I describe above can be made less secure by the functions of port forwarding (known as "Virtual Server" on the 74xGE). As I described above, NAT will drop any incoming connection that it is not aware is associated with an outgoing connection from your private network. This is a great security feature. However, it has a couple of major drawbacks, the most prominent of which is if you actually want to receive unannounced incoming connections for some reason. Historically, the only reason you would want to do this would be if you were running a server of some sort, such as a web server, mail server, FTP server, IRC server, etc.

Nowadays, however, there are many more reasons that you might want to run a "server". Most of these reasons are not for "true" servers (although some are), but are analogous in their functionality because a program wishes to open ports on your computer and listen on them for incoming data for some reason. The simplest of these is hosting multi-player games. By hosting a game, you are essentially running a "game server". As such, you'll generally find it necessary to use the "Virtual Server" functions of the 74xGE to port forward 1 or more ports to your internal game host computer. This allows other people on the internet to "log in" to your network game. Other common examples are multi-media audio/video conferencing and chat software. These typically want to open up ports on your computer and expect that the other people involved in the conference or chat will be able to directly connect to those ports on your computer. Likewise, you'll often need to set up some port forwards to allow other people this direct access.

While in principle there is nothing wrong with doing this, you need to be aware of the security implications. When port forwarding a port, you'll always need to set up an "Inbound" "Allow" rule for this port on your firewall as well. Otherwise the firewall will block the incoming connection. However, the main issue is that port forwarding pokes holes in your NAT router. If you just allowed an incoming connection on that port through the firewall, the NAT router would still drop the connection. By port forwarding, you're allowing any remote computer at all to make a connection to your internal computer on that port. The remote computer doesn't have to be someone you're wanting to chat/conference/game with. It could be anybody at all who's port scanning your WAN IP address.

Now, granted, this typically won't be a problem, as these sorts of things (1) tend to run on obscure ports that are more difficult to find, and (2) unless you're running the program that wants the ports, then your computer will just tell the connecting computer that there's nothing listening on that port, and drop the connection. However, even if you are running the program that wants the port, how much do you trust it? What is it going to do when it receives an incoming connection? Is it well written? Will it cause your computer to misbehave? Will it crash? Are there bugs in the software that people can exploit to cause it to do malicious things to your computer? Do you trust the programmers not to have included any "back doors" in the software, whereby if they connect to the program on the port forwarded port, and specify particular commands, it will do something like open up your computer for them to control? Now, admittedly, these situations are relatively unlikely, but you should be aware of the possibilities.

One of the most dangerous things about port forwarding, though, is the ability to forward all protocols and all ports. This is really not too much different from having your computer directly connected to the internet with no NAT and no firewall. There are legitimate reasons for doing this (some programs require large amounts of open ports, or use ports that are not able to be predicted and port forwarded). However, if you're going to do this, then you will need a good software firewall on your computer, and you would be advised to actually know how to use it.

There are 2 ways to forward all ports. The first is "DMZ". This stands for "De-Militarised Zone". In the context of port forwarding what it does is forwards all protocols and all ports to the specified internal IP address. Additionally, with the 74xGE, specifying "Protocol" "all" in a custom Virtual Server configuration also has the same effect (see Virtual Servers "all" protocol - redesign for more information). For this reason, I would advise against using the "all" selection for "Protocol" EVER, as this is really a bug in the Virtual Server design.

The reason that the "all" "Protocol" option is really a bug is due to the way NAT, port forwarding, and DMZ work. As you might have considered, what happens if you have custom Virtual Server settings, and also set a DMZ host? The answer to this is that there is a priority to NAT and port forwarding. If a packet (a piece of data) from the internet arrives at the WAN IP address of your 74xGE, it is checked to see how it should be handled:

1) The highest priority is if the data is associated with a current NAT session. If, for example, your computer sent a request to a web server (TCP 80) from TCP 20001, then the data will return on TCP 20001 from the web server. The 74xGE remembers this, and forwards the data to the internal computer.
2) If there is no NAT session attached to the incoming data, the 74xGE checks for a custom Virtual Server configuration option for that protocol and port. If you've set up a Virtual Server for TCP 20001 for some reason (eg a game server), then the data will be forwarded to the appropriate internal computer.
3) If there is no NAT session, and no custom Virtual Server configuration, but there is a DMZ host specified, then the data will be sent to the DMZ host. If there is no DMZ host, then the data will be dropped.

As such, it is only possible to have 1 DMZ host. I'm not exactly sure what happens if you have a DMZ host and specify an "all" "Protocol" in a custom Virtual Server configuration, but I would imagine that the list is processed from top to bottom. As such, any custom Virtual Server configurations and the DMZ host (if set) that occur after a custom Virtual Server "all" "Protocol" would effectively be ignored.
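The three-step priority described above, as an added Python model (not the 74xGE's code or anything from the post): it classifies a packet arriving on the WAN side and reports which Virtual Server entries an "all" Protocol entry makes unreachable. It assumes a simplified NAT table keyed on the five values shown in the post's TCP 20001 example, and that Virtual Server entries are processed top to bottom, which the post itself only guesses.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ALL = "all"  # the Virtual Server "Protocol" choice the post warns against


@dataclass(frozen=True)
class Packet:
    proto: str            # "TCP", "UDP", "GRE", ...
    src: str              # remote IP address
    sport: Optional[int]  # remote port (None for port-less protocols)
    dport: Optional[int]  # port on the router's WAN address the packet arrived at


@dataclass(frozen=True)
class VirtualServer:
    proto: str            # "TCP", "UDP", ... or ALL
    port: Optional[int]   # ignored when proto == ALL
    host: str             # internal IP the port is forwarded to


@dataclass
class Router:
    # Simplified NAT table: (proto, lan_host, lan_port, remote_ip, remote_port).
    # As in the post's example, a request from TCP 20001 to a web server's TCP 80
    # means the reply comes back to TCP 20001 from that server.
    nat_sessions: Set[Tuple] = field(default_factory=set)
    virtual_servers: List[VirtualServer] = field(default_factory=list)
    dmz_host: Optional[str] = None

    def open_session(self, proto, lan_host, lan_port, remote, remote_port):
        """Record the state an outgoing connection leaves behind."""
        self.nat_sessions.add((proto, lan_host, lan_port, remote, remote_port))

    def route_inbound(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        """Return (decision, internal host) for a packet arriving on the WAN side."""
        # 1) A reply to an existing NAT session always wins.
        for proto, host, lan_port, remote, remote_port in self.nat_sessions:
            if (proto, lan_port, remote, remote_port) == (pkt.proto, pkt.dport, pkt.src, pkt.sport):
                return ("nat-session", host)
        # 2) Custom Virtual Server entries, checked top to bottom (the post's
        #    assumption about ordering). An ALL entry matches every packet, so
        #    every entry below it and the DMZ host become unreachable.
        for vs in self.virtual_servers:
            if vs.proto == ALL or (vs.proto == pkt.proto and vs.port == pkt.dport):
                return ("virtual-server", vs.host)
        # 3) DMZ host if one is set, otherwise the packet is dropped.
        if self.dmz_host is not None:
            return ("dmz", self.dmz_host)
        return ("drop", None)

    def shadowed_by_all(self) -> List[str]:
        """Entries that an earlier ALL Virtual Server makes unreachable."""
        shadowed, seen_all = [], False
        for vs in self.virtual_servers:
            if seen_all:
                shadowed.append(f"{vs.proto} {vs.port} -> {vs.host}")
            elif vs.proto == ALL:
                seen_all = True
        if seen_all and self.dmz_host is not None:
            shadowed.append(f"DMZ -> {self.dmz_host}")
        return shadowed
```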