Doing a diff on the iptables rules I can see that disabling the firewall a) changes the default FORWARD policy to ACCEPT, and b) removes all the rules (about 11 in my case) on the INPUT chain that drop unsolicited traffic.
It's my understanding that the only "firewall" provided by Asus Routers is the inherent protection provided by NAT. So what exactly does the "Enable Firewall" button do?
It's much more than NAT. There are a lot of iptables rules in there to determine what traffic can access the router itself, and which interfaces can communicate together. There are also the default policies for each of the iptables chains.
Without a firewall = everything running on your router would be open to the WAN, including Samba.
Double NAT is only if you have a modem in front of the router, and haven't set it to bridge mode, which disables the modem's firewall, leaving only the router's, thus preventing a conflict.
Got it. So in my case, I'm running double NAT, so it wouldn't really matter, and in fact might even be desirable to turn off. Thanks for the answers everyone.
Just remember - NAT is a firewall in and of itself...
If one doesn't need to forward ports - all good...
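The iptables comparison described in the thread can be reproduced by saving the rule set with `iptables-save` before and after toggling the setting and comparing the two dumps. The script below is an added example, not code from any poster or from the router firmware; both dumps are constructed samples, and the function names and the interface names `br0` and `eth0` are assumptions.

```shell
#!/bin/sh
# Added example: compare two iptables-save dumps (firewall on vs. off).
# Both dumps are constructed samples, not output from a real router;
# the interface names br0 and eth0 are assumptions.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/on.rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT
COMMIT
EOF

# Firewall off, as described in the thread: the FORWARD policy becomes
# ACCEPT and the INPUT rules are gone.
sed -e 's/^:FORWARD DROP/:FORWARD ACCEPT/' -e '/^-A INPUT /d' \
    "$tmp/on.rules" > "$tmp/off.rules"

# Print "TABLE CHAIN OLD->NEW" for every chain whose default policy differs.
policy_changes() {
    awk '/^\*/ { t = substr($1, 2) }
         /^:/  { k = t " " substr($1, 2)
                 if (pass == 1) old[k] = $2
                 else if ((k in old) && old[k] != $2) print k, old[k] "->" $2 }' \
        pass=1 "$1" pass=2 "$2"
}

# Print the rules of chain $3 that are in dump $1 but missing from dump $2.
removed_rules() {
    awk -v chain="$3" '/^\*/ { t = substr($1, 2) }
         $1 == "-A" && $2 == chain {
                 k = t " " $0
                 if (pass == 1) kept[k] = 1
                 else if (!(k in kept)) print }' \
        pass=1 "$2" pass=2 "$1"
}

echo "Default policy changes:"
policy_changes "$tmp/on.rules" "$tmp/off.rules"
echo "INPUT rules removed:"
removed_rules "$tmp/on.rules" "$tmp/off.rules" INPUT
```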