Firewall config confusion

  #1  
Aug 19th, 06, 1:02 AM
Core

I prefer to use at least some kind of firewall. For a while, I've been relying on my router's firewall, with the addition of Windows Firewall... However, I've run into some issues that are forcing me to find an alternative way, and I am having trouble with it.

Essentially, I have trouble configuring a firewall. I am using an application which requires a wide range of open ports for communication across the Internet. Wide as in 50000-65535. My router's firewall does not allow opening a range of ports, which renders the application unusable. So, I "dmz'd" as best as I could the router's firewall, and set up ZoneAlarm, since I don't believe Windows Firewall allows opening port ranges either. At least I didn't see such an option when I looked it over. I'd rather use Windows Firewall but I don't know if it can do what I need it to do.

However, if I use the recommended setting for Internet, the High security setting, I can't even browse the Internet. Medium setting works, but I hate feeling like I am jeopardizing something security-wise.

Furthermore, I am feeling uneasy as to what ZA is considering to be the Trusted Zone. When I installed it, it identified a "network" which I assumed was the LAN (consisting of this computer (XP) and the 2nd computer (2K)). I assigned that as the Trusted Zone because these two computers share folders and printers... I hope I did right.

I'm sorry if this isn't making much sense but I'm not really used to dealing with firewalls. In the years past I've pretty much gone with default settings with whatever I've been using, so long as it has worked. I think this time around a lot more tweaking is needed.

This is the scenario:

Two computers, one is a DELL running XP Pro, the other is a COMPAQ running Windows 2000 Advanced Server (My father-in-law's old copy, he didn't need it anymore and I don't have the workstation version so I'm running that as a desktop OS). Both are connected to a Zonet ZSR0104CP router, which is then connected to a cable modem, Arris TM402G/110. The Arris, as far as I know, doesn't have any firewall capabilities. The router DHCPs the two comps from a range of two possible IPs. The Zonet doesn't have firewall set up because its firewall cannot be configured correctly for an application on the DELL to be able to function.

The DELL is running ZoneAlarm. The COMPAQ at the moment has no firewall configured. Then again it is a server OS so I'd assume it's relatively locked down by default.

Some questions:

1. Does the COMPAQ need to be running its own firewall application?

2. The Trusted Zone in ZoneAlarm is specified as 192.168.1.0. 192.168.1.1 is the router...what does 192.168.1.0 refer to?

Since installing ZoneAlarm, web browsing has gotten slow, and I am getting server response failures for no reason.

I feel like this is unnecessarily complicated. If you have any suggestions as to how to make this simpler, I welcome the input.




Last edited by Core; Aug 19th, 06 at 1:06 AM.
  #2  
Aug 19th, 06, 3:45 AM
wifiknight
Honestly, unless you're running some kind of server, a simple router should be sufficient enough in conjunction with Windows Firewall.

I've found ZA to just be bloatware for most people.



  #3  
Aug 19th, 06, 12:04 PM
Core
Hmmm, yes... If Windows Firewall could be config'd to allow port ranges, I'd use it instead. I am not sure why you mentioned the router; as it is, the router is not blocking anything; it is allowing incoming packets through ALL ports, which is the only way this will work. Hence the software-based, 3rd party firewall.



  #4  
Aug 19th, 06, 6:08 PM
Cryptoboats
To start off answering your specific questions:
Quote:
1. Does the COMPAQ need to be running its own firewall application?
No, like wifiknight said, as long as you are behind the router, the Windows Firewall is sufficient. Now the router is not blocking anything like a firewall would, but it is providing your computers internal to your network with a Network Address Translation (NAT). With the NAT an attacker can't see any computer on your network, only the router. He/She would have to hack and gain access to the router before they could even see your local desktop, and then have to hack even more to gain access to your computer. Too much effort on the attacker's part to gain access to someone's home network.


Quote:
2. The Trusted Zone in ZoneAlarm is specified as 192.168.1.0. 192.168.1.1 is the router...what does 192.168.1.0 refer to?
192.168.1.0 refers to the entire Class C range 192.168.1.1 - 192.168.1.254.


Quote:
If you have any suggestions as to how to make this simpler, I welcome the input.
Windows Firewall doesn't allow you to open a range of ports; to do so means you have to list each port individually. With the extremely wide range you have posted, opening each port individually wouldn't be worth the effort. You can, however, tell Windows Firewall to allow a program to have full access to the Internet. I would try opening the firewall that way and see what happens.

I hope this helped.




Last edited by Cryptoboats; Dec 21st, 06 at 8:58 AM. Reason: Spelling
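
Added example, not part of any poster's reply: a small Python model of the host-firewall policy discussed in this thread (a trusted LAN subnet plus the 50000-65535 application range behind a DMZ'd router), showing what the 192.168.1.0 zone covers and how inbound connections would be decided. The /24 mask, the LAN host address, the listening port and all sample connections are assumptions made for illustration.

```python
import ipaddress

# Assumptions (not from the thread): the /24 mask that "Class C" implies,
# the address of the second LAN PC, and every sample connection below.
TRUSTED_ZONE = ipaddress.ip_network("192.168.1.0/24")
APP_PORTS = range(50000, 65536)  # 50000-65535 inclusive, the range in the thread


def describe_zone(net):
    """Return (network address, first host, last host, broadcast) of a subnet."""
    hosts = list(net.hosts())
    return (str(net.network_address), str(hosts[0]), str(hosts[-1]),
            str(net.broadcast_address))


def decide(src_ip, dst_port, listening_ports):
    """Evaluate one inbound connection against the simplified policy.

    Order matters: trusted-zone traffic is accepted first (file and printer
    sharing), then the application's port range, then default deny.
    """
    src = ipaddress.ip_address(src_ip)
    if src in TRUSTED_ZONE:
        return "allow: trusted zone"
    if dst_port in APP_PORTS:
        # With the router in DMZ mode this range is reachable from anywhere,
        # so accept only ports the application is actually listening on.
        if dst_port in listening_ports:
            return "allow: application port"
        return "drop: port in range but nothing listening"
    return "drop: default deny"


# Constructed sample traffic (203.0.113.0/24 is a documentation range).
SAMPLES = [
    ("192.168.1.3", 445, "second PC reaching a shared folder"),
    ("203.0.113.7", 51234, "Internet peer reaching the application"),
    ("203.0.113.7", 445, "Internet host probing file sharing"),
    ("203.0.113.9", 60000, "Internet host probing an unused high port"),
]

if __name__ == "__main__":
    print(describe_zone(TRUSTED_ZONE))
    for src, port, note in SAMPLES:
        verdict = decide(src, port, {51234})
        print(f"{src:>13}:{port:<5} {note:42} -> {verdict}")
```

The per-program exception suggested above corresponds to the "nothing listening" branch: a port in the range is only reachable while the application has it open.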
  #5  
Aug 19th, 06, 10:10 PM
wifiknight
Yeah, if you're looking for a more custom solution, then I'll give this a few mins of thought. It all depends on what you're protecting, honestly.

If you really needed to have that range specifically open for something, there are ways to do it without using bloatware.



  #6  
Aug 22nd, 06, 2:49 PM
Core
Thanks for the replies, fellas.

My 2nd computer died again, the hard drive won't run, so I guess that solved my networking problem. I can just forget about the router for now.

I appreciate the replies; the bit about configuring Windows Firewall was especially interesting and educational.


