Windows Firewalls - Necessary Behind Home Router Firewall


    Since there is such a pool of talent here on the board I'll put out the question here.

    If you are running a home network behind a router on the back of a cable modem is it really necessary to run individual Windows firewalls on individual home PCs?

    Thanks all!
    Last edited by Bill Brower; January 9, 2016, 12:56 PM.


    ~Bill

    #2
    It depends. Do you trust all users/computers that are connected to your local network?



      #3
      Originally posted by iblis View Post
      It depends. Do you trust all users/computers that are connected to your local network?
      Dang it - I forgot to post that. Yes I do. I am down to one or two Windows PCs. One being my HS3 box with W7, MS Essentials updated, Chrome browser Flash / PDF, only surfing is for manuals and listening to Pandora. Most everything else is Android or Chromebook.

      Thanks for the response.


      ~Bill



        #4
        I will say yes.

        It's easy to get some bad code on a PC. And bad code's usually able to spread.

        The more firewall the better. But things have to work in daily use...... no easy answer.

        Regards
        Morten



          #5
          Originally posted by mhn View Post
          I will say yes.

          It's easy to get some bad code on a PC. And bad code's usually able to spread.

          The more firewall the better. But things have to work in daily use...... no easy answer.

          Regards
          Morten
          You are correct - I'll just keep manually opening port ranges that do not include FTP or Windows system ports.

          Thanks all!


          ~Bill



            #6
            I am using Norton 360 on all my computers. I have chronic problems of the computers crashing (locking up). I'm pretty sure it is an issue of HS3, my security cameras, and the Norton firewall. About every 3-4 days, I have to restart one of my 3 computers. I am reluctant to eliminate N360. It has found many threats over the years.

            SteveQ


            Sent from my iPad using Tapatalk
            HomeSeer Version: HS3 Pro Edition 3.0.0.368, Operating System: Microsoft Windows 10 - Home, Number of Devices: 373, Number of Events: 666, Enabled Plug-Ins
            2.0.83.0: BLRF, 2.0.10.0: BLUSBUIRT, 3.0.0.75: HSTouch Server, 3.0.0.58: mcsXap, 3.0.0.11: NetCAM, 3.0.0.36: X10, 3.0.1.25: Z-Wave,Alexa,HomeKit



              #7
              If you are running a home network behind a router on the back of a cable modem is it really necessary to run individual Windows firewalls on individual home PCs?

              Yes and no.

              Here make it such that any computer inside of the network gets its DNS from the PFSense Firewall mothership.

              If you let the browsers get their own DNS from wherever you will have issues.

              Here is a bit about DNS Hijacking.

              DNS hijacking or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries. This can be achieved by malware that overrides a computer's TCP/IP configuration to point at a rogue DNS server under the control of an attacker, or through modifying the behaviour of a trusted DNS server so that it does not comply with internet standards.

              These modifications may be made for malicious purposes such as phishing, or for self-serving purposes by Internet service providers (ISPs) and public/router-based online DNS server providers to direct users' web traffic to the ISP's own web servers where advertisements can be served, statistics collected, or other purposes of the ISP; and by DNS service providers to block access to selected domains as a form of censorship.

              A number of consumer ISPs such as Cablevision's Optimum Online, Comcast, Time Warner, Cox Communications, RCN, Rogers, Charter Communications, Plusnet, Verizon, Sprint, T-Mobile US, Virgin Media, Frontier Communications, Bell Sympatico, UPC, T-Online, Optus, Mediacom, ONO, TalkTalk, Bigpond (Telstra), and TTNET use DNS hijacking for their own purposes, such as displaying advertisements or collecting statistics. This practice violates the RFC standard for DNS (NXDOMAIN) responses, and can potentially open users to cross-site scripting attacks.

              The concern with DNS hijacking involves this hijacking of the NXDOMAIN response. Internet and intranet applications rely on the NXDOMAIN response to describe the condition where the DNS has no entry for the specified host. If one were to query the invalid domain name (fakeexample.com), one should get an NXDOMAIN response - informing the application that the name is invalid and taking the appropriate action (for example, displaying an error or not attempting to connect to the server). However, if the domain name is queried on one of these non-compliant ISPs, one would always receive a fake IP address belonging to the ISP. In a web browser, this behavior can be annoying or offensive as connections to this IP address display the ISP redirect page of the provider, sometimes with advertising, instead of a proper error message. However, other applications that rely on the NXDOMAIN error will instead attempt to initiate connections to this spoofed IP address, potentially exposing sensitive information.

              These days go light and still use free AV and AntiMalware and mostly pay heed to what web sites I go to. I let PFSense do the DNS stuff and the computers inside only get their DNS from PFSense.

              I do not open any ports to my automation or utilize the cloud for any automation.

              Rather here use IPSEC VPN which works fine these days.

              Personally Chrome hides things much better than Firefox. That is the way it is. It is a better user experience that drives this. IE: not to see while you are being hijacked. I am guessing if you do not see it then you are OK is what most folks like.

              IE: the tablet (any OS these days) does this the best and provides the user with the best experience (while it does its geotracking, DNS stuff, et al that you do not know about).

              Personally here now while typing on my PC I feel much more comfortable than trying to type on my tablet. It just works better for me to use two hands to type on a keyboard and to look at my LCD monitor. Kind of like driving a car in a way.

              That and I have a wireless keyboard and stand for my tablet but still prefer the old PC to do this. (guess I am just old fashioned here?)

              Now too and lately the ISPs are configuring public wireless on the combo boxes you rent while concurrently locking the user from said configurations.

              They advertise this feature as a public service announcement while concurrently using their installed combo base which personally is mickey mouse because you are paying for it.

              Similar to paying extra for high definition TV whereas HD is now a mandate of television transmissions.
              Last edited by Pete; January 9, 2016, 02:45 PM.
              - Pete

              Auto mator
              Homeseer 3 Pro - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e 64 bit Intel Haswell CPU 16Gb
              Homeseer Zee2 (Lite) - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e - CherryTrail x5-Z8350 BeeLink 4Gb BT3 Pro
              HS4 Lite - Ubuntu 22.04 / Lenovo Tiny M900 / 32Gb Ram

              HS4 Pro - V4.1.18.1 - Ubuntu 22.04 / Lenova Tiny M900 / 32Gb Ram
              HSTouch on Intel tabletop tablets (Jogglers) - Asus AIO - Windows 11

              X10, UPB, Zigbee, ZWave and Wifi MQTT automation-Tasmota-Espurna. OmniPro 2, Russound zoned audio, Alexa, Cheaper RFID, W800 and Home Assistant



                #8
                IMO running AV software is needed and the way to go. So many including Norton use high CPU, and cause application issues. My preference is ESET AV software after years of running 1,000+ seat companies and seeing desktop issues related to McAfee and Norton 360.

                Before you try other AV software packages I would recommend shutting off the active network intrusion option. Almost every issue is related to active network packet inspection services of the AV software. Disable that and let the Windows Firewall protect you, and the AV software scan for viruses and threats.

                If you were outside on public networks I'd consider enabling the active intrusion inspection option on your AV software.

                -Fred
