Using a PC for a Firewall

kuroteckie

Nov 14, 2017
Good morning techies,

My brother was playing Destiny 2 the other day, and when he won we got hit with a DDoS attack, as it temporarily cut off internet connections to my home network. As I skimmed articles and forums on the web, I found that this was happening to others as well. One person who fell victim to it was a cyber professional in IT and posted a lengthy article of advice for people wanting to prevent this from happening again.

https://www.reddit.com/r/DestinyTheGame/comments/77ejwz/cheaters_ddos_and_destiny/


One interesting thing that he shared is that you can use an old computer as a firewall running intrusion detection and intrusion prevention, using:

- An (old) computer
- Snort
- pfSense


My question is whether or not this is possible. If it is, wouldn't I have to set up some kind of port mirror or have my router forward the traffic to that firewall PC? I have a stock Verizon router and I was under the impression it would be able to negate, or at least warn me of, the increased traffic. Then again, I'm not that versed in the intricacies behind that kind of attack.
 


Interesting, that's good to know. What about the other part of my question? Am I able to make a firewall on a PC?
 
Sure you can make a firewall out of a PC. You have to have at least two Ethernet ports. Your Verizon router may be able to be set to bridge mode, which forces it to act as a modem only. Then you would have your PC firewall, then a switch and a Wi-Fi access point to provide Wi-Fi. The Wi-Fi from your Verizon router would no longer function.
 


Which one do you prefer?
 
Other than something to play with, you are not going to actually accomplish much with a firewall. The router itself, when it is running NAT, protects your internal machines. When traffic comes into your house from the internet, the router looks in the NAT table to see which machine the traffic is supposed to be sent to. When it finds nothing, it just drops the traffic.

This is one of the key rules you turn on in a firewall: traffic is only allowed to return to the internal machines that initiated the transfer... but NAT does the same because it is stupid.

So you have pretty much eliminated any attacks coming in from the internet with NAT alone. If you port forward, that puts a NAT rule in, but a firewall likely cannot detect any form of attack on a game session.

A DDoS attack is exactly what the name says... a denial of service. You can do nothing; all the damage is done. By the time your router/firewall sees anything, the bandwidth has already been used to get to your house. To do anything, the firewall would have to be someplace in the ISP network. Since you hear of large game companies having their servers knocked offline for many hours, even the best firewalls in the ISP networks have trouble preventing it.

The key here is to never expose your public IP address. Best would be if gamers would not be so desperate to play games with a design so poor that it exposes IP addresses. If people just refused to buy these, the game companies would be forced to solve this issue.

Your best solution generally is to load a VPN service on your router. This hides your public IP even from your internal machines, so only the router knows it. Unfortunately there are some games that refuse to run properly over VPN; they are dependent on exposing the public IP.
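The NAT behaviour described in this reply, as an added example that is not part of the thread and is not pfSense's or any router vendor's code: a small Python model in which traffic leaving the LAN creates a state entry, an inbound packet is delivered only when it matches that entry or a static port forward, and everything else is dropped. All addresses are hypothetical (TEST-NET ranges for the WAN side, 192.168.1.0/24 for the LAN), and the model uses the strict peer-address-and-port match that a stateful firewall rule applies; real consumer NATs differ in how strictly they filter, which is why turning on that rule matters.

```python
# Added example (not pfSense, Snort, or any router vendor's code): a toy model of
# NAT plus a stateful "only replies to connections we started" rule.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical address standing in for the router's public (WAN) IP.
PUBLIC_IP = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatFirewall:
    """Connection tracking keyed on the translated (public) port."""

    def __init__(self, first_public_port: int = 40000) -> None:
        # (proto, public_port) -> (lan_ip, lan_port, remote_ip, remote_port)
        self.state: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        # (proto, public_port) -> (lan_ip, lan_port): the static rule a port forward adds
        self.forwards: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.next_port = first_public_port

    def add_port_forward(self, proto: str, public_port: int, lan_ip: str, lan_port: int) -> None:
        self.forwards[(proto, public_port)] = (lan_ip, lan_port)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> internet: record the connection and rewrite the source to the public IP."""
        public_port = self.next_port
        self.next_port += 1
        self.state[(pkt.proto, public_port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(pkt.proto, PUBLIC_IP, public_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """internet -> LAN: look up the table; no matching entry means the packet is dropped."""
        key = (pkt.proto, pkt.dst_port)
        entry = self.state.get(key)
        # Strict filtering: the reply must come from the exact peer the LAN host talked to.
        if entry and (pkt.src_ip, pkt.src_port) == (entry[2], entry[3]):
            return "FORWARD", Packet(pkt.proto, pkt.src_ip, pkt.src_port, entry[0], entry[1])
        if key in self.forwards:
            lan_ip, lan_port = self.forwards[key]
            return "FORWARD", Packet(pkt.proto, pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        return "DROP", None


def run_demo() -> Dict[str, str]:
    """Four constructed inbound packets; returns the verdict for each."""
    fw = NatFirewall()
    fw.add_port_forward("tcp", 8080, "192.168.1.20", 80)

    # A LAN host opens a game session to a (hypothetical) server on the internet.
    out = fw.outbound(Packet("udp", "192.168.1.10", 50000, "198.51.100.7", 27015))

    verdicts: Dict[str, str] = {}
    # 1. The server's reply matches the state entry and is delivered.
    verdicts["reply"] = fw.inbound(Packet("udp", "198.51.100.7", 27015, PUBLIC_IP, out.src_port))[0]
    # 2. Unsolicited traffic to a port nobody opened: no entry, dropped.
    verdicts["unsolicited"] = fw.inbound(Packet("udp", "198.51.100.99", 4444, PUBLIC_IP, 12345))[0]
    # 3. Traffic to the mapped port but from a different peer: dropped by the strict rule.
    verdicts["wrong_peer"] = fw.inbound(Packet("udp", "198.51.100.99", 27015, PUBLIC_IP, out.src_port))[0]
    # 4. Traffic to the port-forwarded port is delivered regardless of state.
    verdicts["port_forward"] = fw.inbound(Packet("tcp", "198.51.100.99", 51000, PUBLIC_IP, 8080))[0]
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:13s} -> {verdict}")
```

Case 4 is the point made about port forwarding: the forward is a standing entry, so the table no longer protects whatever sits behind it, and the firewall still has no way to tell a flood of game packets from legitimate ones.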
 


To my knowledge, stock routers do not have VPN built into them. So what router would you recommend that has the capability of having its own VPN?
 


It is actually a fairly common feature but budget models do not have it.

I think Asus has VPN on most of their routers. Most but not all Asus routers also support the Asus Merlin third-party firmware. This is not quite as powerful as, say, DD-WRT, but it is extremely stable and easy to load. It has fairly advanced VPN abilities.

I forget what the stock firmware has because I have all my Asus devices on Merlin images.

If you do not like Asus, TP-Link has VPN in many of their models on factory firmware.
 
If you have the old PC for pfSense you can run one on that. You will need to pay for a VPN like PIA or it will suck and/or steal info from you. The PC needs two NICs.

In the article you linked, the OP suggested using Snort to detect DDoS. You can use your proof to possibly get your ISP to help you. Some of them sell DDoS protection ad hoc; they would be running something like Snort for that. The packets have to drop before they hit your bottleneck.
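As an added example, not from the thread and not Snort itself or a Snort rule: the threshold-style check an IDS on the firewall PC would run, applied to constructed per-packet records, producing the per-second summary you could hand to an ISP as proof. The capture is generated inside the block (ten seconds of ordinary game traffic followed by a one-second burst from many sources) and the addresses are hypothetical TEST-NET values.

```python
# Added example (not Snort's code): a per-second threshold detector over constructed
# inbound packet records, plus a plain-text summary of what it found.
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# (timestamp_ms, src_ip, dst_port, bytes): inbound packets as a capture tool would log them.
Record = Tuple[int, str, int, int]


def constructed_capture() -> List[Record]:
    """10 s of normal game traffic (one server, 20 pps) followed by a 1 s burst of
    400 large packets spread over 40 sources. Constructed for the example, not real."""
    records: List[Record] = []
    for i in range(200):
        records.append((i * 50, "192.0.2.7", 27015, 120))  # 20 pps from the game server
    for i in range(400):
        src = f"198.51.100.{i % 40 + 1}"
        records.append((10_000 + (i * 1000) // 400, src, 27015, 1400))  # the burst, in second 10
    return records


def detect_floods(records: List[Record], pps_threshold: int = 100) -> List[Dict]:
    """Bucket inbound packets per second and alert on any bucket over the threshold."""
    buckets: Dict[int, List[Tuple[str, int]]] = defaultdict(list)
    for ts_ms, src, _dport, nbytes in records:
        buckets[ts_ms // 1000].append((src, nbytes))
    alerts: List[Dict] = []
    for second in sorted(buckets):
        pkts = buckets[second]
        if len(pkts) < pps_threshold:
            continue
        sources = Counter(src for src, _ in pkts)
        alerts.append({
            "second": second,
            "packets": len(pkts),
            "bytes": sum(n for _, n in pkts),
            "sources": len(sources),
            "top_sources": sources.most_common(3),
        })
    return alerts


def evidence_report(alerts: List[Dict]) -> str:
    """Plain-text summary of the alerts, the kind of record an ISP abuse desk asks for."""
    lines = []
    for a in alerts:
        lines.append(f"t={a['second']}s: {a['packets']} pkts, {a['bytes']} bytes, "
                     f"{a['sources']} distinct sources; top: {a['top_sources']}")
    return "\n".join(lines) if lines else "no flood detected"


if __name__ == "__main__":
    print(evidence_report(detect_floods(constructed_capture())))
```

The detector only documents the flood after the packets have already crossed the link, which is the point of the post: the record is useful to the ISP, but the drop has to happen upstream of your bottleneck.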