2

If you have a fairly secure computer, how dangerous is it to connect to a modem directly without a router in between?

Let's say the computer is running Debian as a host and Whonix in VirtualBox, a VPN on host and has the appropriate firewall rules in place.

Would it still be important, both for security and for the integrity of Tor functioning properly, to have a router (DD-WRT) in between the modem and the computer to act as a firewall and an added layer of protection, or is it irrelevant?

This is all assuming nothing else is needed, no network sharing or VoIP or VPN hosting or anything like that, simply internet access to the computer which the modem by itself can provide.

Gilles 'SO- stop being evil'

2 Answers

3

What your ISP provides is a public IP address. When you use a home router, the router assumes that IP address, and forwards (with NAT) the connections from your actual computer. Any connection attempt to your IP address (from the outside) ends on the router, which will, generally, simply drop them.

If you do not use a home router, then your computer will own the public IP address. Connections from the outside will reach your computer directly. As long as your computer does not run services which can be contacted from the outside, and its IP stack is not bug-riddled, then it should be equally safe. After all, a home router (especially one running DD-WRT) often uses the Linux kernel, and therefore is no more secure than your Debian system.

Arguably, you may (and should) check for security updates for your Debian system on a daily basis, much more often than you update your DD-WRT router, so one may say that plugging the Debian machine directly to the modem is more secure than using a home router.

Just make sure that you know what runs on your machine. Use netstat -an to list the currently open network services: you are interested in TCP and UDP services bound to 0.0.0.0 (IPv4) or :: (IPv6); 127.0.0.1 and ::1 are "localhost" and thus do not denote Internet-facing services.

Thomas Pornin
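Added example, not part of the answer above: a shell filter that applies the `netstat -an` check to the Linux net-tools column layout and keeps only TCP listeners and unconnected UDP sockets that are not on loopback. It goes one step beyond the answer by also reporting sockets bound to a single non-loopback address, since on a machine plugged directly into the modem that address can be the public IP. The function names `exposed_listeners` and `sample_netstat` are hypothetical, and the sample output is constructed.

```shell
#!/bin/sh
# Reads `netstat -an` output on stdin (Linux net-tools layout assumed) and
# prints "proto port scope address" for every socket reachable from outside.
exposed_listeners() {
    awk '
    $1 ~ /^(tcp|udp)6?$/ {
        proto = $1; laddr = $4; faddr = $5; state = $6
        # TCP: only sockets waiting for connections are of interest.
        if (proto ~ /^tcp/ && state != "LISTEN") next
        # UDP has no LISTEN state; an unconnected socket shows a "*" peer port.
        if (proto ~ /^udp/ && faddr !~ /:\*$/) next
        addr = laddr; sub(/:[^:]*$/, "", addr)   # drop ":port" after the last colon
        port = laddr; sub(/^.*:/, "", port)
        # 127.0.0.0/8 and ::1 are loopback and not Internet-facing.
        if (addr ~ /^127\./ || addr == "::1") next
        scope = (addr == "0.0.0.0" || addr == "::") ? "all-interfaces" : "one-address"
        print proto, port, scope, addr
    }'
}

# Constructed sample input (documentation addresses, not a real capture).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.7:8080        0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.7:22          198.51.100.9:51234      ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*
udp6       0      0 :::5353                 :::*
unix  2      [ ACC ]     STREAM     LISTENING     12345    /run/example.sock
EOF
}

# On a real host: netstat -an | exposed_listeners
sample_netstat | exposed_listeners
```

Every line this prints is a service that needs either a firewall rule or a reason to exist; an empty result means nothing is listening beyond loopback.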
1

Many firewalls are based on Linux or BSD, and software such as iptables, firewalld, pf, etc. all works very well.

Without going into much detail, it is possible to secure an internet-facing machine if it's a requirement.

I wouldn't call a hardware firewall irrelevant, but it's definitely not required for a single machine. When trying to protect multiple servers, a purpose-built firewall makes administration much simpler.

Be conscious of what services you run and then create a rule set that adheres to your needs. It is possible to misconfigure a local firewall just as it is with a dedicated firewall, but if configured correctly the local firewall can be just as secure.

David Houde
    I agree that it can theoretically be just as "secure", however, separate devices also have the added advantage of taking load off of the machine, which is particularly useful if most of the traffic hitting the firewall is uninvited, like a DOS attack. The bad traffic would bounce off and allow the machine to focus only on what it's supposed to do. – TTT Jul 27 '14 at 15:17