LinuxQuestions.org - Linux - Security
Firewall necessary? (https://www.linuxquestions.org/questions/linux-security-4/firewall-necessary-550757/)

bugmenot 05-02-2007 04:12 PM

Firewall necessary?
 
My NAT router (Netgear WGR614) has a SPI firewall and blocks ICMP ping requests, and all ports - except for those I open myself - are stealthed according to Nmap and miscellaneous security websites. Is it a waste to install a firewall on my FreeBSD server also (the only forwarded ports are SSH, FTP and HTTP)?

MensaWater 05-02-2007 04:40 PM

Doing firewall at the server level gives you an additional layer of protection. If they somehow break through the router, or something happens that resets it to defaults, having the additional firewall will slow them down or stop them. Exploits found for your router are not likely to be exactly the same as exploits found for iptables.

Security is all about "hardening" the target. The harder it is to hack you (or break into your house) the more likely it is they'll move on to a softer target. So if you have a lock on your door and a thief breaks in he'll have another challenge if he finds all your valuables are in an embedded safe with a combination lock.

bsdunix 05-02-2007 04:41 PM

Having a firewall running on the client, as well as on the router, is not a bad idea, it's called Defense in Depth. If you trust the router, and yours is the only host on the subnet, then you don't need the client firewall.
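Here is what that second layer could look like on the server itself, as an added example for this thread (not code from any of the posters): a default-deny iptables ruleset that admits only the three forwarded services from the question, restricts SSH to an admin network, and logs what it drops at a limited rate so a noisy source shows up without filling the disk. It assumes a Linux host with iptables and the conntrack match (the FreeBSD server in the question would express the same policy in pf or ipfw); ADMIN_NET and the HOSTFW-DROP log prefix are placeholder values.

```shell
#!/bin/sh
# Host-level firewall for a server that exposes only SSH, FTP and HTTP
# behind a NAT router that forwards those ports.  Added example for this
# thread, not a poster's script.  Assumes Linux with iptables and the
# conntrack match; ADMIN_NET and the log prefix are placeholders.
#
#   sh hostfw.sh preview   # print the rules that would be loaded
#   sh hostfw.sh apply     # load them (needs root)

ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"   # LAN allowed to reach SSH (assumption)

# Run a command, or just print it when DRYRUN is set.
run() {
    if [ -n "${DRYRUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

build_rules() {
    # Start from a clean INPUT chain.  Outbound stays open and forwarding
    # is refused; the INPUT policy is switched to DROP only at the very end,
    # so an error part-way through does not lock you out of a remote box.
    run iptables -F INPUT
    run iptables -P OUTPUT ACCEPT
    run iptables -P FORWARD DROP

    # Loopback and replies to connections this host started.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

    # The three forwarded services.  SSH only from the admin network, so a
    # router reset to "forward everything" still does not expose it to the
    # Internet.  Passive FTP data connections arrive as RELATED once the
    # nf_conntrack_ftp helper is loaded.
    run iptables -A INPUT -p tcp --dport 22 -s "$ADMIN_NET" -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

    # Log what falls through (rate-limited), drop it, then close the policy.
    run iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "HOSTFW-DROP: "
    run iptables -A INPUT -j DROP
    run iptables -P INPUT DROP
}

case "${1:-}" in
    apply)   build_rules ;;
    preview) DRYRUN=1; build_rules ;;
esac
```

The order matters: every ACCEPT and the final explicit DROP are in place before the chain policy changes, which is the difference between a script that is safe to run over SSH and one that is not.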

Matir 05-02-2007 05:35 PM

I run a firewall on my desktop, but open some ports to the LAN. Those ports are blocked at the network firewall (actually, it drops all and only allows some... only SSH, actually).

I do this just in case my firewall is compromised (which would, admittedly, give the attacker access to password-protected SMB, a couple of NFS shares (i.e., deb repository), and cupsd).

Drk_Guy 05-02-2007 05:41 PM

I only use iptables, my router is configured to port-forward everything to my (Linux) PC's static IP, but the most hazardous traffic is filtered out by MY OWN ISP, can you believe that? I only receive some occasional alerts due to the P2P-like setup

Matir 05-02-2007 05:50 PM

What kind of traffic does your ISP filter?

unixfool 05-03-2007 08:15 AM

Quote:

Originally Posted by Drk_Guy
but the most hazardous traffic is filtered out by MY OWN ISP, can you believe that? I only receive some occasional alerts due to the P2P-like setup

It is not unknown for ISPs to do their own filtering. I know that Cox filters traffic. I also know that Verizon does not appear to filter traffic before it reaches my LAN.

I have my gateway filtering all inbound and I allow all outbound (not my choice, as the gateway device won't allow me to filter outbound), yet I also use Snort in a manner that I can see all outbound traffic. I also monitor internal traffic. Since my gateway won't let me get granular in applying outbound filters, I use Snort to glimpse traffic so that I know when a server is getting hammered or may be infected and propagating outbound.

I also have poked holes in my gateway, allowing port 22 and port 3306 to one machine, yet I also have a firewall on the machine that serves port 22 and 3306 traffic. I'm glad that I do, as I've found that there's an infected machine out in the wild that has begun hammering my MySQL server. Since I'm only allowing certain IPs to connect on ports 22 and 3306, I'm OK, but it's highly irritating to see my logs bulk up because of one persistent IP.

So, I agree...security-in-depth (or layered security) is the better approach, especially if you're using a gateway router that isn't as configurable as a *nix firewall.
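The host-firewall-plus-log-review approach in the post above can be made concrete with an added example (not unixfool's own tooling): a small shell script that summarises iptables LOG output per source and destination port and reports the one source that keeps hammering a port. The log lines embedded in it are constructed, and the HOSTFW-DROP prefix is an assumed --log-prefix value.

```shell
#!/bin/sh
# Find a single source hammering a firewalled port by summarising iptables
# LOG lines.  Added example for this thread, not unixfool's tooling; the
# sample lines are constructed, and the HOSTFW-DROP prefix is an assumed
# --log-prefix value.
#
#   sh drops.sh demo                                  # run on the built-in sample
#   grep HOSTFW-DROP /var/log/kern.log | sh drops.sh report 20

# Count dropped attempts per "source-ip destination-port", busiest first.
# Kernel LOG lines carry fields such as SRC=198.51.100.23 and DPT=3306.
count_drops() {
    awk '
        /HOSTFW-DROP/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "") n[src " " dpt]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Report only the sources whose attempts on one port exceed a threshold;
# anything below it is treated as ordinary background noise.
flag_persistent() {
    threshold="${1:-5}"
    count_drops | awk -v t="$threshold" '$1 > t { print $2 " port " $3 " attempts " $1 }'
}

# Constructed sample: one host retrying MySQL every few seconds, a couple of
# stray SSH probes, and one unrelated sshd line that must be ignored.
SAMPLE_LOG='May  3 08:01:02 srv kernel: HOSTFW-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=41002 DPT=3306
May  3 08:01:07 srv kernel: HOSTFW-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=41003 DPT=3306
May  3 08:01:12 srv kernel: HOSTFW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=52210 DPT=22
May  3 08:01:13 srv kernel: HOSTFW-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=41004 DPT=3306
May  3 08:01:19 srv kernel: HOSTFW-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=41005 DPT=3306
May  3 08:01:25 srv kernel: HOSTFW-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=41006 DPT=3306
May  3 08:01:30 srv kernel: HOSTFW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=52211 DPT=22
May  3 08:01:31 srv kernel: HOSTFW-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=41007 DPT=3306
May  3 08:01:37 srv kernel: HOSTFW-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=41008 DPT=3306
May  3 08:01:40 srv sshd[1234]: Accepted publickey for admin from 192.168.1.20 port 50000 ssh2'

case "${1:-}" in
    demo)   printf '%s\n' "$SAMPLE_LOG" | flag_persistent 5 ;;
    report) flag_persistent "${2:-5}" ;;
esac
```

On the sample, `demo` prints a single line for 198.51.100.23 on port 3306; the two SSH probes stay under the threshold. Because the source is already denied by the host rules, the report is a signal to block the address further upstream (at the gateway), not evidence of a compromise.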

Drk_Guy 05-06-2007 03:23 PM

Want to know if your ISP filters the traffic?
Visit:
https://www.grc.com/x/ne.dll?bh0bkyd2

If it reports ports that you have opened as if they were closed or stealthed, then your ISP is filtering the traffic.
