When the man from Comcast departed, he left my Mac attached directly to the Comcast-supplied cable modem. Although this was working OK, the other LAN-attached computers, printers, etc were without Internet connectivity. Also, the one Internet connected Mac was exposed to whatever mischief might occur by way of the broadband connection. This mischief turned out to be considerable, as revealed by the router log that was produced later.
So I went to my near-by computer store and bought an SMC Barricade (SMC7004VBR) router and installed it between the one Mac and the cable modem. This router provides Ethernet switching capability through four Ethernet LAN ports, and connects to the cable modem (WAN) for Internet communications. Connecting one of the switched LAN ports to a 4-port Ethernet hub allowed sufficient expansion to include all the on-site devices.
The SMC router is smaller and less expensive than several other such units that I have used, and it provides excellent security (firewall) functionality. It also keeps a log of intrusion attempts, which is comforting to see, even if pretty much useless as far as any remediation goes.
The setup procedures for this kind of router-firewall are not immediately obvious—even to those that don't consider manual reading a sign of weakness <grin>. So I'm happy to provide a few guidelines here that may be helpful for people new to cable broadband. Perhaps some of these suggestions will be of use for xDSL users, also.
If a cable modem is already installed, remove power and disconnect the cable modem from the computer; then connect the router in its place. Cat-5 or Cat-5e Ethernet cable is currently the best choice for 10baseT and 100baseT Ethernet connections. The router will be connected to the modem when setup is complete.
a. In the router manual, find out what is the factory supplied router internal IP address. It will look something like: 220.127.116.11. Also, find out what the factory supplied router access password is. It will be "Admin" or some other easily guessed word.
b. Power up the router first, and then the computer and launch a browser [see note]. Make sure that any proxy, such as Privoxy, is turned off and any proxy settings in the Network Pane of System Preferences are removed or disabled. Otherwise the browser may be unable to communicate with the router.
c. Enter the factory router IP address into the browser as you would a web site. Example: <http://18.104.22.168> and key return. This should take you to the router access web page, resident within the router firmware, and you should see a login window.
d. Enter the factory password in the designated space and key return. You should now have access to all of the router parameters.
a. First thing you want to do is change the router password to prevent unauthorized access via the easily guessed factory password. Find the password change section of the router parameters and enter a new password.
b. You likely will want to set the router to accept and maintain its clock according to the time set in your computer. There should be a set of parameters that address the "how" and the "from where" the time will be obtained by the router.
c. Most routers have an option to permit or deny remote management. For security purposes, I suggest that you set this parameter to not allow remote management, unless you yourself have a compelling need to access the router from an external location.
a. There are two modes for external IP addressing of your router by your Internet Services Provider (ISP). You may choose dynamic addressing or static addressing in the Wide Area Network (WAN) parameters. In the usual home network, your ISP will be using dynamic addressing, and you must then select (enable) that mode via DHCP. There will be a parameter selection to specify DHCP protocol.
b. The ISP will provide at least one, usually two Dynamic Name Server (DNS) IP addresses. These addresses may be made available automatically by the ISP, and so you may not need to specify them. But if you must do so, you will find parameter space to enter them in this format: 22.214.171.124 and 126.96.36.199 (examples only).
c. All modern personal computers have a unique, built-in Media Access Control (MAC) address. It will look something like this: 00:0a:95:87:78:63. You will be well advised to set your router to "spoof" your computer's MAC address, so your cable ISP will not be confused. This process, sometimes called "cloning" is simply that of transferring your computer's MAC address to the router. The ISP will see the router presenting the same MAC address as your computer has previously provided, if there has been previous communication prior to installing the router. In the Network Pane of System Preferences, find out what is the MAC address of your computer. Carefully copy this MAC address to the appropriate space in the router parameters. This parameter probably will be located in the WAN section, but it may be elsewhere, and it may be in a subsection labeled "Advanced."
d. Most routers have an option for "invisibility", meaning that they can be set to not respond to a "ping" contact or to port scanning. The option to "discard ping from WAN" (or similar wording) may be located in the WAN parameters, or it may be in the Firewall parameters. It is important to enable this option for security.
The router and any computers, printers or other devices that are LAN connected must have IP addresses assigned to them. There is no reason to change the factory set IP address of the router; leave it as is. There likely will be parameters for assignment of fixed IP addresses (within the router's fixed IP address range) to the LAN attached devices. It is possible that you may need to ensure that certain special-purpose devices always have the same IP address, in which case you can manually assign fixed IP addresses. But in most network environments it is simpler to let the router assign all the non-routable, internal addresses via DHCP. In this normal situation, set parameters to:
a. The router may support a virtual server function whereby computers elsewhere on the Internet can access your computer for services, such as web pages. These services require that specific ports be left "open" to the Internet, and thus pose a security risk. For the normal home network, this virtual server function should be disabled. Usually this may be done simply by not entering any MAC and port addresses to be left open.
b. Some routers allow ports to be opened to public access with specified protocols to support special applications. One such application is telephony, i.e., voice over IP. Most home users do not run such special applications, and so should not designate any ports or protocols for this.
a. The Firewall Parameters may have a section devoted to protecting users from adult sites and adult message content. These parameters may include restrictions for particular computers on the LAN, as designated by MAC address, and also by time of day, etc. These are most generally applicable in a home having young children; settings for use should be obvious.
b. The Firewall Parameters should include an option for "invisibility," i.e., no response to ping and port scanning. This option always should be enabled for security.
c. These parameters may permit specification of a "Demilitarized Zone" or DMZ. This allows designation of one particular computer on the LAN to be opened up to all comers, i.e., has no restrictions or protection. When properly used, the DMZ-designated device executes software to perform firewall functions, and subsequently to route appropriate traffic to the applicable destinations on the LAN. The DMZ should not be enabled in the usual home computer environment.
d. Arguably the most important firewall function for security is that of "Stateful Packet Inspection" or SPI. This is sometimes labeled "Advanced Protection." I do not recommend routers that don't offer SPI. If SPI is presented as an option, it should be enabled.
e. The router may support Virtual Private Networking (VPN), accomplished via PPTP or IPSec security protocols. These are applicable to corporate networks and to home users that are connecting to corporate systems. If you are a retired senior citizen, leave these disabled; otherwise, consult your office network staff for instructions.
a. After all of the above parameter changes have been entered, log out of the router web page; then power down the computer, and router. Connect the router to the cable modem via the router's uplink WAN port using Ethernet cable. All internal, LAN-resident devices that are to communicate with Internet sites or with each other should be connected to switched LAN ports on the router. If there are more LAN-resident devices than there are switched router ports, then an Ethernet hub may be connected to one of the switched ports. The hub will serve to fan out that port to permit additional connections.
b. Then do the following in this order:
c. After a few hours, log into the router from your browser and inspect the logs to confirm that intrusion attempts are being blocked and see what errors, if any, may have been posted.
d. Once proper router operation is confirmed, I am told that it is a good idea to turn off the software firewall provided by OS X (System Preferences:Sharing:Firewall), as it provides no additional protection beyond that offered by the router.
If your router will not communicate with your browser, you might try downloading the old Mozilla 1.2.1 browser and run it in OS 9 (Classic). This Mozilla has excellent compatibility with routers, etc. (This hint courtesy of Jon Thomason)