Connecting a secure computer directly to the internet without a router

If you have a fairly secure computer, how dangerous is it to connect to a modem directly without a router in between? Let's say the computer is running Debian as a host and Whonix in VirtualBox, a VPN on host and has the appropriate firewall rules in place. Would it still be important, both for security and the integrity of Tor functioning properly, to have a router (DD-WRT) in between the modem and the computer to act as a firewall and an added layer of protection, or is it irrelevant? This is all assuming nothing else is needed, no network sharing or VoIP or VPN hosting or anything like that, simply internet access to the computer which the modem by itself can provide.

asked Jul 27, 2014 at 11:26 by Steve

I second that assessment. (Commented Jul 27, 2014 at 13:08)

2 Answers

What your ISP provides is a public IP address. When you use a home router, the router assumes that IP address, and forwards (with NAT) the connections from your actual computer. Any connection attempt to your IP address (from the outside) ends on the router, which will, generally, simply drop them.

If you do not use a home router, then your computer will own the public IP address. Connections from the outside will reach your computer directly. As long as your computer does not run services which can be contacted from the outside, and its IP stack is not bug-riddled, then it should be equally safe. After all, a home router (especially one running DD-WRT) often uses the Linux kernel, and therefore is no more secure than your Debian system.

Arguably, you may (and should) check for security updates for your Debian system on a daily basis, much more often than you update your DD-WRT router, so one may say that plugging the Debian machine directly to the modem is more secure than using a home router.

Just make sure that you know what runs on your machine. Use netstat -an to list the currently open network services: you are interested in TCP and UDP services bound to 0.0.0.0 (IPv4) or :: (IPv6); 127.0.0.1 and ::1 are "localhost" and thus do not denote Internet-facing services.
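Added example, not part of the original answer: a small Python filter that automates the check described above by reading `netstat -an` output and separating listeners bound to 0.0.0.0 or :: from loopback-only ones. The sample output, addresses and function names are constructed for illustration, and the parser assumes the Linux net-tools column layout.

```python
import ipaddress
import sys

# Constructed sample of Linux `netstat -an` output (not taken from the page).
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:51514        198.51.100.7:443        ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
udp6       0      0 fe80::1:546             :::*
unix  2      [ ACC ]     STREAM     LISTENING     12345    /run/cups/cups.sock
"""

def classify(addr):
    """Label a bind address: all-interfaces, loopback, or one specific address."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any %iface zone suffix
    if ip.is_unspecified:          # 0.0.0.0 or ::
        return "all-interfaces"
    if ip.is_loopback:             # 127.0.0.0/8 or ::1
        return "loopback"
    return "specific"

def listeners(netstat_text):
    """Return (proto, addr, port, label) for every TCP/UDP socket awaiting peers."""
    found = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue               # headers, UNIX sockets, blank lines
        proto, local, foreign = f[0], f[3], f[4]
        state = f[5] if len(f) > 5 else ""
        if proto.startswith("tcp") and state != "LISTEN":
            continue               # established or closing TCP connection
        if proto.startswith("udp") and not foreign.endswith(":*"):
            continue               # connected UDP socket, not a service
        addr, port = local.rsplit(":", 1)   # last colon splits off the port
        found.append((proto, addr, int(port), classify(addr)))
    return found

def internet_facing(netstat_text):
    """Listeners bound to every interface, i.e. reachable on the public IP."""
    return [l for l in listeners(netstat_text) if l[3] == "all-interfaces"]

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for proto, addr, port, label in listeners(text):
        print(f"{label:15} {proto:5} {addr}:{port}")
```

Run it as `netstat -an | python3 script.py` on the machine itself; sockets labelled "specific" are bound to a single address and need a look at which interface owns that address.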