Beginners Overview
Basic Packet Filtering
The most fundamental function of a firewall is packet filtering. No matter how sophisticated firewalls have become, this is still their most important task.
All data passing across a computer network, and hence all data passing through a firewall, is broken up into small "packets". Each connection can therefore be viewed as a stream of packets. Simple packet filtering relies on examining the characteristics of each packet, comparing this to a firewall rule-set and deciding whether or not the packet should be allowed to pass.
The main properties of a typical TCP packet of data are as follows:
- Source IP address (where the packet is coming from)
- Destination IP address (the intended destination of the packet)
- Source port (a number from 1-65535)
- Destination port (a number from 1-65535)
- Various header flags (e.g. the SYN flag, used only when creating a new TCP connection)
Just about every firewall will allow you to "match" against these properties in your firewall rules. Firewall rules follow the following basic structure:
If the packet is from a friendly IP Address
and is going to the server's terminal services port
(port 3389) then allow it to pass
Usually a well-configured firewall will not allow any packets to pass unless they have been explicitly allowed by a matching firewall rule. Firewall rules are usually written as a list, and this list is read from the top down. The first rule to completely match the properties of the packet will trigger that rule, usually resulting in the packet's acceptance or rejection. More exotic "targets" are also available with FireRack, such as the Tarpit.
The disadvantage of simple packet filtering is that the rule-set is not aware of the existence of connections, as each packet is viewed in isolation. Having an awareness of connection state is called "stateful inspection".
Stateful inspection
This was the next logical step in the evolution of firewalling. Put simply, stateful inspection gives the firewall an awareness of connections, as opposed to looking at each packet in isolation.
The firewall maintains a state table which records information about the connections which the firewall has seen recently. So, in addition to being able to match the properties of the current packet under consideration, the firewall can also consider whether or not that packet is part of an existing connection, or if it is a valid first packet in a new connection.
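The following is an added example, not FireRack code, that simulates both sections above in one small filter: a default-deny rule list read top down where the first complete match wins, plus a state table so that packets belonging to a connection the firewall has already seen pass without consulting the rules, while a stray mid-connection packet with no state entry is dropped even if it comes from the "friendly" range. The addresses, the friendly range and the two rules are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False

@dataclass
class Rule:
    action: str                   # "ACCEPT" or "DROP"
    src: str = "0.0.0.0/0"        # source network to match (default: any)
    dst: str = "0.0.0.0/0"        # destination network to match (default: any)
    dport: Optional[int] = None   # destination port, None = any
    new_only: bool = False        # match only a valid first packet (SYN without ACK)

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or p.dport == self.dport)
                and (not self.new_only or (p.syn and not p.ack)))

class StatefulFilter:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state: Set[Tuple[str, int, str, int]] = set()  # connections seen so far

    def decide(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        # Stateful inspection: either direction of a known connection passes.
        if fwd in self.state or rev in self.state:
            return "ACCEPT"
        # Otherwise read the list top down; the first full match triggers the rule.
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "ACCEPT" and p.syn and not p.ack:
                    self.state.add(fwd)       # record the new connection
                return rule.action
        return "DROP"  # default policy: nothing passes unless explicitly allowed

# Constructed rule-set: a friendly range may open terminal services (3389);
# anyone may open a web connection (80); everything else is dropped.
RULES = [
    Rule("ACCEPT", src="203.0.113.0/24", dport=3389, new_only=True),
    Rule("ACCEPT", dport=80, new_only=True),
]
```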