Firewalls

2009 Mar 07


Contents: Packet Filter Firewalls, Stateful Firewalls, Proxy Firewalls, Personal Firewalls


A packet filter firewall can accept or reject each packet based on its direction and on values in its headers, without looking at the payload. These decisions could include:

A set of rules is written and evaluated in order; the first rule that matches the current packet decides what is done with it, and later rules are not consulted. For example:

Action  Source IP                Destination IP           Protocol  Source Port  Destination Port  Flags
Allow   Inside network address   Outside network address  TCP       Any          80                Any
Allow   Outside network address  Inside network address   TCP       80           >1023             ACK
Deny    All                      All                      All       All          All               All

External Links
www.openbsd.org/faq/pf/filter.html

Better results can be achieved by keeping state, that is, by remembering information about every active connection. Firewalls that do this are called stateful packet filters.

Source IP     Destination IP  Source Port  Destination Port  Timeout (sec)
10.5.75.92    4.4.39.27       2341         80                60
42.9.124.7    14.93.72.99     3361         80                45

When a TCP packet with the SYN flag set is permitted by the rules, an entry for that new connection is created in the state table. From then on a packet is allowed only if it belongs to an existing connection: for example, a packet carrying ACK is rejected if no SYN for that connection was seen first, even if a stateless rule such as the second one above would have let it through. The timeout field tells the state table logic when to delete an entry; each subsequent packet belonging to the connection resets the timer. This is an oversimplification of the actual state logic needed.
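To make the difference between the two filters concrete, here is an added example (not code from the original page) that models both the three-rule packet filter table above and the state table that follows it, and runs the same packets through each. The inside network prefix 10.5.75.0/24, the addresses, ports and the fixed 60-second timeout are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Added example, not the page's own code. Models the rule table and the
# state table from the text. Network prefix and addresses are made up.

INSIDE_PREFIX = "10.5.75."      # assumption: the inside network is 10.5.75.0/24

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: FrozenSet[str]       # TCP flags present, e.g. frozenset({"SYN"})
    proto: str = "TCP"

def side(ip: str) -> str:
    return "inside" if ip.startswith(INSIDE_PREFIX) else "outside"

# (action, src side, dst side, proto, src port, dst port, flags that must be set)
# The three rules from the table above; "any" matches everything, ">1023" is a range.
RULES = [
    ("allow", "inside",  "outside", "TCP", "any", 80,      None),
    ("allow", "outside", "inside",  "TCP", 80,    ">1023", {"ACK"}),
    ("deny",  "any",     "any",     "any", "any", "any",   None),
]

def _port_matches(spec, port: int) -> bool:
    if spec == "any":
        return True
    if isinstance(spec, str) and spec.startswith(">"):
        return port > int(spec[1:])
    return port == spec

def stateless_decision(p: Packet) -> str:
    """Stateless packet filter: the first matching rule wins."""
    for action, src, dst, proto, sport, dport, need in RULES:
        if src != "any" and src != side(p.src_ip):
            continue
        if dst != "any" and dst != side(p.dst_ip):
            continue
        if proto != "any" and proto != p.proto:
            continue
        if not (_port_matches(sport, p.src_port) and _port_matches(dport, p.dst_port)):
            continue
        if need and not need <= p.flags:
            continue
        return action
    return "deny"   # unreachable here because the last rule denies everything

class StatefulFilter:
    """State table keyed on the connection 4-tuple as seen from the inside host."""

    def __init__(self, timeout: float = 60.0):
        self.timeout = timeout
        self.table: Dict[Tuple[str, str, int, int], float] = {}   # key -> expiry time

    @staticmethod
    def _key(p: Packet) -> Tuple[str, str, int, int]:
        # Both directions of one connection map to the same key.
        if side(p.src_ip) == "inside":
            return (p.src_ip, p.dst_ip, p.src_port, p.dst_port)
        return (p.dst_ip, p.src_ip, p.dst_port, p.src_port)

    def decision(self, p: Packet, now: float) -> str:
        # Expire idle entries first (the Timeout column of the state table).
        for key, expiry in list(self.table.items()):
            if expiry <= now:
                del self.table[key]
        key = self._key(p)
        if key in self.table:
            self.table[key] = now + self.timeout    # traffic keeps the entry alive
            return "allow"
        # Only a SYN (a new connection) that the rules permit may create state.
        if "SYN" in p.flags and "ACK" not in p.flags and stateless_decision(p) == "allow":
            self.table[key] = now + self.timeout
            return "allow"
        return "deny"   # e.g. an ACK for which no SYN was seen first

def demo() -> Dict[str, str]:
    fw = StatefulFilter(timeout=60)
    syn = Packet("10.5.75.92", "4.4.39.27", 2341, 80, frozenset({"SYN"}))
    synack = Packet("4.4.39.27", "10.5.75.92", 80, 2341, frozenset({"SYN", "ACK"}))
    # ACK-only packet from "port 80" outside to a high port on a host that never connected:
    spoofed = Packet("4.4.39.27", "10.5.75.93", 80, 4000, frozenset({"ACK"}))
    return {
        "syn_stateless":     stateless_decision(syn),      # allow: rule 1
        "syn_stateful":      fw.decision(syn, 0.0),        # allow: creates state
        "synack_stateful":   fw.decision(synack, 0.1),     # allow: matches state
        "spoofed_stateless": stateless_decision(spoofed),  # allow: rule 2 cannot tell
        "spoofed_stateful":  fw.decision(spoofed, 1.0),    # deny: no SYN seen first
        "late_stateful":     fw.decision(synack, 200.0),   # deny: entry timed out
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

The spoofed packet shows the weakness the text alludes to: the second stateless rule has to admit any ACK from port 80 to a high port, because that is what legitimate replies look like, so anyone outside can reach a high port on an inside host simply by setting ACK. The stateful filter denies it because no SYN ever created an entry for that 4-tuple.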


Proxy based firewalls look at the application layer to decide what should pass through. A proxy can authenticate users with a user id and password dialog. It can make sure that all traffic conforms to the application's protocol and drop the rest.

For example, it can verify that messages are well-formed HTTP requests and responses, rather than just checking that the TCP destination port is 80. A proxy can allow FTP downloads (get) but disallow uploads (put), preventing users from transferring files out using FTP.

A proxy server can also improve performance by caching frequently accessed data, as web proxies do. Proxies have more work to do than the two types of firewall above and are therefore slower and need more CPU cycles. It is usually best to combine the different kinds of firewalls.
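The two application-layer decisions described above, checking that port-80 traffic really is HTTP and letting FTP downloads through while blocking uploads, as an added example that is not code from the original page. The permitted HTTP methods, the FTP command lists, the sample messages and the function names are assumptions made for illustration; the FTP command names themselves (RETR for download, STOR/STOU/APPE for upload) are the standard ones.

```python
import re

# Added example, not the page's own code. Two application-layer checks of
# the kind a proxy firewall performs. Sample inputs below are constructed.

HTTP_METHODS = {"GET", "HEAD", "POST"}     # assumption: what this site permits
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(1\.[01])$")
HEADER_LINE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")

def http_decision(raw: bytes) -> str:
    """Return 'allow' only if raw begins with a well-formed HTTP/1.x request head.

    A port-80 rule alone would pass every sample below; this reads the bytes
    and rejects anything that is not HTTP or uses a method that is not permitted."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "deny: no end of headers"
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return "deny: malformed request line"
    method, _target, version = m.groups()
    if method.decode("ascii") not in HTTP_METHODS:
        return "deny: method not permitted"
    for line in lines[1:]:
        if not HEADER_LINE.match(line):
            return "deny: malformed header"
    if version == b"1.1" and not any(l.lower().startswith(b"host:") for l in lines[1:]):
        return "deny: HTTP/1.1 without Host header"
    return "allow"

# FTP control-channel commands. Uploads send a file to the server.
FTP_UPLOAD_CMDS = {"STOR", "STOU", "APPE"}
FTP_ALLOWED_CMDS = {"USER", "PASS", "CWD", "PWD", "TYPE", "PASV", "PORT",
                    "LIST", "NLST", "RETR", "QUIT"}   # assumption: the site's allow-list

def ftp_command_decision(line: bytes) -> str:
    """Allow session housekeeping and downloads (RETR); block uploads and anything unknown."""
    if not line.endswith(b"\r\n"):
        return "deny: incomplete command line"
    cmd = line[:-2].split(b" ", 1)[0].upper().decode("ascii", "replace")
    if cmd in FTP_UPLOAD_CMDS:
        return "deny: upload not permitted"
    if cmd not in FTP_ALLOWED_CMDS:
        return "deny: unknown command"
    return "allow"

# Constructed sample traffic, all of which a port-based rule would treat alike.
HTTP_SAMPLES = {
    "good":       b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "not_http":   b"SSH-2.0-ExampleServer\r\n\r\n",          # another protocol on port 80
    "binary":     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\r\n\r\n",
    "bad_method": b"DELETE /x HTTP/1.1\r\nHost: a\r\n\r\n",
    "no_host":    b"GET / HTTP/1.1\r\n\r\n",
}
FTP_SAMPLES = {
    "download":   b"RETR report.pdf\r\n",
    "upload":     b"STOR secrets.zip\r\n",
    "lower":      b"stor secrets.zip\r\n",
    "unknown":    b"SITE EXEC something\r\n",
}

if __name__ == "__main__":
    for name, msg in HTTP_SAMPLES.items():
        print(f"http {name:10} {http_decision(msg)}")
    for name, msg in FTP_SAMPLES.items():
        print(f"ftp  {name:10} {ftp_command_decision(msg)}")
```

Both checks return a reason with every denial, which is what makes a proxy's log more useful than a packet filter's: it records not just that port 80 was contacted but that the bytes on it were not HTTP.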


A Personal Firewall is installed on a particular computer and protects only that computer. When something unexpected happens a personal firewall can ask the user what to do. There is a range of settings from permissive to paranoid (which rejects all suspicious packets). Programs running on the machine are not analyzed; other tools are needed for that (e.g. virus and spyware detectors).


2005-2009