Well, all these writeups, and not one explanation of what a firewall really is, at least in idiotese^H^H^H^H^H^H^H^H plain English.
You may have heard of a firewall before: your local sysadmin informs you that no, you can't use Napster because your university has decided to block it with their firewall, or perhaps they inform you that your computer needs to be using a proxy server because you are behind a firewall.
So what is a firewall, what does it do, how does it work, and why do you want one?
A firewall is essentially a computer, a piece of hardware, or a piece of software which acts as a fireproof wall between one or more computers and everything and everyone else. In practice, the firewall intercepts all inbound and outbound traffic from a network:
        | networked |
        | computers |
              |
              --- physical network connection to firewall
              |
         | firewall |
              |
              --- physical connection to _everything_ else
              |
    | another |   | another |
    | computer|   | computer|
As it intercepts any information going to and from the machines behind the firewall (anything behind a firewall is part of the internal network; anything outside the firewall falls into the category of "everything else"), the firewall decides whether or not to permit that traffic. The firewall makes this decision based upon rules, which are usually custom-defined by the system administrator.
Rules can be very broad, very specific, or anywhere in between. Let's say that the system administrator has a server behind the firewall, and this server is set to accept telnet requests. The admin doesn't want just any user to be able to telnet into the machine, because that's a security risk that can allow the machine to be hacked or cracked. Instead, he only wants people in the remote office to be able to telnet into the system. If the sysadmin knows the IP subnet for the remote office, he can set the firewall to allow only connections from that subnet. This is an example of filtering inbound traffic. If the remote office owned an entire class C subnet (let's say 207.46.130.x), the administrator would set the firewall only to allow connections from an IP address in the range 207.46.130.1 - 207.46.130.254, which he would know for certain would be from the remote office.
The way the firewall would react to requests from IP addresses in the 207.46.130.x subnet would be roughly like this:

    Inbound request received for my-telnet-server.everything2.com
    Who is the requestor?
    Requestor is 207.46.130.12
    Requestor OK, permit communication
After that, the firewall would allow all telnet traffic between the two machines for that session. The catch is, firewalls permit and deny traffic based on port numbers, or services. For example, telnet is a service that runs on port 23. If the aforementioned 207.46.130.12 tried to connect to my-telnet-server.everything2.com on port 25 (the SMTP service), even if the currently permitted telnet session was still running, the request would be blocked by the firewall, because the firewall is only permitting communication on port 23 for the server.
Thoroughly confused yet? Good. Let's talk about outbound communication.
Computers and servers behind the firewall will on occasion initiate outbound traffic. That traffic again must pass through the firewall before it can be seen by the outside world. Since Napster is still on the tip of everyone's tongue, we'll use an example of how universities block Napster access.

The firewall can be configured (as shown earlier) to allow incoming communication from only one IP address or subnet. In addition to this, the firewall can be configured to block only one IP address or subnet. Napster has about fifty servers, all on the 64.124.41.x subnet. If a university wants to block access to those servers, all they have to do is configure the firewall to block outbound traffic to and inbound traffic from 64.124.41.x. The end result is that when you start Napster and it tries to communicate with the Napster servers, the firewall will say to itself the following:
    Outbound request received for goa.napster.com
    Is goa.napster.com a permittable destination?
    No, it is not. Blocking communication.
The result of this is that your Napster client will sit there and eventually say that it can't find the server. Indeed it can't, because all data being sent by your computer is terminated by the firewall before it reaches the outside world.

For the most part, when a firewall is in place all data is blocked except that which has been configured to be permitted. It is poor security only to block specific things and permit everything else.
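To make the inbound telnet example, the outbound Napster example, and the default-deny rule above concrete, here is a small packet-filter model. It is an added example, not code from the original writeup or from any firewall product: the rule list is evaluated first-match with "deny" as the fallback, a permitted connection is remembered so that reply traffic for that session passes, and a request on a different port from the same address is evaluated afresh. The telnet server address 192.0.2.10, the internal network 192.0.2.0/24, the requestor 207.46.130.12 and the Napster port 8888 are constructed sample values; 207.46.130.x and 64.124.41.x are the subnets used in the text.

```python
"""Toy packet filter: first-match rule list, default deny, simple session table."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses for the example (TEST-NET ranges, not real hosts).
TELNET_SERVER = "192.0.2.10"      # stands in for my-telnet-server.everything2.com
INTERNAL_NET = "192.0.2.0/24"     # the network behind the firewall
REMOTE_OFFICE = "207.46.130.0/24" # the class C subnet from the text
NAPSTER_NET = "64.124.41.0/24"    # the Napster server subnet from the text


@dataclass(frozen=True)
class Rule:
    direction: str        # "in" (toward the internal network) or "out"
    src: str              # CIDR block the source must fall in, or "any"
    dst: str              # CIDR block the destination must fall in, or "any"
    port: Optional[int]   # service (destination) port, or None for any service
    action: str           # "permit" or "deny"

    def matches(self, direction: str, src: str, dst: str, port: int) -> bool:
        if direction != self.direction:
            return False
        if self.src != "any" and ip_address(src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(dst) not in ip_network(self.dst):
            return False
        return self.port is None or self.port == port


class Firewall:
    def __init__(self, rules, default: str = "deny"):
        self.rules = list(rules)
        self.default = default          # what happens when no rule matches
        self.sessions = set()           # (client, server, service port) already permitted

    def decide(self, direction: str, src: str, dst: str, port: int) -> str:
        """Return "permit" or "deny" for one packet.

        The session key uses the service port only; a real firewall also tracks
        the client's ephemeral port, which this model leaves out for brevity.
        """
        # Traffic belonging to a session already permitted passes in both directions.
        if (src, dst, port) in self.sessions or (dst, src, port) in self.sessions:
            return "permit"
        action = self.default
        for rule in self.rules:             # first matching rule wins
            if rule.matches(direction, src, dst, port):
                action = rule.action
                break
        if action == "permit":
            self.sessions.add((src, dst, port))
        return action


# The rule set the text describes, plus one outbound permit so something works.
RULES = [
    Rule("in", REMOTE_OFFICE, TELNET_SERVER + "/32", 23, "permit"),  # remote office may telnet in
    Rule("out", "any", NAPSTER_NET, None, "deny"),                   # no traffic to Napster servers
    Rule("in", NAPSTER_NET, "any", None, "deny"),                     # and none back from them
    Rule("out", INTERNAL_NET, "any", 80, "permit"),                   # ordinary web browsing is fine
]


def run_scenario():
    """Walk through the writeup's examples and return the decisions in order."""
    fw = Firewall(RULES)
    return [
        fw.decide("in", "207.46.130.12", TELNET_SERVER, 23),   # remote office telnet: permit
        fw.decide("out", TELNET_SERVER, "207.46.130.12", 23),  # replies in that session: permit
        fw.decide("in", "207.46.130.12", TELNET_SERVER, 25),   # same host, port 25: deny
        fw.decide("in", "198.51.100.7", TELNET_SERVER, 23),    # telnet from elsewhere: deny
        fw.decide("out", "192.0.2.20", "64.124.41.5", 8888),   # student's Napster client: deny
        fw.decide("out", "192.0.2.20", "198.51.100.80", 80),   # web browsing: permit
        fw.decide("out", "192.0.2.20", "198.51.100.80", 6667), # anything not listed: default deny
    ]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

Note that the last two decisions differ only because a rule explicitly permits port 80: everything not mentioned in the rule list falls to the default, which is the "block everything except what is permitted" posture the text recommends.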
Of course, the applications of a firewall listed above aren't the only reasons one might want a firewall. Any computer behind the firewall is immediately protected from outside attack by the firewall: any attempt at hacking a computer behind the firewall is blocked, and any attempt from behind the firewall (say, by a Trojan Horse such as Sub.Seven) to let the network be compromised is blocked.
Firewalls are very, very important to the security of networks. A firewalled server or computer is inaccessible to the outside world except as permitted by the system or network administrator, thus removing it from the reach of the potential attacker. In addition, they are important for the integrity and administration of a network. For more information on securing networks, read about firewalls on the Internet, try newsgroups especially, and learn about NAT (Network Address Translation).
If you've just a simple workstation or desktop at home that you're interested in securing now that you've got your DSL or cable modem (or university-provided Internet access), or even if you're security-conscious and on a standard modem, you might want to look into software-based firewalls (much, much cheaper than hardware firewalls), such as ZoneAlarm, BlackIce Defender, Norton Internet Security, or AtGuard (now a part of Norton Internet Security). I personally recommend Norton Internet Security because of its versatility and personal experience, but if you want a free firewall, use ZoneAlarm (though its lack of configuration options causes me to urge you not to use it).
Hope that clears things up.