A firewall is a device that will block outside computers from directly connecting to machines on a private network, while still allowing these machines to connect to outside computers.

A firewall can easily be made out of an old 486 box running *BSD or GNU/Linux, a NIC or two, and maybe a dial-up modem.
Well, all these writeups with no explanation as to what a firewall really is, at least in idiotese^H^H^H^H^H^H^H^H plain English.

You may have heard of a firewall before: your local sysadmin informs you that no, you can't use Napster because your university has decided to block it with their firewall, or perhaps they inform you that your computer needs to be using a proxy server because you are behind a firewall.

So what is a firewall, what does it do, how does it work, and why do you want one?

A firewall is essentially a computer, piece of hardware, or software, which acts as a fireproof wall between one or more computers and everything and everyone else. Essentially, the firewall intercepts all inbound and outbound traffic from a network:

      |   networked   |
      |   computers   |
              | ---physical network
              |      connection to
              |         firewall
      |    firewall   |
              | ---physical connection
              |     to _everything_ else
             / \
            /   \
   ---------     ---------
  | another |   | another |
  | computer|   | computer|
   ---------     ---------

As it intercepts any information going to and from the machines behind the firewall (anything behind a firewall is a part of the internal network, anything outside the firewall falls into the category of "everything else"), the firewall decides whether or not to permit that traffic. The way a firewall does this is based upon rules, which are usually custom defined by the system administrator.

Rules can be very broad, very specific, or anywhere in between. Let's say that the system administrator has a server behind the firewall, and this server is set to accept telnet requests. The admin doesn't want just any user to be able to telnet into the machine, because that's a security risk that can allow the machine to be hacked or cracked. Instead, he only wants for persons in the remote office to be able to telnet into the system. If the sysadmin knows the IP subnet for the remote office, he can set the firewall to allow only connections from that subnet. This is an example of filtering inbound traffic. If the remote office owned an entire class C subnet (let's say 207.46.130.x), the administrator would set the firewall only to allow connections from an IP address that is -, which he would know for certain would be from the remote office.

The way the firewall would react to requests from IP addresses in the 207.46.130.x subnet would be kind of like this:

Inbound request received for my-telnet-server.everything2.com
Who is the requestor?
Requestor is
Requestor OK, permit communication

After that, the firewall would allow all telnet traffic between the two machines for that session. The catch is, firewalls permit and deny traffic based on port numbers, or services. For example, telnet is a service that runs on port 23. If aforementioned tried to connect to my-telnet-server.everything2.com on port 25 (the SMTP service), even if the currently permitted telnet session was still running, the request would be blocked by the firewall, because the firewall is only permitting communication on port 23 for the server.

Thoroughly confused yet? Good. Let's talk about outbound communication.

Computers and servers behind the firewall will on occasion initiate outbound traffic. That traffic again must pass through the firewall before it can be seen by the outside world. Since Napster is still on the tip of everyone's tongue, we'll use an example of how universities block Napster access.

The firewall can be configured (as shown earlier) to allow incoming communication from only one IP address or subnet. In addition to this, the firewall can be configured to block only one IP address or subnet. Napster has about fifty servers, all on the 64.124.41.x subnet. If a university wants to block access to those servers, all they have to do is configure the firewall to block outbound traffic to and inbound traffic from 64.124.41.x. The end result is that when you start Napster and it tries to communicate with the Napster servers, the firewall will say to itself the following:

Outbound request received for goa.napster.com
Is goa.napster.com a permittable destination?
No, it is not. Blocking communication.

The result of this is that your Napster client will sit there and eventually say that it can't find the server. Indeed it can't, because all data being sent by your computer is terminated by the firewall before it reaches the outside world.

For the most part, when a firewall is in place all data is blocked except that which has been configured to be permitted. It is poor security only to block specific things and permit everything else.

Of course, the applications of a firewall listed above aren't the only reasons one might want a firewall. Any computer behind the firewall is immediately protected from outside attack by the firewall: any attempt at hacking a computer behind the firewall is blocked, and any attempt from behind the firewall to allow the network to be compromised is blocked (by say a Trojan Horse such as Sub.Seven).

Firewalls are very, very important to the security of networks. A firewalled server or computer is inaccessible to the outside world except as permitted by the system or network administrator, thus removing it once from the potential attacker. In addition, they are important for the integrity and administration of a network. For more information on securing networks, read about firewalls on the Internet, try newsgroups especially, and learn about NAT (Network Address Translation).

If you've just a simple workstation or desktop at home that you're interested in securing now that you've got your DSL or cable modem (or university provided Internet access), or even if you're security-conscious and on a standard modem, you might want to look into software based firewalls (much, much cheaper than hardware firewalls), such as ZoneAlarm, BlackIce Defender, Norton Internet Security, or AtGuard (now a part of Norton Internet Security). I personally recommend Norton Internet Security because of its versatility and personal experience, but if you want a free firewall, use ZoneAlarm (though its lack of configuration options cause me to urge you not to use it).

Hope that clears things up.
Linux is useful for setting up firewalls because it is easy and free. However I have a few tips for anyone who is going to make one (I've set up a couple).

has great howtos, check out ipchains, ipmasq, and firewall.

check this site out, you need to read it to figure out ip port forwarding in > 2.2.X kernels.

and for VPNs, i'd recomment poptop.

I suggest using ipmasq for a couple of reasons, it provides good protection and cuts down the # of IPs you need. A also think using DMZs is a good idea if your requirements warrant one, and your resources allow one.

Good Luck if tou're trying to set one up. Make sure if you recompile the kernel, to include all the networking stuff you may ever want so you dont have to recompile again later...
In the physical world, a firewall is a wall built to prevent the spread of a fire from building to building or from one section of a building to another. To this end, a firewall is constructed of much sturdier material than the other walls, and is generally windowless and doorless and otherwise devoid of any openings through which a fire could spread. For the same reason, firewalls also typically extend all the way from ground to roof level or beyond. Firewalls are rated in terms of hours they can withstand a fire, e.g. one-hour firewall, two-hour firewall, three-hour firewall, etc., depending on the material and construction method of the wall.

The term "firewall" is also used to describe a thick metal plate, in vehicles such as automobiles and aircraft, which separates the fuel tank from the rest of the engine and/or the interior of the vehicle to prevent explosions and protect passengers from serious injury or death in the case of a fuel leak or engine fire.

Log in or register to write something here or to contact authors.