Understanding Firewall Configurations
Written by
Steve Lake
Posted on: May 21, 2008 at 02:21pm
Section:
Tutorials

At some point in your life, you will find yourself having to work with a firewall in order to protect yourself from hazards on the internet. In order to make the best use of your firewall, you need to know several simple things when configuring it. In this tutorial I will walk you through the basics of firewall configurations, and everything you will need to know to get started. Since different firewalls do their configurations in different ways, but keep to the same principles, I will be focusing mainly on the principles that go into those configurations. Once you understand these, the rest will be easy, regardless of what firewall software you end up working with.
Firewalls divide their traffic into five basic groups of data: TCP, UDP, ICMP, ARP, and RARP. TCP is short for Transmission Control Protocol and is the default way most data is sent across the internet. It accounts for close to 80% of all traffic on the net today. It is the first half of the TCP/IP system you hear about so often. UDP is short for User Datagram Protocol. It is very similar to TCP in every way except that it's connectionless. To simplify this a bit, TCP requires a connection, with error checking, to be established between host and server, or between two hosts, before any data can be transferred.
This is because if data is sent via TCP and there is an error in the packet being sent, the receiving machine can request that the packet be resent, and it will be resent until it is received successfully on the other side. UDP, on the other hand, being connectionless, can be thought of as a point, shoot and pray data packet. The server or host sends the packet, and then the other side essentially prays that it arrives on time and intact. These are used a lot in games and non-critical communications. The advantage of UDP over TCP in such an environment, especially when dealing with statistics, is that UDP generates less traffic when there's congestion or a bad connection, since packets don't have to be sent over and over again, so it is less likely to slow down a fast-paced game or interrupt a streaming broadcast.
The third kind of data packet, known as ICMP, is well known for its role in hostile internet activities such as DDoS attacks. But ICMP has other, better purposes. ICMP stands for Internet Control Message Protocol. It is used quite often for error reporting and for testing remote connections. It is also a connectionless protocol, just like UDP, so once sent, unless it is received on the other end, it is lost forever. But where ICMP differs from UDP is that ICMP carries no user data; it only carries diagnostic information meant for either host or server.
The fourth data type is called ARP, short for Address Resolution Protocol. ARP is used at the local network level to determine a machine's MAC (hardware) address when only its IP address is known. Since local networks typically deliver traffic by hardware address rather than by IP address, this is an important protocol. RARP (Reverse ARP) is similar to ARP, except that it is used to determine a machine's IP address when only the MAC address is available.
All of these protocols are things you will need to know in order to properly configure and secure your firewall. There are several things to consider when configuring a rule for each type of protocol you will work with. To start, let's look at TCP. The first thing you'll want to decide when configuring a rule is which direction the rule applies to. That may not seem to make sense, but think of your network as a two-way street. You have incoming traffic and you have outgoing traffic. Incoming is anything that comes into your machine from outside, and of course outgoing is anything you send out from your machine to the rest of the world, or to the local network. Knowing whether a rule needs to apply to inbound, outbound, or both kinds of traffic is important. If you get it wrong, you don't surf.
The next thing to consider is the local and remote IP address and port, or their respective ranges. If configuring a personal firewall, such as one on your local machine, your machine's IP address can always be assumed to be the local address in your firewall rules. If the firewall is a stand-alone machine tasked with protecting the traffic passing in and out through it, then a range of addresses may be more applicable. The next thing to consider is the port. Just because you allow a particular IP address to connect to your machine does not mean you have to allow it to connect on any port it chooses.
For example, if you had a machine set up as an FTP server, you may wish to allow all internet addresses, or only a few of your choosing, to connect only to port 21 and no other port. A simple way to configure this would be to set your server's IP as the local IP address and 21 as the local port. Then set the remote address to be all addresses, or just the select few you want, and the remote port to be all. This will allow machines of your choosing, or the entire internet, to connect to your server on port 21 for FTP.
Now, say you have something such as Yahoo Messenger that you want to use, but your firewall is blocking all access on the port it needs in order to log in to the Yahoo network. You would need to set your local address and port to be your IP address and whatever port, if any, Yahoo asks you to use. The remote IP and port would likewise be whatever Yahoo asks you to use; say, something like login.yahoo.com on port 2345. Now be aware, you don't want to willy-nilly allow just any program access to the net. Be sure you know what you're allowing before adding a rule. There are some programs you'll use that you DON'T want connecting to the internet and "phoning home", if you will.
Now, the next part you'll want to consider is twofold: how the firewall handles fragments, and how it handles connections. You will need to specify whether to block incoming data fragments (I always recommend doing this to avoid hacking attempts) and whether to block incoming connections. Generally the rule is, unless you're running a service that needs to accept cold connections (remember my open, closed, and locked gates example from my Understanding Firewalls tutorial), blocking incoming connections is always best. Even if you don't have a service listening on a given open port, nothing says that a hacker can't find some way to use that port against you anyway.
Another thing to consider is when a rule applies. You can set up your firewall rules so that a rule only applies during certain times of the day. Say, for example, that you work in an office where IM usage is rampant. If the boss says no IMs, he could have a systems administrator add a rule to the firewall that says, from 9am to 5pm, do not allow connections in or out on such and such a port. Outside these hours, you're free to use IM all you want. How that's handled on your firewall of choice varies: with some it's as simple as clicking a button, and with others it's a bit more convoluted. But in the end the result is the same.
Overall, those are the basics of filtering TCP packets. The rules are almost identical for UDP, except that since it's connectionless, you can't block incoming connections, because there are no connections.
Next up is ICMP. When dealing with this, the rules change a bit. Since ICMP only uses one port, the only configurable item for the local and remote host is the IP address. In place of configuring a port, you now have an interesting new feature called a type. This is, in short, the answer or message an ICMP packet carries when it leaves its source and heads off to its destination. There are 40 known types that an ICMP packet can take. Interestingly enough, about half of the 40 are unassigned type numbers, reserved for later use if the need arises.
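To make the rule fields above concrete (direction, local and remote address, local and remote port, blocking new inbound connections, a time-of-day window, and ICMP type instead of port), here is an added, runnable toy rule matcher. It is example code written for this page, not from the tutorial or any real firewall; the address 192.0.2.10, the IM port 5050 and the rule order are constructed values, and ICMP types 0, 3 and 11 are echo reply, destination unreachable and time exceeded.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    direction: str            # "in", "out" or "both"
    proto: str                # "tcp", "udp" or "icmp"
    local: str                # CIDR for the local side; "0.0.0.0/0" means any address
    remote: str               # CIDR for the remote side
    action: str               # "allow" or "deny"
    local_port: range = None  # None means any port (ICMP carries no ports)
    remote_port: range = None
    new_conn: bool = False    # TCP only: match just connection attempts (SYN set)
    icmp_types: frozenset = None  # ICMP only: type numbers this rule covers
    active: tuple = None      # (start, end) clock times; None means always

def matches(rule, pkt):
    # Every field the rule constrains must be satisfied; unconstrained fields are ignored.
    if rule.direction not in ("both", pkt["direction"]) or rule.proto != pkt["proto"]:
        return False
    if (ip_address(pkt["local_ip"]) not in ip_network(rule.local)
            or ip_address(pkt["remote_ip"]) not in ip_network(rule.remote)):
        return False
    if rule.local_port is not None and pkt.get("local_port") not in rule.local_port:
        return False
    if rule.remote_port is not None and pkt.get("remote_port") not in rule.remote_port:
        return False
    if rule.new_conn and not pkt.get("syn"):
        return False
    if rule.icmp_types is not None and pkt.get("icmp_type") not in rule.icmp_types:
        return False
    if rule.active is not None and not (rule.active[0] <= pkt["time"] <= rule.active[1]):
        return False
    return True

def decide(rules, pkt, default="deny"):
    # First matching rule wins; traffic no rule covers falls to the default policy.
    return next((r.action for r in rules if matches(r, pkt)), default)

ANY = "0.0.0.0/0"  # constructed rule set; 192.0.2.10 and IM port 5050 are made-up values
RULES = [
    Rule("both", "tcp", "192.0.2.10/32", ANY, "deny", remote_port=range(5050, 5051),
         active=(time(9, 0), time(17, 0))),                         # office hours: no IM
    Rule("in", "tcp", "192.0.2.10/32", ANY, "allow", local_port=range(21, 22)),  # FTP control port
    Rule("in", "tcp", ANY, ANY, "deny", new_conn=True),               # no other inbound connections
    Rule("in", "icmp", ANY, ANY, "allow", icmp_types=frozenset({0, 3, 11})),  # replies and errors only
    Rule("out", "tcp", ANY, ANY, "allow"),                            # outbound traffic permitted
]
```

Each packet is a plain dict with the fields the rules inspect; the default policy is deny, so an inbound echo request (type 8) that matches no allow rule is dropped, while the same IM connection is denied at 10:00 and allowed at 18:00.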
One of the interesting things about configuring your router to send a specific type of message or reply is that you can fool a remote host into believing that your machine is something other than what it is. By default, ping tends to reply with a simple echo or traceroute reply. However, you can tell the firewall to reply with destination unreachable, packet lost and more. It's good for driving away people you don't want nosing around your firewall.
Now when you get into ARP and RARP, things get a whole lot easier. The only things you're responsible for when configuring rules for these are the local and remote addresses and the times during which the rules apply. That's it. Typically, on most firewalls, it's a good idea to allow ARP but block RARP. You can allow RARP as well, but it's really not commonly used or necessary.
I hope that in this short tutorial I've "demystified" firewall rules. Really, they're very simple to understand once you see the elementary logic behind them. All you have to do is remember these few simple guidelines, learn how your respective firewall does its configuration (config file, command line, GUI, etc.) and put your newfound knowledge to work.