What Is a Firewall – Answered

What Is a Firewall

What Is a Firewall?

What is a firewall? A firewall is basically any component (software or hardware) that restricts the flow of network traffic. This is a sufficiently broad definition to allow for all of the various ways people have chosen to implement firewalls. Some firewalls are notoriously limited in capability and others are extremely easy to use. The question of “what is a firewall” has evolved over time as the capabilities of firewalls have increased.

Within the realm of firewalls there are many different ways to restrict network traffic. Most of these methods vary in the level of intelligence that is applied to the decision-making process. For example, to permit or deny traffic based on which network device is the sender or recipient, you would use a packet-filtering firewall. In reality, even the simplest packet-filtering firewalls can typically make decisions based on the source Internet Protocol (IP) address, the destination IP address, and the source and/or destination port number. While this type of firewall may sound overly simplistic, consider the case where you have a server running a web site for use on the Internet. In all likelihood, the only traffic that you need to allow to the server uses a destination port of TCP (Transmission Control Protcol) 80 or 443. As a result, you could configure your firewall to permit only that traffic. Because the server is available for the Internet, you can’t filter traffic based on the source address or source port, which will be different for each connection.


The primary drawback with a simple packet filter is that the packet filtering firewall has to rely on very primitive means to determine when traffic should be allowed (e.g. synchronous [SYN] or acknowledgement [ACK] bits being set). While this was adequate in the early data of the Internet when security was not as big of a concern, it won’t work anymore. It is trivial to set the bits on the packet using freely available software to make the traffic look like it is a reply to another connection.

What Is a Firewall: Stateful Firewalls (Second Generation)

Thus the stateful inspection firewall was born of necessity. Developed initially at AT&T Bell Laboratories in 1989-90, this type of firewall performs the work of their first-generation predecessors but operates up to layer 4 (transport layer) of the OSI model. It monitors all connections (inbound or outbound), and as the connection is permitted (based on the firewall’s rules), it enters the connection into a table. When the reply to this connection comes back, even if the reply uses a port that the firewall was not previously configured to permit, it can intelligently realize the traffic is a response to a permitted session and permit the traffic.

Unfortunately, even as the firewalls get better, so do the methods hackers use to circumvent them. Suppose you have configured your firewall perfectly and there are no holes: every permitted port is one you expressly want to allow. Using the previous example, no traffic is allowed to the web server except web traffic. This sounds like a solid policy, but the problem is even if the firewall is completely secure, the server might not be. Flaws in the web server software could allow the attacker to send the server an HTTP request that is 10,000 characters long, overflowing the buffers and allowing the attacker to execute the code of his choice. The packets used to transport the 10,000-character HTTP request are all legal TCP packets as far as the firewall is concerned: therefore, it would permit them to pass through to the web server. The next step in firewall evolution serves to combat this type of attack: application gateways, or layer 7 firewalls. The first transparent application level firewall was Gauntlet, an outgrowth of Toolkit, developed by Marcus Ranum, Wei Xu, and Peter Churchyard.

What Is a Firewall: Application Layer Firewalls (Third Generation)

This type of firewall not only filters network traffic based on the standard network parameters, but they also understand the higher layer protocol information contained within the packet. In this example, the firewall would be looking for HTTP requests. The firewall knows what a legitimate HTTP request looks like and can out a malformed or malicious request even though, from a network perspective, it might otherwise be a permitted packet. There is a down side to this type of approach: the firewall must be programmed with all the same intelligence needed to filter normal traffic, plus the firewall must fully understand the protocols it is inspecting. This means additional programming for any protocol you want the firewall to understand. Most of the major commercial application gateways offer support for the major protocols such as HTTP, File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP).

Generally speaking, you can find many free varieties of firewalls that perform some type of stateful inspection. Application layer gateways are not really available for free. In reality, few organizations have the funds to use application gateways extensively. One ramification of not using an application gateway is that you need to ensure that the service that is exposed to untrusted traffic is configured as securely as possible and that the server itself is hardened against attack. Keeping the service patches up-to-date will help reduce the odds that an application-level attack will be successful.


External Links for “What Is a Firewall – Answered”:

Firewall (computing) at Wikipedia

What Is a Firewall at Indiana University Information Technology Services Knowledge Base

What Is a Firewall at searchsecurity.techtarget.com

What Is a Firewall? at Netgear Support

Packet Filter: The Engine of pfSense

Packet FilterpfSense is, as most users know, a specialized version of FreeBSD. It can be configured an upgraded through a web-based interface and often runs on embedded systems; it requires no knowledge of the underlying FreeBSD system. Those curious enough to find out, however, will be interested to know that pfSense is based on OpenBSD’s powerful pf (Packet Filter) software, which was released in late 2001 and has since been ported to many other operating systems including FreeBSD, NetBSD, DragonFly BSD, Debian GNU/Free BSD, and Mac OS X 10.7 “Lion” and later.

OpenBSD and the other BSD variants are direct descendants of BSD Unix. BSD, sometimes called Berkeley Unix, is a Unix operating system derivative developed and distributed by the Computer Systems Research Group (CSRG) of the University of California, Berkeley, from 1977 to 1995. The final release from Berkely was 1995’s 4.4BSD-Lite Release 2, after which the CSRG was dissolved and development of BSD at Berkeley ceased. In the meantime, as CSRG was winding down, small groups of enthusiasts around the world began working on further development of the code. Several different variants of BSD Unix came into existence. The OpenBSD group became known as the most security-oriented of the BSDs. For its packet filtering needs, it used a program called IPFilter, written by Darren Reed.


The packet filter’s main function is to filter network packets by matching the properties of individual packets and the network connections build from those packets agains the filtering criteria defined in its configuration files. The packet filter is responsible for deciding what to do with those packets, which could mean passing them through or rejecting them, or triggering events that other parts of the operating system or external applications are set up to handle.

The IPFilter subsystem performed this function within OpenBSD, but in May 2001, IPFilter was removed from the OpenBSD source tree due to licensing issues. The OpenBSD version of IPFilter contained several changes and customizations that, as it turned out, were not allowed under the licensing agreement. For a few weeks, the development version of OpenBSD did not include any firewalling software.


Enter Packet Filter

However, Daniel Hartmeier had already begun work on his own packet filtering software, called PF, and after a few months of development, it was ready to be added to OpenBSD. PF was added as a default part of the OpenBSD 3.0 base system in December 2001. Migrating from IPFilter to PF sense did not pose major problems, as their configuration languages were similar. Moreover, PF has done well in performance tests, performing equally well or better under stress on OpenBSD 3.1 than either IPFilter on OpenBSD 3.1 (or iptables on Linux). PF’s overhead is relatively low, and is capable of running effectively on rather modest hardware.

Future installments of this series of articles will go into greater depth on how to configure and run PF. For now, it should be mentioned that in order to run PF, you need to install and run a BSD system such as OpenBSD, FreeBSD, NetBSD, or DragonFly BSD. OpenBSD is the BSD variant of choice for many, as this is where PF was first introduced and where essentially all PF development happens. Moreover, the newest and most-up-to-date PF code is always to be found on OpenBSD. If you are planning to run PF on FreeBSD, NetBSD, DragonFly BSD, or another system, you should check your system’s release notes and other documentation about which version of PF is included.

External Links:

PF documentation in the OpenBSD FAQ

© 2013 David Zientara. All rights reserved. Privacy Policy