Posted by Dave
5 Star Support Security Specialist
Provided by Dshield.org, a Creative Commons Attribution
This introduction is intended to provide a basic understanding of how
the Internet works and how this applies to firewalls. Thick books have
been written about this, and you are encouraged to read one of them if
you would like to know more. This page will just provide a brief
definition of many of the terms used.
DNS / Domain Name / Host Name
IP (Internet Protocol)
TCP (Transmission Control Protocol)
UDP (User Datagram Protocol)
ICMP (Internet Control Message Protocol)
Each device (computer, cell phone, coffee maker) connected to the
Internet requires an 'IP Address'. An IP address is a four-byte number,
usually written as the 4 bytes separated by a '.'. For
example, 188.8.131.52 is the IP address of the dshield web server. Each
one of these numbers has to fall in the range from 0-255.
DNS / Domain name / Host Name:
As humans have a hard time remembering numbers, an automated directory
assistance service was introduced which translates easier-to-remember
names (domain names or host names) into IP addresses. This lookup is
performed transparently to the user. If you enter 'www.dshield.org' in your web
browser, your Internet software will ask a domain name server (DNS) for
the IP address associated with this host name. The domain name server
will respond with '184.108.40.206'. As a result, your computer will
contact '220.127.116.11' and ask it for the dshield.org home page.
This site uses the term 'port' a lot. In order for a computer to connect
to multiple Internet services at the same time, the concept of 'port'
was introduced. Each computer has 65536 ports available. If your web
browser initiates a connection to dshield.org for example, it will pick
the first available port (say 12345) and use it to send the connection
request to dshield.org. DShield.org's web server will reply to port
12345 on your PC. This way, your PC knows that this reply is in response
to the request sent to dshield.org earlier.
The first 1024 ports are set aside for 'privileged use'. Usually, only
servers that wait for incoming connections use these ports.
IP (Internet Protocol):
There are a number of different protocols which are used to send data
across the Internet. Some will be discussed below. However, all of them
are based on the 'Internet Protocol'. The Internet Protocol is the basic
language that makes the Internet work.
One of the features that made the Internet Protocol such a big success
is its simplicity.
The Internet Protocol requires all data to be split into packets. A
packet is any kind of data preceded by a header. The header
contains the source and destination of the packet, as well as the length
of the packet, a checksum and a number of options.
Routers, which will pass the packet from its source to the destination,
will leave the content of the packet untouched and just look at the
header to identify where to send the packet next.
TCP (Transmission Control Protocol):
TCP is one of the two most popular protocols used on the Internet. It
provides a connection between client and server, and each side
acknowledges the receipt of data. TCP is the basis of popular Internet
applications like HTTP (Web Browsing), FTP (File Transfer) and e-mail.
UDP (User Datagram Protocol):
Unlike TCP, UDP is not built on the idea of a 'connection'. Instead, one
system will just send data blindly and it will not require any
acknowledgement that the data has been received. This can be useful to
stream data at high speed, like for streaming audio, where re-sending a
missing packet would not be feasible.
ICMP (Internet Control Message Protocol):
ICMP is mostly used for diagnostics. 'ping', a small application included
in most (all?) operating systems, uses this protocol. ICMP is used to
send small messages indicating the status of a host or connection. It
can also be used to request such a status message.
Typical messages are:
'ECHO': This message requests the packet to be returned to the sender to
confirm the connection.
'NO ROUTE TO HOST': This message is sent by a router to the sender of a
packet to indicate that there is no route available to deliver the
packet to the intended receiver. Most likely a network link is
disconnected or the destination address does not exist.
'TIME TO LIVE EXCEEDED': The header of each IP packet indicates the
maximum number of routers through which a packet is allowed to travel.
This number is referred to as Time To Live (TTL). A special field in the
IP header is decremented whenever a router touches a packet. A router
that decrements this number to zero discards the packet and returns this
message to the sender. This message usually indicates a 'routing loop',
where the packet is sent in circles between a number of routers.
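To make the IP header and the TTL mechanism concrete, here is an added example (not part of Dave's text or of DShield's own tools) that builds a constructed 20-byte IPv4 header, parses the fields a router or firewall reads, verifies the header checksum, and then plays one router hop at a time until a looping packet is dropped with TIME TO LIVE EXCEEDED. The addresses used are documentation ranges, not real hosts.

```python
import struct
from typing import Optional, Tuple

def checksum(data: bytes) -> int:
    """Internet checksum: ones'-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_header(src: str, dst: str, ttl: int, proto: int = 1) -> bytes:
    """Constructed 20-byte IPv4 header (no options, no payload) with a valid checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s",
        (4 << 4) | 5, 0, 20, 0x1234, 0, ttl, proto, 0,
        bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))))
    struct.pack_into("!H", hdr, 10, checksum(hdr))
    return bytes(hdr)

def parse_header(hdr: bytes) -> dict:
    """Read the fields a router or firewall looks at and verify the checksum."""
    ver_ihl, _tos, length, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", hdr[:20])
    return {"version": ver_ihl >> 4, "header_len": (ver_ihl & 0xF) * 4,
            "total_len": length, "ttl": ttl, "protocol": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "checksum_ok": checksum(hdr[:20]) == 0}   # a valid header sums to zero

def router_hop(hdr: bytes) -> Tuple[str, Optional[bytes]]:
    """One router: drop a corrupt header, drop (and report) an exhausted TTL,
    otherwise decrement TTL and recompute the checksum before forwarding."""
    f = parse_header(hdr)
    if not f["checksum_ok"]:
        return "DROP: bad checksum", None
    if f["ttl"] <= 1:                         # would reach zero on this hop
        return "TIME TO LIVE EXCEEDED", None
    out = bytearray(hdr)
    out[8] -= 1                               # the TTL byte
    struct.pack_into("!H", out, 10, 0)        # zero the checksum field first
    struct.pack_into("!H", out, 10, checksum(out[:20]))
    return "FORWARD", bytes(out)

def trace_loop(hdr: bytes, max_hops: int = 64) -> Tuple[int, str]:
    """Bounce the packet around a routing loop until some router drops it."""
    for n in range(1, max_hops + 1):
        verdict, hdr = router_hop(hdr)
        if hdr is None:
            return n, verdict
    return max_hops, "still forwarding"
```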
Just as a firewall between two buildings is intended to protect one house
from a potential fire in a neighbor's house, Internet firewall software
or hardware is intended to protect a personal computer or private
network from the ever-raging fire on the Internet.
To do so, a firewall will inspect packets sent to and received from the
Internet. Based on rules defined by its administrator or manufacturer,
the firewall will allow certain data to pass while it will block other
Many firewalls will track rejected packets in a log. The administrator
is encouraged to regularly inspect these logs. Dshield.org collects such
logs to allow firewall administrators to compare notes and improve
firewall rule building.
Firewall implementations vary widely. In their most basic form, they
inspect headers and try to determine if source and destination are
defined as 'allowed', or if the packet is a response to a request sent
earlier. More sophisticated firewalls will inspect the content of the
packet as well, and alert the user if the content matches data defined
However, most firewalls have a common feature and weakness: They prevent
connection attempts initiated from the 'outside', while they are very
permissive in allowing requests to be sent from the inside. Firewalls do
not replace virus scanners and safe computing practices.
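The port-matching and "response to a request sent earlier" behaviour described above, together with the common weakness of letting anything out, can be shown in a small stateful filter. This is an added example written for this page, not code from Dave or from DShield; the inside address, the remote addresses and the packets are all constructed, and each rejected packet is written to a log list of the kind an administrator would inspect.

```python
from collections import namedtuple

# Constructed packets: direction as seen from the protected PC, plus the
# 5-tuple and TCP flags. No real traffic or hosts are involved.
Packet = namedtuple("Packet", "direction proto src sport dst dport flags")

INSIDE = "192.168.1.10"   # assumed address of the protected PC

class StatefulFirewall:
    """Minimal stateful filter: let the inside initiate anything, let matching
    replies back in, reject unsolicited packets from outside, and log them."""

    def __init__(self, allowed_inbound_ports=()):
        self.allowed_inbound_ports = set(allowed_inbound_ports)  # published services
        self.state = set()   # (proto, inside_ip, inside_port, remote_ip, remote_port)
        self.log = []

    def filter(self, p: Packet) -> str:
        if p.direction == "out":
            # Inside -> Internet: permissive (this is the weakness the text
            # mentions), but remember the connection so the reply can return.
            self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "ALLOW"
        key = (p.proto, p.dst, p.dport, p.src, p.sport)   # mirror of the outbound tuple
        if key in self.state:
            return "ALLOW"       # response to a request sent earlier
        if p.proto == "tcp" and "SYN" in p.flags and p.dport in self.allowed_inbound_ports:
            return "ALLOW"       # a service the administrator chose to expose
        self.log.append(f"REJECT {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.flags}")
        return "REJECT"

def run_demo():
    """Replay a constructed packet sequence and return verdicts plus the reject log."""
    fw = StatefulFirewall()
    traffic = [
        Packet("out", "tcp", INSIDE, 12345, "203.0.113.5", 80, "SYN"),      # browser -> web server
        Packet("in",  "tcp", "203.0.113.5", 80, INSIDE, 12345, "SYN,ACK"),  # the reply to port 12345
        Packet("in",  "tcp", "198.51.100.9", 4444, INSIDE, 23, "SYN"),      # unsolicited from outside
        Packet("in",  "udp", "203.0.113.5", 53, INSIDE, 12345, ""),         # right port, wrong protocol
    ]
    return [fw.filter(p) for p in traffic], fw.log
```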