Firewalls are a particular kind of security measure: they protect a system in a specific way, and
when they are “rule-based” they are not that easy to configure. Because a badly configured firewall
only creates a false sense of security, what follows is an explanation of what a firewall
actually does, starting with a simplified explanation of TCP/IP and networking.


A firewall filters data, accepting or denying requests to communicate with various applications
and machines, keeps a log file and raises an alarm if something in this traffic looks wrong.


Here follows a simplified explanation of TCP/IP. It will help you understand the following
terms, and thus help you configure a rule-based firewall correctly.


Internet, Computer System, TCP/IP, ARP, Port, Connection, Firewall


These terms can be easily understood by analogy. If you are familiar with telephone
systems, think of the Internet as the world-wide telephone network. Here are
the analogies for the other terms:


computer system: a hotel with phones for staff and guests
TCP/IP: a person-to-person call
UDP/IP: voice mail (leaving a message)
port: a telephone extension number
IP address: the telephone number of the hotel
connection: a telephone call
firewall: the hotel telephone operator
ARP: finding a street address


The hotel telephone system is a fitting analogy because the PC plays host to the applications
you run. Setting up a firewall is like telling the hotel operator which calls and messages s/he
is allowed to let through. You, the computer user, are both “hotel manager” and “VIP guest”.


concept 1: applications and services
hotel: hotels have guests and hire staff that serve guests.
firewall: computers have applications (e.g. email, web browsers) and use operating system services (e.g. DNS, RIP, Identification) to support these applications.
concept 2:
hotel: a person in the hotel wants to phone out. He is calling from a phone with an extension number to another person in a different hotel, also with a phone and an extension number.
firewall: an application or service on your PC wants to communicate with another application or service on another system. With TCP/IP and UDP/IP, communication uses the IP addresses of the computers and port numbers.
concept 3: without a firewall
hotel: without an operator, anyone may call in or out. There may be nobody at that extension. Alternatively, the person may or may not answer their phone.
firewall: without a firewall, communications are freely attempted, in or out. Not all ports have services using them. Alternatively, an application/service may or may not accept a connection attempt.
concept 4: role of a firewall
hotel: when the operator is working s/he decides which extensions may make calls and which other hotel and extension they may
firewall: when the firewall is running, it decides which systems may communicate and which port numbers may be used.
concept 5: blocking incoming TCP/IP connections
hotel: an operator can block an incoming telephone call to a person while allowing that person to make outgoing calls.
firewall: a firewall can block incoming connection attempts on any particular TCP/IP port while allowing the same port to be used for outgoing connections.
concept 6: this firewall is a “packet filter”
hotel: the operator can block a call, but does not censor what is said. A security chaperone might help.
firewall: a (packet filter) firewall can block communication but does not inspect the contents of the data packets. Anti-virus software might help.
concept 7: TCP/IP compared to UDP/IP
hotel: some people always make “person-to-person” calls and others leave a message. When you leave a message you are never quite sure that the other person got it.
firewall: applications either use TCP/IP to make a connection or they use UDP/IP to send a single “datagram”. With UDP/IP, you are never quite sure the other application got it.
concept 8: blocking UDP/IP data
hotel: if the operator is instructed to allow a guest to leave messages for another person in another hotel, then s/he will also allow that other person to leave a message for the
firewall: if the firewall has a rule that allows applications/services to send UDP/IP to another system (or systems) on certain ports, that other system may send to you using the same ports. The reason is that it is not clear when the system is replying to you and when it is taking the initiative.
concept 9: how ports are used
hotel: the white courtesy phone in the lobby is available for all guests to make outgoing calls. Typically, hotel staff can be reached at extensions 1 to 1023. Courtesy phones have extensions 1024 to 5000. This way, guests don’t tie up extensions assigned to hotel services (room service, front desk).
firewall: a range of (local) ports is available for applications that communicate with services on other systems. Typically, services are available on ports 1 to 1023. Ports for temporary use range from 1024 to 5000. This way, applications/services don’t tie up a port assigned to your system’s services (file shares, identification
concept 10: how ports are used (2)
hotel: a convention in the hotel business is that the lounge is at ext. 80, the concierge is at ext. 53, a bellman is at ext. 23, etc. This way, guests know how to reach staff in other hotels. Guests are kindly requested not to use the staff’s extensions for personal calls.
firewall: a convention in the TCP/IP and UDP/IP protocols is that particular services are available at particular ports, e.g. web servers are at port 80, DNS at 53, telnet at 23, etc. This way, your applications know how to reach services on other systems. Applications should not use these ports inappropriately.
concept 11: rule usage
hotel: this hotel has an operator who can be instructed to allow certain calls through under certain circumstances, such as 1) only when a certain guest is in the hotel, 2) when cell phones are in use, 3) when a call is going through the hotel’s secure phone lines, etc.
firewall: with a firewall you can make a rule that allows certain communications only under certain circumstances, such as 1) when a certain application is running, 2) when a dial-up connection is alive.
concept 12: priority of rules
hotel: some instructions for the operator are more important than others. By assigning a priority to each one, one controls the order in which the operator reads and applies instructions.
firewall: some rules take precedence over others. By setting the priority you can control the order in which rules are used and applied.
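As an added example (not part of the original page), the following Python script models concepts 4, 5, 8, 9 and 12 as a toy rule-based packet filter: rules are consulted in priority order and the first match decides; incoming TCP connection attempts are refused on ports that outgoing connections may still use; and the outbound UDP rule for DNS forces an inbound rule that cannot tell a reply from an unsolicited datagram, which the ephemeral-port restriction only partly mitigates. The rule names, the trusted host address and the sample packets are constructed for illustration (addresses are taken from the RFC 5737 documentation ranges).

```python
# Added example: a toy rule-based packet filter modelling the concepts above.
# Not code from the original page; rules, addresses and packets are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """One IP packet as the filter sees it: direction, protocol, addresses, ports."""
    direction: str          # "in" (arriving) or "out" (leaving)
    proto: str              # "tcp" or "udp"
    remote_ip: str
    local_port: int
    remote_port: int
    connect: bool = False   # TCP only: True for a connection attempt (SYN without ACK)


@dataclass(frozen=True)
class Rule:
    """A filter rule; a field left as None matches anything (concept 4)."""
    name: str
    action: str                                    # "allow" or "deny"
    priority: int                                  # lower number is consulted first (concept 12)
    direction: Optional[str] = None
    proto: Optional[str] = None
    remote_ip: Optional[str] = None
    remote_port: Optional[int] = None
    local_ports: Optional[Tuple[int, int]] = None  # inclusive local port range (concept 9)
    connect_only: bool = False                     # match only TCP connection attempts (concept 5)

    def matches(self, p: Packet) -> bool:
        if self.direction is not None and p.direction != self.direction:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.remote_ip is not None and p.remote_ip != self.remote_ip:
            return False
        if self.remote_port is not None and p.remote_port != self.remote_port:
            return False
        if self.local_ports is not None and not (self.local_ports[0] <= p.local_port <= self.local_ports[1]):
            return False
        if self.connect_only and not (p.proto == "tcp" and p.connect):
            return False
        return True


class PacketFilter:
    """Consults rules in priority order; the first match decides, otherwise the default (deny)."""

    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.default = default
        self.log: List[str] = []   # the firewall's log file

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                self.log.append(f"{r.action} {p.direction} {p.proto} {p.remote_ip}:{p.remote_port}"
                                f" -> local:{p.local_port} by rule '{r.name}'")
                return r.action
        self.log.append(f"{self.default} {p.direction} {p.proto} {p.remote_ip}:{p.remote_port}"
                        f" -> local:{p.local_port} by default")
        return self.default


EPHEMERAL = (1024, 5000)   # "ports for temporary use" as given in concept 9
ADMIN_HOST = "192.0.2.10"  # constructed trusted address (documentation range)


def build_filter(restrict_udp_replies: bool) -> PacketFilter:
    """Rule set for a home PC: browse the web, resolve names, accept nothing else."""
    rules = [
        # Priority 1 beats the general deny below (concept 12): one trusted host may open SSH.
        Rule("allow-admin-ssh", "allow", 1, direction="in", proto="tcp",
             remote_ip=ADMIN_HOST, local_ports=(22, 22), connect_only=True),
        # Concept 5: refuse every incoming TCP connection attempt, on any port ...
        Rule("deny-inbound-connects", "deny", 10, direction="in", proto="tcp", connect_only=True),
        # ... while port 80 may still be used for outgoing connections.
        Rule("allow-web-out", "allow", 20, direction="out", proto="tcp", remote_port=80, local_ports=EPHEMERAL),
        # Packets of an already-open web connection flow back (they are not connection attempts).
        Rule("allow-web-replies", "allow", 21, direction="in", proto="tcp", remote_port=80, local_ports=EPHEMERAL),
        Rule("allow-dns-out", "allow", 30, direction="out", proto="udp", remote_port=53),
        # Concept 8: to receive DNS answers, UDP from remote port 53 must be let in, and a packet
        # filter cannot tell a reply from an unsolicited datagram. Limiting the local port to the
        # ephemeral range at least keeps such datagrams away from service ports (e.g. file shares).
        Rule("allow-dns-in", "allow", 31, direction="in", proto="udp", remote_port=53,
             local_ports=EPHEMERAL if restrict_udp_replies else None),
    ]
    return PacketFilter(rules)


# Constructed sample traffic, keyed by what each packet illustrates.
SAMPLE_PACKETS = {
    "web request out":        Packet("out", "tcp", "203.0.113.5", 1500, 80, connect=True),
    "web reply in":           Packet("in", "tcp", "203.0.113.5", 1500, 80),
    "connect to my port 80":  Packet("in", "tcp", "203.0.113.5", 80, 3000, connect=True),
    "admin ssh connect":      Packet("in", "tcp", ADMIN_HOST, 22, 4000, connect=True),
    "stranger ssh connect":   Packet("in", "tcp", "203.0.113.5", 22, 4000, connect=True),
    "dns query out":          Packet("out", "udp", "198.51.100.1", 1600, 53),
    "dns answer in":          Packet("in", "udp", "198.51.100.1", 1600, 53),
    "udp from :53 to my 137": Packet("in", "udp", "203.0.113.99", 137, 53),
}


def run(restrict_udp_replies: bool) -> dict:
    """Returns {description: decision} for the sample traffic under the chosen rule set."""
    fw = build_filter(restrict_udp_replies)
    return {name: fw.decide(p) for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"\nrestrict_udp_replies={mode}")
        for name, verdict in run(mode).items():
            print(f"  {verdict:5}  {name}")
```

Running the script shows the two points a practitioner should take from the table: with the unrestricted DNS rule, a UDP datagram from any remote port 53 reaches local port 137 (the firewall cannot know it is not a reply), and only the ephemeral-port restriction turns that into a deny; the priority-1 SSH rule is the sole reason a connection attempt from the trusted host gets past the priority-10 deny, so swapping the two priorities silently locks the administrator out.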


IRC and chat nuking
People who use chat groups (IRC, ICQ) tend to attract harassing interference from other malicious chatters. These lamers send “ICMP nukes” and other datagrams to tell your system that it can no longer reach the chat server. A firewall can block this.
eavesdropping
Even though your system is communicating with one other computer, the traffic travels over a shared network, so other computers can access the information that is sent.
Computers can alter their IP addresses, pretend to be another trusted system and fool the firewall. It is up to the applications to authenticate the remote system and use a secure connection.
TCP connection hijacking
It is possible for a hacker to intercept a TCP connection you have, tell the other system the connection is closed, then pretend to be that system. Without a secure connection made through a firewall your system would never know.
DNS spoofing
If a hacker can interfere with DNS (Domain Name Service), they can supply you with an incorrect IP address and make your system talk to the wrong computers.
altering of data
If a hacker can intercept your communication, they can alter the data. A secure connection provided by a firewall solves this problem.


So much for the analogy. Note that a firewall isn’t built for infection discovery and cleaning. If
your PC were infected, a firewall won’t clean it for you; it would only make access to
the trojan horse (server) etc. impossible. To prevent infections, follow the guidelines
provided under security, and install the appropriate security software as described on other
pages of this website.


We recommend having a look at the (constantly updated) overview of the Top Ten
Attacked Ports provided by the SANS Institute. Just click the “SANS” logo at the
bottom left.