Introduction

What is a firewall?

In the simplest terms, a firewall is a piece of software that regulates the flow of data from one part of a network to another.

Depending on the type of firewall implementation this regulation may take place at different levels. Some firewalls work only at the lowest level, allowing network packets to pass or not based on very simple rules. Other firewalls operate at much higher levels and ensure that only certain applications are allowed to communicate.

Why do I need a firewall?

Whenever you connect a computer to a network you are exposing it to potential attack from other systems on that network. Whenever you connect two networks together you are exposing all the systems on one network to potential attack from all the systems on the other network. Whenever you connect a network to the Internet you are exposing every system on that network to potential attack from every other system on every other network which is connected to the Internet!

Types of firewall

The term firewall is often used, and in my opinion misused, to describe a variety of different network security devices. These devices are usually classified according to which layer of the OSI model they operate at.

Information:
As usual when discussing the OSI model the boundaries between layers are somewhat blurred and functionality from one layer is often combined with that of another in reality.

Network Layer

Firewalls which operate at this layer of the model are more correctly referred to as packet filters. That is to say that they only filter packets based on their IP headers.

They do not maintain any information about protocol state as they are not even aware of different protocols. For this reason they can be extremely fast and can be implemented with very limited resources. This same design decision also limits their flexibility and power.

Network layer firewalls are almost always extended with functionality giving them a limited awareness of the most common transport layer protocols such as TCP and UDP. This allows them to filter based on source and destination port making them much more useful without adding much overhead.

Transport Layer

Firewalls which operate at the transport layer understand not just IP packets but the transport protocols built upon them. They can monitor the state of connection-based protocols such as TCP, as well as connectionless protocols such as UDP, and make decisions based upon that state. For this reason they are sometimes referred to as stateful firewalls.

Being able to make decisions based on state allows much more powerful security policies to be applied. You could, for example, only allow incoming UDP packets from hosts to which packets had recently been sent on that same port, so that replies to your own traffic get through while unsolicited UDP is rejected.

Maintaining a record of the state of all recently observed activity obviously requires far more resources than simple packet filtering does. For this reason full implementations of transport layer firewalls are rarely included in embedded devices.

Transport layer firewalls are also often used to perform other functions not purely related to network security, such as Network Address Translation.
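As an added example, not taken from the original article, the POSIX shell script below expresses the two designs just described as iptables rulesets: a port-aware filter that judges each packet on its own, beside a stateful one that consults the kernel's connection tracking table. The port choices, the use of DNS as the UDP case, and the `IPT` dry-run variable are assumptions of this example; by default the script only prints the commands it would run, and setting `IPT=iptables` (as root) applies them.

```shell
#!/bin/sh
# Added example, not from the original article: a port-aware packet filter
# beside a stateful one, both expressed as iptables commands.
# IPT defaults to printing the commands; run with IPT=iptables as root to apply.
IPT="${IPT:-echo iptables}"

# Network-layer style filter with port awareness only (no connection state).
# To let DNS replies in it has to trust the *claimed* source port, which any
# sender can set, so the rule also admits unsolicited UDP from port 53.
stateless_rules() {
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -p udp --sport 53 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT
    # TCP "replies" are recognised by flags alone: any non-SYN segment passes.
    $IPT -A INPUT -p tcp ! --syn -j ACCEPT
}

# Transport-layer (stateful) filter: conntrack records each flow this host
# starts, including UDP (src, dst, ports) tuples, so a DNS reply is accepted
# only when a matching query was recently sent out.
stateful_rules() {
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to flows we opened (TCP or UDP) and related flows such as ICMP errors.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Packets conntrack cannot place in any flow, e.g. a stray ACK with no SYN seen.
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # The only published service: new SSH connections.
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

# Print (or apply) one of the two rulesets: ./filter.sh stateless | stateful
case "${1:-stateful}" in
    stateless) stateless_rules ;;
    *)         stateful_rules ;;
esac
```

The contrast is the point: the stateless set has no way to tell a DNS answer from any other datagram claiming source port 53, and has to let every non-SYN TCP segment through, whereas the stateful set admits only what the conntrack table can match to traffic this host actually originated.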

Application Layer

Application layer firewalls understand the actual communications protocols used to exchange data, such as FTP. This enables them to be even more powerful than their transport layer counterparts.

By maintaining a record of the application layer state as well as the network layer state, such a firewall can correctly handle multi-stream protocols such as FTP, opening the extra ports as appropriate and, if it is also performing NAT, forwarding them as well.

Information:
This class of firewall also includes proxy servers, although these usually deconstruct the query portion of a request and re-issue it, then do the same for the response.

This level of interaction with the data stream clearly requires a great deal more resources than either network layer or transport layer firewalls. For this reason it is unusual to find application layer firewalls built on anything other than full-blown computers. This may well change in the near future, however, as current implementations are coming ever closer to being practical in embedded systems.

What is iptables?

Whilst it is common to hear iptables referred to as a firewall, it is actually just a user-space tool for manipulating the packet filtering and NAT components of the Linux kernel. These components are correctly referred to as Netfilter, although, rather confusingly, there are also some iptables modules for the Netfilter kernel subsystem.

The combined system of iptables, the Netfilter subsystem and the iptables modules is capable of building firewalls of any of the classes described above, as well as delivering functionality which does not technically fall within the remit of a firewall. The packet mangling features, for example, can be used to provide NAT as well as a whole host of other functions, such as QoS, which are usually only provided by expensive routers.
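As an added example, again not from the article, the script below puts the pieces just named together: the nat table, connection tracking, and the kernel's FTP helper, to turn a Linux box into a masquerading router that also copes with the multi-stream FTP case from the application layer section. The interface names, the LAN range, and the `IPT`, `MODPROBE` and `SYSCTL` dry-run variables are this example's assumptions; by default it only prints what it would run.

```shell
#!/bin/sh
# Added example, not from the original article: NAT router rules plus the
# FTP connection-tracking helper. Defaults only print the commands; set
# IPT=iptables MODPROBE=modprobe SYSCTL=sysctl (as root) to apply them.
IPT="${IPT:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"
SYSCTL="${SYSCTL:-echo sysctl}"
WAN_IF="${WAN_IF:-eth0}"              # assumed interface names
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed private range

router_rules() {
    # The kernel must forward packets and must have the FTP helper loaded.
    $SYSCTL -w net.ipv4.ip_forward=1
    $MODPROBE nf_conntrack_ftp

    # NAT: rewrite the source of LAN traffic leaving WAN_IF to that interface's
    # address. Conntrack remembers the mapping so replies are translated back.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE

    # Forwarding policy: LAN hosts may open flows, the outside may only answer.
    $IPT -P FORWARD DROP
    # Never forward packets arriving from outside that claim a LAN source.
    $IPT -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
         -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Application layer: attach the FTP helper to control connections so the
    # data connection they announce (PORT/PASV) is tracked as RELATED, matched
    # by the rule above, and NATed consistently. Recent kernels only assign a
    # helper when asked for it explicitly like this.
    $IPT -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
}

router_rules
```

The FORWARD chain and the RELATED state are where the three layers meet: the nat table does the address rewriting, conntrack supplies the transport layer state that lets replies back in, and the FTP helper adds the application layer knowledge needed to recognise the second stream as belonging to the first.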