(probably) Everyone knows that firewalls are a “good thing” to have, but how many people actually know how they work?

Firewalls can have many features that I won’t go into here, but the basic way they work is that there is a set of rules that someone sets up (or is given) and the firewall applies those rules to every packet it sees. To understand how it applies them we need to recall how TCP and UDP connections are identified.

A connection is identified by two IP/port pairs, one for the source and one for the destination, together with the protocol (TCP or UDP); this “5-tuple” is the same in both directions, with the pairs swapped. A firewall looks at that information (among other things) to decide whether a packet is “OK” or not. If the packet is OK according to the rules it has been given, the “connection” is assigned an ID and its details are added to a connection table (the “cache”). A purely stateless packet filter can work without this table, but it is what lets a stateful firewall recognise return traffic, figure out “related” connections (such as an ICMP error or a data channel belonging to a tracked session), and keep track of the address and port translations needed when NAT or a DMZ is involved.

In addition to port/IP rules, a firewall can look at any field in the IP packet, and some also inspect the layer 2 frame, including MAC addresses. So a firewall can filter based on the type of packet (for example, dropping ICMP echo requests, i.e. ping), on transport header fields such as the TCP flags (so that only a SYN may open a new connection), and, less commonly, on the content of the packet.

Firewalls can also rewrite fields in the packet, for example marking the DSCP/ToS byte based on the port to support quality of service, or changing the source or destination IP address and port (and recomputing the checksums) to support NAT.

What about this big cache table thing? Can it be “filled” the way an ARP cache can be flooded? Yes, it can: an attacker can open, or spoof, enough new connections to exhaust the table. What happens next depends on the firewall. A stateless packet filter never needed the table, so it simply keeps running every packet through the rules, which is a little slower but still enforces them. A stateful firewall relies on the table to recognise return traffic and related connections, so when the table is full it typically refuses to track new connections and drops them (Linux logs this as “nf_conntrack: table full, dropping packet”); existing connections keep working, but new ones are denied until old entries expire. Either way the firewall does not fail open: the rules still apply, and the failure mode is loss of new connectivity rather than unfiltered traffic.
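To make the rule matching, the connection table and the table-full case concrete, here is an added toy stateful packet filter in Python. It is illustration code written for this page, not code from the post or from any real firewall product; the `Rule` fields, the `Firewall` class and the sample packets (using RFC 5737 documentation addresses) are all constructed for the example, and the table capacity is set artificially low so that the exhaustion path actually runs.

```python
# Added example (not from the original post): a toy stateful packet filter.
# It shows rules matched on the 5-tuple and TCP flags, a connection table
# that lets return traffic through without re-evaluating the rules, and
# what happens when that table fills up. All packets are constructed by hand.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                    # "accept" or "drop"
    proto: Optional[str] = None    # "tcp", "udp", "icmp"; None matches any
    src: Optional[str] = None      # exact source IP; None matches any
    dst: Optional[str] = None      # exact destination IP; None matches any
    dport: Optional[int] = None    # destination port; None matches any
    syn_only: bool = False         # TCP: only a bare SYN may open a connection

    def matches(self, pkt):
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.src is not None and pkt["src"] != self.src:
            return False
        if self.dst is not None and pkt["dst"] != self.dst:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.syn_only and pkt.get("flags") != {"SYN"}:
            return False
        return True


def five_tuple(pkt):
    """Protocol plus both IP/port pairs; ICMP has no ports, so they are 0."""
    return (pkt["proto"], pkt["src"], pkt.get("sport", 0),
            pkt["dst"], pkt.get("dport", 0))


def reverse_tuple(t):
    proto, src, sport, dst, dport = t
    return (proto, dst, dport, src, sport)


class Firewall:
    def __init__(self, rules, max_conns=1000):
        self.rules = list(rules)
        self.max_conns = max_conns   # capacity of the connection table
        self.conns = {}              # connection id -> 5-tuple
        self.index = {}              # 5-tuple (both directions) -> connection id
        self.log = []

    def filter(self, pkt):
        """Return ("accept"|"drop", connection id or None) for one packet."""
        key = five_tuple(pkt)
        # Established traffic: either direction of a tracked connection is
        # accepted straight from the table, without consulting the rules.
        if key in self.index:
            return "accept", self.index[key]
        # New traffic: first matching rule wins; no match means default deny.
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            if rule.action != "accept":
                return "drop", None
            if len(self.conns) >= self.max_conns:
                # A stateful firewall cannot track this flow, so it refuses it
                # rather than letting it through untracked (Linux conntrack
                # logs "nf_conntrack: table full, dropping packet").
                self.log.append(f"table full, dropping {key}")
                return "drop", None
            cid = len(self.conns) + 1
            self.conns[cid] = key
            self.index[key] = cid
            self.index[reverse_tuple(key)] = cid   # so replies are recognised
            return "accept", cid
        return "drop", None


def demo():
    """Run constructed packets through a tiny rule set and return the verdicts."""
    fw = Firewall([
        Rule("drop", proto="icmp"),                                      # no ping
        Rule("accept", proto="tcp", dst="10.0.0.5", dport=443, syn_only=True),
    ], max_conns=2)   # deliberately tiny so the table-full case is reachable
    syn = {"proto": "tcp", "src": "203.0.113.7", "sport": 51000,
           "dst": "10.0.0.5", "dport": 443, "flags": {"SYN"}}
    syn_ack = {"proto": "tcp", "src": "10.0.0.5", "sport": 443,
               "dst": "203.0.113.7", "dport": 51000, "flags": {"SYN", "ACK"}}
    ack_scan = dict(syn, sport=51001, flags={"ACK"})       # no prior SYN
    ping = {"proto": "icmp", "src": "203.0.113.7", "dst": "10.0.0.5"}
    syn2 = dict(syn, src="198.51.100.9", sport=40000)
    syn3 = dict(syn, src="198.51.100.10", sport=40000)
    return {
        "syn": fw.filter(syn),            # ("accept", 1): new connection tracked
        "syn_ack": fw.filter(syn_ack),    # ("accept", 1): reply matched by state
        "ack_scan": fw.filter(ack_scan),  # ("drop", None): not a SYN, not tracked
        "ping": fw.filter(ping),          # ("drop", None): ICMP rule
        "syn2": fw.filter(syn2),          # ("accept", 2)
        "syn3": fw.filter(syn3),          # ("drop", None): table full
        "log": list(fw.log),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9s} {verdict}")
```

The `ack_scan` packet is the reason flags matter: without the `syn_only` check a bare ACK to port 443 would match the accept rule and create state for a connection that never existed. The `syn3` packet shows the exhaustion behaviour: the rules would have accepted it, but a stateful filter that cannot record the flow drops it instead of letting it through untracked.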

One thought on “Firewalls – how do they work?”

  1. Just want to say your article is striking. The clarity in your post is simply striking and I can take for granted you are an expert on this subject. Well, with your permission, allow me to grab your RSS feed to keep up to date with forthcoming posts. Thanks a million and please keep up the accomplished work. Excuse my poor English. English is not my mother tongue.
