Firewalls FAQ
Frequently Asked Questions about Internet Firewalls.
This FAQ about Internet Firewalls was compiled and written by Matt Curtin <cmcurtin@interhack.net> and Marcus J. Ranum <mjr@nfr.com>, with numerous contributions by others.
01 About the FAQ (Firewalls FAQ)
02 For Whom Is the FAQ Written? (Firewalls FAQ) - Firewalls have come a long way from the days when this FAQ started....
03 Before Sending Mail (Firewalls FAQ) - Note that this collection of frequently-asked questions is a result ...
04 Where Can I Find the Current Version of the FAQ? (Firewalls FAQ) - The FAQ can be found on the Web ...
05 Where Can I Find Non-English Versions of the FAQ? (Firewalls FAQ) - Several translations are available. (If you've done a translation and it'...
06 Contributors (Firewalls FAQ) - Many people have written helpful suggestions and thoughtful commentary....
07 Copyright and Usage (Firewalls FAQ) - Copyright ©1995-1996, 1998 Marcus J. Ranum. Copyright ©1998-2000 ...
08 What is a network firewall? - A firewall is a system or group of systems that enforces an access ...
09 Why would I want a firewall? - The Internet, like any other society, is plagued with the kind of ...
10 What can a firewall protect against? - Some firewalls permit only email traffic through them, thereby ...
11 What can't a firewall protect against? - Firewalls can't protect against attacks that don't go through ...
12 What about viruses? (Firewalls) - Firewalls can't protect very well against things like viruses. There ...
13 Will IPSEC make firewalls obsolete? - Some have argued that this is the case. Before pronouncing such a ...
14 What are good sources of print information on firewalls?
15 Where can I get more information on firewalls on the Internet?
16 What are some of the basic design decisions in a firewall? - There are a number of basic design issues that should be addressed by ...
17 What are the basic types of firewalls? - Conceptually, there are two types of firewalls:...
18 Network layer firewalls - These generally make their decisions based on the source, ...
19 Application layer firewalls - These generally are hosts running proxy servers, which permit no ...
20 What are proxy servers and how do they work? - A proxy server (sometimes referred to as an application gateway ...
21 What are some cheap packet screening tools? - The Texas AMU security tools include software for implementing ...
22 What are some reasonable filtering rules for a kernel-based packet screen? - This example is written specifically for ipfwadm on Linux, but ...
23 Implementation (filtering rules for a kernel-based packet screen) - Here, our organization is using a private (RFC 1918) Class C ...
24 Explanation (filtering rules for a kernel-based packet screen) - * Line one flushes (-f) all forwarding (-F) rules....
25 What are some reasonable filtering rules for a Cisco? - The example in figure 4 shows one possible configuration for using ...
26 Implementation (filtering rules for a Cisco) - * Allow all outgoing TCP-...
27 Explanations (filtering rules for a Cisco) - * Drop all source-routed packets. Source routing can be used for ...
28 Shortcomings (filtering rules for a Cisco) - * You cannot enforce strong access policies with router access lists....
29 What are the critical resources in a firewall? - It's important to understand the critical resources of your ...
30 What is a DMZ, and why do I want one? - ``DMZ'' is an abbreviation for ``demilitarized zone''. In the context ...
31 How might I increase the security and scalability of my DMZ? - A common approach for an attacker is to break into a host that'...
32 What is a `single point of failure', and how do I avoid having one? - An architecture whose security hinges upon one mechanism has a ...
33 How can I block all of the bad stuff? (Firewalls) - For firewalls where the emphasis is on security instead of connectivity,...
34 How can I restrict web access so users can't view sites unrelated to work? - A few years ago, someone got the idea that it's a good idea to ...
35 What is source routed traffic and why is it a threat? (Various Attacks - Firewalls) - Normally, the route a packet takes from its source to its destination ...
36 What are ICMP redirects and redirect bombs? (Various Attacks - Firewalls) - An ICMP Redirect tells the recipient system to override something in ...
37 What about denial of service? (Various Attacks - Firewalls) - Denial of service is when someone decides to make your network or ...
38 SMTP Server Hijacking (Unauthorized Relaying) (Common Attacks - Firewalls) - Each site is a little different from every other in terms of what ...
39 Exploiting Bugs in Applications (Common Attacks - Firewalls) - Various versions of web servers, mail servers, and other Internet ...
40 Bugs in Operating Systems (Common Attacks - Firewalls) - Again, these are typically initiated by users remotely. Operating ...
41 Do I really want to allow everything that my users ask for? (Firewalls) - It's entirely possible that the answer is ``no''. Each site has its ...
42 How do I make Web/HTTP work through my firewall? - There are three ways to do it....
43 How do I make SSL work through the firewall? - SSL is a protocol that allows secure connections across the Internet....
44 How do I make DNS work with a firewall? - Some organizations want to hide DNS names from the outside. Many ...
45 How do I make FTP work through my firewall? - Generally, making FTP work through the firewall is done either using ...
46 How do I make Telnet work through my firewall? - Telnet is generally supported either by using an application proxy such ...
47 How do I make Finger and whois work through my firewall? - Many firewall admins permit connections to the finger port from ...
48 How do I make gopher, archie, and other services work through my firewall? - The majority of firewall administrators choose to support gopher ...
49 What are the issues about X11 through a firewall? - The X Window System is a very useful system, but unfortunately has ...
50 How do I make RealAudio work through my firewall? - RealNetworks maintains some information about how to get ...
51 How do I make my web server act as a front-end for a database that lives on my private network? - The best way to do this is to allow very limited connectivity between ...
52 But my database has an integrated web server, and I want to use that. Can't I just poke a hole in the firewall and tunnel that port? - If your site firewall policy is sufficiently lax that you're willing ...
53 How Do I Make IP Multicast Work With My Firewall? - IP multicast is a means of getting IP traffic from one host to a set ...
54 Glossary of Firewall-Related Terms
55 TCP and UDP Ports
56 How do I know which application uses what port? (Firewalls - TCP and UDP Ports) - There are several lists outlining the ``reserved'' and ``well known''...
57 What are LISTENING ports? (Firewalls - TCP and UDP Ports) - Suppose you did ``netstat -a'' on your machine and ports 1025 and ...
58 How do I determine what service the port is for? (Firewalls - TCP and UDP Ports)
59 What ports are safe to pass through a firewall? (Firewalls - TCP and UDP Ports) - ALL.
60 The behavior of FTP (Firewalls - TCP and UDP Ports) - Or, ``Why do I have to open all ports above 1024 to my FTP server?''...
61 What software uses what FTP mode? (Firewalls - TCP and UDP Ports) - It is up to the client to decide what mode to use; the default mode when ...
62 Is my firewall trying to connect outside? (Firewalls - TCP and UDP Ports) - My firewall logs are telling me that my web server is trying to ...
63 The anatomy of a TCP connection (Firewalls - TCP and UDP Ports) - TCP is equipped with 6 ``flags'', which may be ON or OFF. These flags are:...