In computer networking, a firewall is designed to control or filter which communications/traffic are allowed in and which are allowed out of a device or network.
A firewall can be installed on a single computer with the purpose of protecting that one computer (host-based firewall) or it can be a standalone network device that protects an entire network of computers and all of the host devices on that network (network-based firewall).
- A hardware firewall inspects each data packet before it’s allowed to enter the network.
- A software firewall performs the same functions as a hardware firewall, but it’s not a physical device. Instead, it’s a software program installed on a computer or on a server. If the software firewall is installed on a computer, it will analyze all the traffic received by that computer. If the software firewall is installed on a server, it will protect all the devices connected to the server.
- Cloud service providers offer firewalls as a service, or FaaS, for organizations. Cloud-based firewalls are software firewalls hosted by a cloud service provider.
Port filtering: A firewall function that blocks or allows certain port numbers to limit unwanted communication
Types of firewall#
As computer and network attacks have become more sophisticated, new types of firewalls have been developed, which serve different purposes.
Stateless Firewall#
This type of firewall operates on layer 3 and layer 4 of the OSI model and works solely by filtering the data based on predetermined rules, without taking note of the state of previous connections. This means it matches every packet against the rules regardless of whether the packet is part of a legitimate, already-established connection. Because it maintains no state information, it cannot use earlier packets to make decisions about future ones. Due to this, these firewalls can process packets quickly. However, they cannot apply complex policies based on a packet’s relationship with previous connections. Suppose the firewall denies a few packets from a single source based on its rules. Ideally, it should drop all future packets from this source, because the previous packets did not comply with the firewall’s rules. A stateless firewall, however, retains nothing, so future packets from this source are treated as new and matched against the rules again.
Stateful Firewall#
Unlike stateless firewalls, this type of firewall goes beyond filtering packets by predetermined rules. It also keeps track of previous connections and stores them in a state table. This adds another layer of security by inspecting packets based on their history within a connection. Stateful firewalls operate at layer 3 and layer 4 of the OSI model. Suppose the firewall accepts a few packets from a source address based on its rules. In that case, it records this connection in its state table and allows all future packets belonging to this connection without matching each of them against the rules. Similarly, a stateful firewall takes note of the connections for which it denies packets and, based on this information, denies all subsequent packets of the same connection from that source.
Proxy Firewall#
The limitation of the previous firewall types is their inability to inspect the contents of a packet. Proxy firewalls, or application-level gateways, act as intermediaries between the private network and the Internet and operate on the OSI model’s layer 7. They inspect the content of the packets as well. Requests made by users in the network are forwarded by the proxy after inspection, with the proxy’s own IP address substituted as the source, which hides the internal IP addresses. Content filtering policies can be applied to these firewalls to allow or deny incoming and outgoing traffic based on its content.
Next-Generation Firewall (NGFW)#
This is the most advanced type of firewall. It operates from layer 3 to layer 7 of the OSI model, offering deep packet inspection and other functionalities that enhance the security of incoming and outgoing network traffic. It has an intrusion prevention system that blocks malicious activities in real time. It offers heuristic analysis, analyzing the patterns of attacks and blocking them before they reach the network. NGFWs have SSL/TLS decryption capabilities: they inspect packets after decrypting them and correlate the data with threat intelligence feeds to make better-informed decisions.
| Firewalls | Characteristics |
|---|---|
| Network layer firewall | This filters communications based on source and destination IP addresses. |
| Transport layer firewall | Filters communications based on source and destination data ports, as well as connection states. |
| Application layer firewall | Filters communications based on an application, program or service. |
| Context aware layer firewall | Filters communications based on the user, device, role, application type and threat profile. |
| Network address translation (NAT) firewall | This firewall hides or masquerades the private addresses of network hosts. |
| Host-based firewall | Filters ports and system service calls on a single computer operating system. |
Firewall Rules#
A firewall gives you control over your network’s traffic by using rules. Although it filters traffic based on its built-in rules, customized rules can be defined for the needs of different networks.
The basic components of a firewall’s rule are described below:
- Source address: The machine’s IP address that would originate the traffic.
- Destination address: The machine’s IP address that would receive the data.
- Port: The port number for the traffic.
- Protocol: The protocol that would be used during the communication.
- Action: This defines the action that would be taken upon identifying any traffic of this particular nature.
- Direction: This field defines the rule’s applicability to incoming or outgoing traffic.
Types of Actions#
The component “Action” from a rule indicates the steps to take after a data packet falls under the category of the defined rule. Three main actions that can be applied to a rule are explained below.
- Allow: A rule’s “Allow” action indicates that the particular traffic defined inside the rule would be permitted.
- Deny: A rule’s “Deny” action means that the traffic defined inside the rule would be blocked and not permitted. These rules are fundamental for the security team to deny specific traffic coming from malicious IP addresses and create more rules to reduce the threat surface of the network.
- Forward: The action “Forward” redirects traffic to a different network segment using the forwarding rules created on the firewalls. This applies to the firewalls that provide routing functionality and act as gateways between different network segments.
Directionality of Rules#
- Inbound Rules: Rules are categorized as inbound rules when they are meant to be applied to incoming traffic only. For example, you might allow incoming HTTP traffic (port 80) on your web server.
- Outbound Rules: These rules are made for outgoing traffic only. For example, blocking all outgoing SMTP traffic (port 25) from all the devices except the mail server.
- Forward Rules: Forwarding rules are created to forward specific traffic inside the network. For example, a forwarding rule can be created to forward the incoming HTTP (port 80) traffic to the web server located in your network.
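The following is an added example, not part of the original page: a small Python model of the rule components and directions described above (source, destination, port, protocol, action, direction), evaluated once as a stateless filter and once as a stateful filter with a state table keyed by the flow’s 5-tuple. The rule set, hosts and addresses are constructed for illustration; it shows the point made in the stateless/stateful sections, that without state the reply to an allowed outbound connection is dropped by the default inbound deny, while the stateful filter recognizes it as part of an accepted connection.

```python
from collections import namedtuple

# Constructed rule set using the components listed above:
# (direction, protocol, source, destination, destination port, action); "any" matches all.
RULES = [
    ("in",  "tcp", "any", "10.0.0.5", 80,    "allow"),  # web server accepts HTTP
    ("out", "tcp", "any", "any",      25,    "deny"),   # no outbound SMTP
    ("out", "any", "any", "any",      "any", "allow"),  # default: hosts may go out
    ("in",  "any", "any", "any",      "any", "deny"),   # default: drop unsolicited inbound
]

Packet = namedtuple("Packet", "direction proto src dst sport dport")

def match_rule(pkt, rule):
    d, proto, src, dst, dport, _ = rule
    return (d == pkt.direction and proto in ("any", pkt.proto)
            and src in ("any", pkt.src) and dst in ("any", pkt.dst)
            and dport in ("any", pkt.dport))

def stateless_filter(pkt):
    """Every packet is matched against the rules in order; nothing is remembered."""
    for rule in RULES:
        if match_rule(pkt, rule):
            return rule[-1]
    return "deny"  # implicit default when no rule matches

class StatefulFilter:
    """Same rules, plus a state table keyed by the flow's 5-tuple."""
    def __init__(self):
        self.state = {}  # flow key -> verdict already taken for that flow

    def filter(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state:              # known flow: reuse its verdict, allow or deny
            return self.state[key]
        if self.state.get(reverse) == "allow":
            return "allow"                 # reply belonging to an accepted connection
        verdict = stateless_filter(pkt)    # new flow: consult the rules once
        self.state[key] = verdict
        return verdict

def demo():
    """Constructed traffic: an inside host opens an HTTPS connection and the server replies."""
    request = Packet("out", "tcp", "10.0.0.7", "203.0.113.10", 51000, 443)
    reply = Packet("in", "tcp", "203.0.113.10", "10.0.0.7", 443, 51000)
    sf = StatefulFilter()
    return {"stateless": (stateless_filter(request), stateless_filter(reply)),
            "stateful": (sf.filter(request), sf.filter(reply))}
```

Running `demo()` gives `("allow", "deny")` for the stateless filter and `("allow", "allow")` for the stateful one; a stateless deployment would need an explicit inbound rule for the return traffic.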
Windows Defender Firewall#
Windows Defender Firewall is the firewall built into the Windows OS by Microsoft. It contains all the basic functionality for allowing or denying specific programs and for creating customized rules.
We can open this firewall by opening the Windows search and typing “Windows Defender Firewall.”
The Windows Defender Firewall’s home page shows the “Network Profiles” and the available options.
Network Profiles#
There are two available network profiles. Windows Firewall determines your current network type using Network Location Awareness (NLA) and applies that profile’s firewall settings for you. We can have different firewall settings for each of them.
- Private networks: This includes the firewall configurations to apply when connected to our home network.
- Guest or public networks: This includes the firewall configurations to apply when connected to a public or untrusted network like coffee shops, restaurants, or similar. For example, when connecting to public networks, you can configure firewall settings to block all incoming network connections and allow only some outgoing connections that are essential for you. These settings will apply to the public network profile and will not be implemented when you are in your private home network.
Custom Rules#
Windows Defender Firewall allows you to create custom rules for your network to allow/disallow specific traffic as needed.
To create a custom rule, choose “Advanced Settings” from the available options in the main dashboard. This will open a new tab where you can create your own rules.
Let’s create an outbound rule to block all our outgoing HTTP and HTTPS traffic.
- For this, click on the Outbound Rules option on the left side, then click on New Rule on the right side. It will open the rule wizard. In the first step, select the Custom option and press Next.
- In the second step, select All programs from the next option and press Next. It will ask you to select the protocol type in the third step. Select the Protocol type as “TCP”, keep the Local port as it is, and change the Remote port to “Specific ports” from the dropdown. Write the port numbers in the field below (in our case, 80,443). Now, click on Next.
- In the Scope tab, keep the local and remote IP addresses as they are and press the Next button. In the Action tab, enable the Block the connection option and press Next.
- In the Profile tab, we keep all the network profiles check-marked. Lastly, the final phase is to give your rule a name and an optional description and press the Finish button.
- We can test our rule by browsing to a website. We’ll get an error message saying we cannot reach this page, meaning the rule works.
Linux Firewalls#
Linux offers multiple firewall options.
Netfilter#
Netfilter is the framework inside the Linux OS with core firewall functionalities, including packet filtering, NAT, and connection tracking. This framework serves as the foundation for various firewall utilities available in Linux to control network traffic. Some common firewall utilities that utilize this framework are listed below:
- iptables: This is the most widely used utility in many Linux distributions. It uses the Netfilter framework that provides various functionalities to control network traffic.
- nftables: It is a successor to the “iptables” utility, with enhanced packet filtering and NAT capabilities. It is also based on the Netfilter framework.
- firewalld: This utility also operates on the Netfilter framework and has predefined rule sets. It works differently from the others and comes with different pre-built network zone configurations.
ufw#
ufw (Uncomplicated Firewall), as the name says, eliminates the complication of writing rules in the complex syntax of “iptables” (or its successor) by giving you an easier interface. It is more beginner-friendly. Basically, whatever rules you need in “iptables”, you can define them with a few simple ufw commands, and ufw then configures the corresponding rules in “iptables” for you.
- To check the status of the firewall: `sudo ufw status`
- To enable it: `sudo ufw enable`
- Rule to allow all outgoing connections from a Linux machine: `sudo ufw default allow outgoing`. The `default` in the command means that we are defining this as the default policy, allowing all outgoing traffic unless we restrict outgoing traffic for a specific application in a separate rule. You can also set the default policy for traffic coming into your machine by replacing `outgoing` with `incoming`.
- Rule to block incoming SSH traffic: `sudo ufw deny 22/tcp`
- To list all the active rules in numbered order: `sudo ufw status numbered`
- To delete a rule by its number: `sudo ufw delete [rule no]`