Firewall Rules
Firewall rules are the set of instructions defined by the security administrators of an organization. They are defined separately for inbound and outbound network traffic, and are used to allow or deny packets on the basis of their service, user account, protocol, port number, source address, destination address, etc.
Inbound and Outbound Firewall Rules
Inbound Rules – Security administrators create inbound firewall rules to monitor all incoming packets. When a network interface card (NIC) receives an incoming packet, it is checked against the inbound firewall rules. If the incoming packet falls under the criteria of any rule, the firewall takes appropriate action. Types of actions that firewalls can take are:
- Allow – If an incoming packet meets the criteria of an allow rule defined in the firewall, the packet is allowed to enter the network or computer.
- Deny – If an incoming packet is unknown (it matches no rule), or if it meets the criteria of a deny rule, the packet is denied. When the firewall denies a packet, it sends an ICMP message to the source machine informing it that the destination host is unreachable. After receiving the ICMP message, the source application or host aborts the connection and stops retrying, which saves network bandwidth.
- Drop – When a firewall is configured to drop a packet, and the incoming packet is unknown or meets the drop criteria of a rule, no message is sent to the source host or application. If a connection-oriented protocol such as TCP is used to transfer the packet, and no acknowledgement of the transferred packet is received from the destination host, the source host keeps resending the packet until it receives an acknowledgement or its retransmission limit is exceeded. Since no information about the dropped packet reaches the source host, the source keeps retransmitting, uselessly consuming additional network bandwidth. For this reason, configuring a firewall to drop packets is not considered good practice in most network setups.
Outbound Rules – Security administrators create outbound firewall rules to monitor all outgoing packets that leave the computer or network on which the rules are applied. Monitoring and limiting the destinations of outgoing packets is equally important, because a packet that leaves a host carries its source information, which hostile users can capture and misuse to gain unauthorized access to sensitive information held by the source computer or network. The main reasons for a packet to leave a source host are:
- Remote Applications/Services – When an application or service on a remote computer or network requests information from a local computer or network, the corresponding packets may leave the local host to fulfil the request. If appropriate outbound rules are created and applied, the firewall does not allow the packets to leave the source, on the basis of destination network address, port number, protocol, etc.
- Local Applications/Services – When an application or service on a local host requests information from a remote location, the corresponding packets may leave the local NIC to fetch the requested information; a user opening a particular webpage is one example. If an appropriate outbound rule is applied, the firewall stops those packets from leaving the source, on the basis of destination domain, port number, protocol, etc.
Defining Firewall Rules
While defining inbound or outbound rules, security administrators must consider a few points and then define the rules as per the needs. Points that they must consider are:
- Rule Type – Security administrators must know what type of inbound/outbound rule they want to create. Rules can be for:
  - Program – An inbound/outbound firewall rule created for a program monitors that program's communication and takes the action specified in the rule.
  - Port Number with Protocol – A firewall rule can be defined more granularly when it is created on the basis of port numbers together with their corresponding protocols. For example, a precise rule can be created for HTTPS pages, which use TCP port 443, and another rule for HTTP pages, which use TCP port 80. Separate rules must be defined for connection-oriented (TCP) and connectionless (UDP) protocols, since a rule for TCP port 443 does not cover UDP port 443.
- Action – Once the rule type has been defined, the appropriate action for the rule must be specified. As mentioned earlier, the action can be to allow, deny or drop a packet. Continuing the example above, if an allow rule for HTTPS on TCP port 443 is defined, the firewall allows packets from the HTTPS source to enter the receiving host. Likewise, if a deny rule for HTTP on TCP port 80 is defined, any incoming packet from a non-secured (plain HTTP) webpage is denied by the firewall.
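The following is an added example, not code from the original article: a minimal first-match rule evaluator in Python that models the inbound/outbound directions, the port-plus-protocol rule type, and the allow/deny/drop actions described above, including the difference in what the source host sees after a deny versus a drop. The `Rule`, `Packet`, `evaluate` and `response_to_source` names and the sample ruleset are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed example: a tiny model of a firewall's rule table, not a real firewall API.

@dataclass(frozen=True)
class Rule:
    direction: str        # "inbound" or "outbound"
    protocol: str         # "tcp" or "udp": TCP and UDP need separate rules
    port: Optional[int]   # destination port; None matches any port
    action: str           # "allow", "deny" or "drop"

@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    dst_port: int

def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only when direction, protocol and (if given) port all agree."""
    return (rule.direction == pkt.direction
            and rule.protocol == pkt.protocol
            and (rule.port is None or rule.port == pkt.dst_port))

def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """Return the action for pkt: the first matching rule wins.
    A packet matching no rule is 'unknown' and receives the default action."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default

def response_to_source(action: str) -> Optional[str]:
    """What the sender observes: deny answers with ICMP unreachable, drop stays silent."""
    if action == "deny":
        return "icmp-destination-unreachable"
    return None  # allow: traffic proceeds normally; drop: nothing is sent back

# Sample ruleset (constructed): allow HTTPS in, deny HTTP in, allow DNS queries out.
RULES = [
    Rule("inbound", "tcp", 443, "allow"),
    Rule("inbound", "tcp", 80, "deny"),
    Rule("outbound", "udp", 53, "allow"),
]

if __name__ == "__main__":
    for pkt in (Packet("inbound", "tcp", 443), Packet("inbound", "tcp", 80),
                Packet("inbound", "udp", 443), Packet("inbound", "tcp", 22)):
        act = evaluate(RULES, pkt)
        print(pkt, "->", act, "| source sees:", response_to_source(act))
```

Note that `Packet("inbound", "udp", 443)` falls through to the default even though TCP 443 is allowed, which is the reason the article insists on separate TCP and UDP rules.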
Handling firewalls and creating inbound and outbound rules is a sensitive task and must be done only by highly skilled and experienced security administrators.