We saw what a firewall can do at the kernel level with port numbers, IP addresses and other filter criteria found in the packet headers.

It is easy to block by TCP or UDP port numbers, block all ping packets (wrong), and you could block all packets with TOS byte fields or TCP flags corresponding to a SYN packet.

But all that is only good for very basic firewalling.

Not very useful in the real world.

In the real world we want to block instant messaging, inspect HTTPS, look at P2P traffic and not just block but allocate bandwidth fairly and so on.

These things require real engineering.

The sort of things a networking engineer is supposed to do.

QoS is nothing but traffic shaping or rate limiting of packets leaving
our network.

We can easily control that but what about packets coming to us?

Nothing much we can do there.

But with QoS we can get fairly good results in controlling network abuse.

What if there is a buffer overflow attack or router worms?

A firewall should be able to deal with such things. What if you want
to do passive OS fingerprinting?

A firewall can do that; block all SMTP traffic from Windows hosts.

Now URL filtering is what people need.

That a firewall cannot do. Only a userspace application can do that.

And for that you have to redirect traffic by proxying.

That is how you also get SIP, FTP and other traffic to work across NAT boxes.

A firewall has the important job of port forwarding. What is that?

All incoming packets are blocked by default and, being a local RFC 1918 network, they are anyway not going to reach inside.

In order to enable that you can do the reverse of NAT.

The packets to an IP address and port can be rewritten to a local machine's IP and port.

This is similar in functionality to ssh port forwarding but it is
different in semantics.

For port forwarding to work the routing should be symmetric and packets should be seen by the address rewriting engine (firewall) in both directions.

We normally get this wrong and suffer in agony.

There is a lot of other load balancing, traffic distribution and other advanced stuff that a firewall should do, but even to get this far is quite a challenge.

Firewalls should be able to separate network segments and manage what is called a DMZ, where you can host your applications, which are accessible from the outside world but from which you can't get into any other local machine.

Unless of course you run the VPN software in it. ;)

-Girish

-- 
Gayatri Hitech
http://gayatri-hitech.com
_______________________________________________
ILUGC Mailing List:
http://www.ae.iitm.ac.in/mailman/listinfo/ilugc
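The port-forwarding point made in the post, as an added toy model that is not code from the original message: a tiny Python simulation of a firewall's address-rewriting engine with a connection table, showing why the reply must pass back through the same engine (symmetric routing) or the client drops it. The `NatEngine`, `Packet` and `exchange` names and all addresses (TEST-NET ranges plus an RFC 1918 host) are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)

class NatEngine:
    """Toy port-forwarding (reverse NAT) engine with a connection table."""

    def __init__(self, forwards):
        # (public_ip, port) -> (rfc1918_ip, port); anything else is blocked
        self.forwards = forwards
        # (client, internal target) -> public address the client sent to
        self.conntrack = {}

    def inbound(self, pkt):
        """Rewrite an incoming packet's destination, or drop it."""
        target = self.forwards.get(pkt.dst)
        if target is None:
            return None  # default policy: unsolicited inbound is blocked
        self.conntrack[(pkt.src, target)] = pkt.dst
        return Packet(pkt.src, target)

    def outbound(self, pkt):
        """Undo the rewrite on the reply so it leaves with the public address."""
        public = self.conntrack.get((pkt.dst, pkt.src))
        if public is None:
            return pkt  # untracked: reply leaves with its private source
        return Packet(public, pkt.dst)

def exchange(engine, client, public, reply_via_firewall=True):
    """One request/reply; returns 'ok', 'blocked' or why the client dropped it."""
    request = engine.inbound(Packet(client, public))
    if request is None:
        return "blocked"
    reply = Packet(request.dst, request.src)  # server answers from its own address
    if reply_via_firewall:  # symmetric routing: the reply passes the engine
        reply = engine.outbound(reply)
    # the client only accepts a reply from the address and port it sent to
    if reply.src == public:
        return "ok"
    return f"dropped: reply came from {reply.src[0]}:{reply.src[1]}"

# constructed example addresses (TEST-NET ranges and an RFC 1918 host)
FORWARDS = {("203.0.113.10", 443): ("192.168.1.20", 8443)}
CLIENT = ("198.51.100.7", 50000)

if __name__ == "__main__":
    engine = NatEngine(FORWARDS)
    print(exchange(engine, CLIENT, ("203.0.113.10", 443)))  # ok
    print(exchange(engine, CLIENT, ("203.0.113.10", 443), reply_via_firewall=False))
    print(exchange(engine, CLIENT, ("203.0.113.10", 22)))  # blocked
```

The second call models the asymmetric case the post warns about: the server's reply bypasses the firewall, so it arrives carrying the private address and the client discards it.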
