What is a firewall and how does it work?

Introduction

Whether you have just started getting into the subject or are simply curious, you have probably come across a firewall before.

A firewall is a system that provides network security by filtering incoming and outgoing network traffic against a set of user-defined rules.
Its purpose is to limit or eliminate unwanted network communication while allowing legitimate communication to flow freely.
In most server infrastructures, a firewall provides an essential layer of security that, combined with other measures, prevents attackers from reaching your servers in ways you did not intend.

In this guide we explain how firewalls work, the mechanics behind tools such as nftables and FirewallD, and how they relate to cloud servers. Here is a quick outline to help you navigate the guide:

1. TCP Network Packets
2. Types of Firewalls
3. Firewall Rules
4. Incoming & Outgoing Traffic
5. Firewall Software & Tools

1. TCP Network Packets

Before discussing the different types of firewalls, let’s take a quick look at what Transmission Control Protocol (TCP) network traffic is and how it works.

TCP network traffic moves around a network in packets. Each packet consists of a header, which carries control information, followed by the data itself (the payload). The header contains, among other things:

  • Source and destination addresses and ports,
  • Sequence and acknowledgement numbers,
  • Flags such as SYN, ACK, FIN and RST that mark the stage of the connection.

The control information in each packet ensures that the associated data is delivered properly; it is also what a firewall inspects when it matches packets against its rules.

PLEASE NOTE: to receive incoming TCP packets, the receiver has to send outgoing acknowledgement packets back to the sender, so a TCP connection always produces traffic in both directions.
The combination of the control information in the incoming and outgoing packets exchanged between sender and receiver is what a firewall uses to determine the connection state: new, established or related.

2. Types of Firewalls

There are three basic types of network firewall:

  • Packet filtering: also called stateless firewalls, these inspect each packet in isolation. They have no notion of connection state and can therefore only allow or deny a packet based on its own header.
  • Stateful: stateful firewalls are much more flexible. They track the packets that belong to a connection and record its state (new, established, related), so a packet is checked against the rules together with the state of the connection it belongs to, not only its own header.
  • Application: also known as proxy-based firewalls. Application firewalls go deeper by analysing the data being transmitted, which allows traffic to be matched against rules that are specific to individual services or applications (for example, individual HTTP requests to a web server).

Firewall software is available on all modern operating systems, and the same functionality can also be provided by hardware devices such as routers or dedicated firewall appliances.

PLEASE NOTE: In this article we’re focusing on stateful firewalls running on the servers that they are intended to protect.
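To make the difference between the first two types concrete, here is one goal, "serve web traffic and let the server fetch its own updates", written first as a stateless and then as a stateful nftables ruleset. This is an added example, not code from the original article; the interface names and ports are placeholders, and you would load only one of the two tables, since both hook the input path.

```nft
# Added example, not from the original article. Load ONE of the two tables.

# Stateless version: each packet is judged on its own header, nothing more.
table inet stateless {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        # New and ongoing web connections: any packet to 80/443 is let in.
        tcp dport { 80, 443 } accept
        # Replies to connections the server opened itself (e.g. updates).
        # Without state the best we can say is "from port 80/443 and not a
        # SYN", and an attacker can choose those source ports freely, so
        # unsolicited ACK/RST/FIN packets to any local port get through.
        tcp sport { 80, 443 } tcp flags & (syn|ack) == ack accept
        # UDP has no flags at all, so DNS replies can only be matched by port.
        udp sport 53 accept
    }
}

# Stateful version: conntrack records the connection at its first packet and
# classifies every later packet as new, established, related or invalid.
table inet stateful {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        # Return traffic is accepted only for connections this host opened
        # or accepted; a forged ACK from port 80 has no conntrack entry and
        # falls through to the drop policy.
        ct state established,related accept
        ct state invalid drop
        tcp dport { 80, 443 } ct state new accept
        # No rule is needed for update or DNS replies: they are "established".
    }
}
```

The stateless table has to open a hole for anything that merely looks like a reply, which is exactly what an ACK scan or a spoofed packet from source port 80 exploits. The stateful table closes that hole with a single rule, because the kernel, not the rule author, decides whether a packet belongs to an existing connection.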

3. Firewall Rules

As explained above, network traffic that traverses a firewall is matched against rules to decide whether it is allowed through or not.

Let’s imagine you have a server with this list of firewall rules applying to the incoming traffic:

  1. “Accept new and established incoming traffic to the public network interface on port 80 and 443” (HTTP and HTTPS web traffic).
  2. “Drop incoming traffic from IP addresses of the non-technical employees in your office to port 22” (SSH).
  3. “Accept new and established incoming traffic from your office IP range to the private network interface on port 22” (SSH).

PLEASE NOTE: each of these rules starts with an action. The three possible actions are accept, reject and drop, and the action says what happens to traffic that matches the rule:

  • Accept means to allow the traffic through,
  • Reject means to block the traffic but reply with an “unreachable” error (an ICMP message or, for TCP, a reset), so the sender learns immediately that it was refused,
  • Drop means to block the traffic and send no reply, so the sender eventually times out.

Network traffic is matched against a list of firewall rules in sequence, from the first rule to the last. Such an ordered list is called a chain.

Once a rule matches, its action is applied to the traffic in question and no further rules are checked. For example, if an employee from the Marketing department tries to establish an SSH connection to the server, the connection is dropped by rule 2 before rule 3 is ever checked. The system administrator, on the other hand, is accepted because their traffic matches only rule 3.

Firewall’s default policy

A chain of firewall rules rarely covers every possible case explicitly, so every chain must have a default policy. The default policy consists only of an action:

  • Accept
  • Reject
  • Drop

For example, if the default policy of the chain above were set to drop, any computer outside your office attempting to establish an SSH connection to the server would be dropped, because that traffic matches none of the rules.

If, instead, the default policy were set to accept, anyone except your non-technical employees could connect to any open service on your server. That is a poorly configured firewall: it keeps out a subset of your own employees and nobody else.
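The three rules above, with a default policy of drop, as an nftables input chain. This is an added example and not code from the original article; the interface names, the office range and the two workstation addresses are placeholders you would replace with your own.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original article. Assumed placeholders:
# eth0 = public interface, eth1 = private interface,
# 203.0.113.0/24 = office range, 203.0.113.50/.51 = non-technical staff.

flush ruleset

table inet filter {
    chain input {
        # Default policy: anything that matches no rule below is dropped.
        type filter hook input priority 0; policy drop;

        # Loopback and already-tracked connections come first: they carry
        # most packets and match cheaply. This is the "established" half of
        # rules 1 and 3; the rules themselves then only need to cover "new".
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # If the host has IPv6, neighbour discovery must survive the drop
        # policy or the host silently loses its v6 connectivity.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept

        # Rule 1: new web connections on the public interface.
        iifname "eth0" tcp dport { 80, 443 } ct state new accept

        # Rule 2: non-technical staff may not reach SSH. It sits before
        # rule 3 on purpose: the chain is evaluated top to bottom and the
        # first match wins, so these hosts never reach the accept below.
        ip saddr { 203.0.113.50, 203.0.113.51 } tcp dport 22 drop

        # Rule 3: new SSH connections from the office range, private side only.
        iifname "eth1" ip saddr 203.0.113.0/24 tcp dport 22 ct state new accept

        # Optional: the rest of the office gets a polite refusal instead of a
        # silent drop, so their clients fail fast instead of timing out.
        ip saddr 203.0.113.0/24 reject with icmpx type admin-prohibited
    }
}
```

Check the file without loading it with nft -c -f firewall.nft. Because the policy is drop, load a new ruleset from a console session, or from a second shell that flushes the ruleset after a delay, so that a typo in rule 3 does not lock you out of SSH. Note that with the drop policy rule 2 is not strictly needed any more; it is kept because it makes the intent explicit and because it still applies if someone later widens rule 3.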

4. Incoming and Outgoing Traffic

On the server’s side, network traffic is either:

  • Incoming (packets arriving at the server), or
  • Outgoing (packets the server sends),

and the firewall maintains a distinct set of rules for each direction.

Most servers allow most outgoing traffic, because a server is usually trusted by itself; incoming traffic, on the other hand, is where most of the filtering happens.

Even so, an outgoing rule set is worth having: it limits what a compromised server, or a malicious executable running on it, is able to talk to.

To get the most out of a firewall, identify every way you want other systems to interact with your server, write rules that explicitly allow those interactions, and drop everything else.

PLEASE NOTE: the outgoing rules must allow the server to send its replies (the acknowledgements and data of a TCP connection) for any incoming connection that the firewall accepted. On a stateful firewall this is a single rule that accepts outgoing traffic belonging to an established or related connection.

Finally, a server typically needs to initiate outgoing connections of its own, for example to download updates, resolve DNS names or talk to a database. Those cases must be covered by the outgoing rule set as well, since they are new connections rather than replies.

Writing Outgoing Rules

Suppose we have set the firewall to drop outgoing traffic by default. Our incoming accept rules are then useless without complementary outgoing rules: the server could receive the first packet of a connection but never answer it.

To complement incoming rules 1 and 3 from the Firewall Rules section, and to let the conversation complete on those interfaces and ports, we could use the following outgoing rules:

  1. Accept established outgoing traffic on the public network interface on port 80 (HTTP) and 443 (HTTPS).
  2. Accept established outgoing traffic on the private network interface on port 22 (SSH).

PLEASE NOTE: incoming rule 2 drops traffic, so no matching outgoing rule is needed: the server never establishes or acknowledges that connection, so there is nothing to send back.
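An output chain that applies the two outgoing rules above, plus the server-initiated traffic discussed earlier, with a default policy of drop. This is an added example and not code from the original article; the interface name, resolver, database address and database port are placeholders. Declaring a table with the same name as an existing one adds the new chain to it rather than replacing it.

```nft
# Added example, not from the original article. Assumed placeholders:
# eth1 = private interface, 10.0.0.2 = DNS resolver, 10.0.0.10 = database
# server listening on 5432.

table inet filter {
    chain output {
        type filter hook output priority 0; policy drop;

        oif "lo" accept

        # Outgoing rules 1 and 2 from the text: replies on connections that
        # the input chain already accepted (web on the public side, SSH on
        # the private side). With connection tracking one rule covers both;
        # without it the server could never complete a TCP handshake.
        ct state established,related accept
        ct state invalid drop

        # Traffic the server starts itself. "established" does not cover the
        # first packet of these connections, so each needs an explicit rule.
        # DNS to the resolver, over UDP and TCP:
        ip daddr 10.0.0.2 udp dport 53 ct state new accept
        ip daddr 10.0.0.2 tcp dport 53 ct state new accept
        # Package updates over HTTP/HTTPS:
        tcp dport { 80, 443 } ct state new accept
        # The database, reachable only through the private interface:
        oifname "eth1" ip daddr 10.0.0.10 tcp dport 5432 ct state new accept

        # Nothing for incoming rule 2: the dropped SSH attempts never become
        # a connection, so there is no reply to allow.
        # Everything else, such as a reverse shell or exfiltration from a
        # compromised process, is logged (rate-limited) and then hits the
        # drop policy.
        limit rate 5/minute log prefix "OUTPUT-DROP "
    }
}
```

The log line is what makes the outgoing chain useful beyond blocking: a compromised process trying to call out shows up in the kernel log with the destination it attempted, which is often the first indication that something is wrong on the host.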

5. Firewall Software and Tools

We have seen what a firewall is, the different types, how it works and how its rules are written. Let’s now look at common software packages that help you set a firewall up.

There are many other firewall-related packages, but these are effective and the ones you are most likely to encounter:

Nftables

nftables is a subsystem of the Linux kernel that filters and classifies network packets, datagrams and frames. It replaces the legacy iptables part of the Netfilter framework, and rulesets are written and loaded with the nft command-line tool. At the time of writing the stable release was 0.9.7 (October 27, 2020).

UFW

UFW, which stands for “Uncomplicated Firewall”, is a front end to iptables that is geared towards simplifying the process of configuring a firewall.

FirewallD

FirewallD is a complete firewall solution, available by default on CentOS 7 servers, that organises rules into zones and services and can change them at runtime. On CentOS 7 it uses iptables to configure netfilter.

Fail2ban

Fail2ban is an intrusion prevention tool that scans log files and automatically adds firewall rules to block hosts that show signs of abuse, most commonly repeated failed login attempts. It is effective against brute-force attacks on SSH and similar services; it is not a substitute for a proper firewall rule set, since it only reacts to what the logs show.


Conclusion

We hope this article helps you understand what a firewall is, how it works and which rules you should implement to improve your server’s security.
