How firewall works?

ocsic669ocsic669 Member Posts: 7 ■□□□□□□□□□
hello everyone,
my question is not specificaly tied to ccnp or cisco per-se ( [IMG]http://www.********.com/forum/public/style_emoticons/default/biggrin.gif[/IMG] ), but i know you will be able to explain it to me, if not point to the right direction.
The doubts i have has to do with how firewall works, not specific cisco firewall, but the SOHO or home firewall you get can get for cheap that doesnt have all that many options.

Let's say for starters, that i don't have any physical firewall at my home, just my windows xp that doesnt even have any software firewall on it, ie. im naked and exposed to internet. I have several
ports open and everybody from internet can try to establish connection with my computer simply using my ip address that my isp gave to me. So lets say my ip is 77.77.77.77. So everybody from internet can try to get top me simply using open ports i have...first thing they'll probably do is get my 139 port. Ho-kay! Now, im smart enough and i get physical firewall that by default puts all my computers on 192.168.1.0/24 and uses pat to translate them to 77.77.77.77 -p (1024-65k).

Now the question,

assuming that the firewall doesn't actually enforce any firewall rules, ie. firewall permits all traffic, what does it mean to hosts on 192.168.1.0/24 as far as security goes? In other words, even if all traffic is permited, outside hosts (on internet), cannot actually get to any of my computers because they have private address? So, if somebody tries to establish connection to 77.77.77.77 139 they would actually try to establish connection with my firewall, correct? Only when i do port forwarding on my firewall and say forward port 139 to 192.168.1.100, only then will a remote host actually get to me. Is this correct?

So, just by installing firewall that actually hides my internal network, all the burden gets on the firewall?
I mean lets say 192.168.1.5 is translated to 77.77.77.77 45454. How can outside host try to establish connection with that computer on a port 23, for example?

Can they "scan" ports on 77.77.77.77 that would actually corespond to local hosts on 192.168.1.0/24?
Or the connection can only be established as a part of my inside initiation, lets say 192.168.1.10 telnets to 4.2.2.2 port 53 and now there is connection to me, but it couldnt be done if i didnt initiate it in first place?


Sorry if this sounds dumb and like a rant, i am trying to understand this topic.
Thx for help!!

Comments

  • kryollakryolla Member Posts: 785
    you're talking about NAT and not firewall. Firewall is packet filtering whether it knows the state of the connection or just filters based on ports. Then they are proxy services and layer 7 filtering etc. But yes you are corrrect on how NAT works and only your router is exposed to the internet and not your internal hosts but by default all or most ports are closed. So when a host sends traffic out it creates a hole or translation entry for the opposite traffic to return. Then if you have a server you can create a static entry for the port.
    Studying for CCIE and drinking Home Brew
  • ocsic669ocsic669 Member Posts: 7 ■□□□□□□□□□
    kryolla wrote: »
    you're talking about NAT and not firewall. Firewall is packet filtering whether it knows the state of the connection or just filters based on ports. Then they are proxy services and layer 7 filtering etc. But yes you are corrrect on how NAT works and only your router is exposed to the internet and not your internal hosts but by default all or most ports are closed. So when a host sends traffic out it creates a hole or translation entry for the opposite traffic to return. Then if you have a server you can create a static entry for the port.


    I am talking abuot both NAT and firewall! :)

    What im saying is, even if the firewall/router doesn't have any firewall config deployed, just default PAT service, then the point of firewall config is to restric outbound access to outside more so than other way around! Right? When the firewall does NAT, then all outside attempts to probe any of the ports on 77.77.77.77 will terminate on firewall. Only when virtual-server (port forwarding ) is configured can specific inside host be exposed (ie 77.77.77.77:80 -> 192.168.0.5:80).

    is this correct?

    again im wondering if i permit all on my firewall, what does it mean to my inside hosts as far as security goes - the inbound connection can happen only as a part of my outbound connection, and not any other way?

    thx
  • miller811miller811 Member Posts: 897
    I don't claim to be an expert, but I sure would like to become one someday.

    Quest for 11K pages read in 2011
    Page Count total to date - 1283
  • ocsic669ocsic669 Member Posts: 7 ■□□□□□□□□□
  • tierstentiersten Member Posts: 4,505
    If you're using NAT/PAT then you can't access internal private IPs from the public side even with the firewall off.

    You should ask this in the Network+ forum or the CCNA forum.
  • kryollakryolla Member Posts: 785
    you have a false security with just relying on NAT whereas a firewall can help secure your internal hosts from malicious activity initiated from when an inside host connects to a server so a firewall will inspect the layer 7 messaging and prevent this type of attack or watch your tcp 3way handshake and make sure its legit. A firewall will also help protect your internal servers from attacks like DOS.
    Studying for CCIE and drinking Home Brew
  • ocsic669ocsic669 Member Posts: 7 ■□□□□□□□□□
    Ok, now that makes sense thank you!

    So just by the virtue of deploying pat i hide all my internal network from being exposed from any kind of attack from outside; so the firewall is there to prevent inside hosts from using specific services to the outside as THAT is the only way from outside service to endanger my internal network?

    Hope that makes sense
  • kryollakryolla Member Posts: 785
    ocsic669 wrote: »
    Ok, now that makes sense thank you!

    So just by the virtue of deploying pat i hide all my internal network from being exposed from any kind of attack from outside; so the firewall is there to prevent inside hosts from using specific services to the outside as THAT is the only way from outside service to endanger my internal network?

    Hope that makes sense

    you got it
    Studying for CCIE and drinking Home Brew
  • CyanicCyanic Member Posts: 289
    Don't forget about UPnP, its a lovely little way to open up a NATing home firewall/router to the outside. A good hacker or a poorly written application might be able to open your firewall if they can generate some UPnP traffic on the inside. I have always turned it off.
Sign In or Register to comment.