Specifications

For such a connection, there would be no entry in the table, because an entry is only created when an internal host opens a connection to the outside. In addition, every established connection is assigned its own status entry in the table, and that entry cannot be used by another connection: a second connection requires a second status record.

As a consequence, you may experience problems with a number of applications: programs use protocols to talk to each other, and some of these protocols try to open additional connections, or send packets from the server to your client, which a simple packet filter cannot recognize as valid. Examples of such protocols are ICQ, cucme, IRC (DCC, CTCP), Quake, and FTP (in PORT mode). Netscape, as well as the standard ftp program and many others, uses PASV mode. This passive mode is much less problematic as far as packet filtering and masquerading are concerned. FTP uses a control connection plus a separate data connection for each file transfer. In PORT (active) mode, the server opens the data connection to the client. In PASV (passive) mode, the client establishes the data connection. As stated previously, our setup only allows connections to be opened from the internal side, which explains the trouble FTP causes when used in PORT mode.
Firewalling Basics
“Firewall” is probably the most widely used term for a mechanism that links two networks and controls the data traffic between them. There are various types of firewalls, which mostly differ in the abstraction level at which traffic is analyzed and controlled. Strictly speaking, the mechanism described in this section is a “packet filter.” Like any other type of firewall, a packet filter alone does not guarantee full protection from all security risks. What a packet filter does is implement a set of rules related to protocols, ports, and IP addresses to decide whether a packet may pass through. This blocks any packets that, according to their addresses, are not supposed to reach your network. Packets sent to the telnet service (port 23) of your hosts, for example, should be blocked, while you probably want people to reach your web server and therefore allow the corresponding port. Note that a packet filter does not inspect the contents of packets as long as they carry legitimate addresses (e.g., directed to your web server). Thus, packets could carry an attack on your CGI scripts, and the packet filter would still let them through.
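The following is an added example, not code from this manual or from any firewall package: a small Python simulation of the two mechanisms described in this chapter. It models the masquerading table with one status entry per connection, created only by connections opened from the inside (which is why the FTP data connection gets through in PASV mode but not in PORT mode, and why an entry cannot be reused by another peer), and the stateless packet filter that decides on addresses, protocol and port alone (which is why it drops telnet but passes a request attacking a CGI script). The hosts, ports and packets are constructed for illustration, and the names MasqTable, filter_inbound, ftp_data_connection and entry_reuse_blocked are this example's own.

```python
"""Added example (not from the original manual): a stateless packet filter in
front of a masquerading table, run over constructed packets.  Addresses use
the documentation ranges (10.0.0.0/8 inside, 198.51.100.1 as the masquerading
host, 203.0.113.7 / 192.0.2.x outside); all of them are made up."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    payload: str = ""   # carried along but never examined by the filter


# --- Stateless packet filter: protocol/port rules, first match wins,
# everything not explicitly allowed is dropped.
RULES = [
    ("tcp", 23, "DROP"),    # telnet to our hosts: never
    ("tcp", 80, "ACCEPT"),  # our web server: open to the world
]


def filter_inbound(pkt):
    """Decide on protocol and port only; the payload is never read."""
    for proto, port, action in RULES:
        if pkt.proto == proto and pkt.dport == port:
            return action
    return "DROP"


# --- Masquerading table: one status entry per connection, created only when
# an internal host opens a connection, and bound to exactly one peer.
class MasqTable:
    def __init__(self, public_ip, first_port=61000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_flow = {}   # (src, sport, dst, dport) -> masqueraded port
        self.by_port = {}   # masqueraded port -> (src, sport, dst, dport)

    def outbound(self, pkt):
        """Internal host -> outside: create the entry if needed, rewrite source."""
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if flow not in self.by_flow:
            port = self.next_port          # a fresh status record per connection
            self.next_port += 1
            self.by_flow[flow] = port
            self.by_port[port] = flow
        return replace(pkt, src=self.public_ip, sport=self.by_flow[flow])

    def inbound(self, pkt):
        """Outside -> masquerader: forward only if an entry matches exactly."""
        if pkt.dst != self.public_ip or pkt.dport not in self.by_port:
            return None                    # nobody inside opened this connection
        src, sport, dst, dport = self.by_port[pkt.dport]
        if (pkt.src, pkt.sport) != (dst, dport):
            return None                    # the entry belongs to another peer
        return replace(pkt, dst=src, dport=sport)


CLIENT, SERVER, PUBLIC = "10.0.0.5", "203.0.113.7", "198.51.100.1"


def ftp_data_connection(mode):
    """True if the FTP data connection makes it through the masquerader."""
    masq = MasqTable(PUBLIC)
    ctrl = masq.outbound(Packet(CLIENT, 40000, SERVER, 21))      # control connection
    assert masq.inbound(Packet(SERVER, 21, ctrl.src, ctrl.sport, payload="220 ready"))
    if mode == "PORT":
        # The client announced a listening port (40001); the server opens the
        # data connection itself from port 20.  No entry exists for it.
        data = Packet(SERVER, 20, PUBLIC, 40001, payload="file contents")
        return masq.inbound(data) is not None
    if mode == "PASV":
        # The server announced a listening port (50000); the client opens the
        # data connection, which creates a second entry, so the reply comes back.
        data = masq.outbound(Packet(CLIENT, 40001, SERVER, 50000))
        reply = Packet(SERVER, 50000, data.src, data.sport, payload="file contents")
        return masq.inbound(reply) is not None
    raise ValueError(mode)


def entry_reuse_blocked():
    """A status entry cannot serve another connection: a different outside host
    sending to an allocated masqueraded port is dropped."""
    masq = MasqTable(PUBLIC)
    out = masq.outbound(Packet(CLIENT, 40000, SERVER, 80))
    stranger = Packet("192.0.2.99", 80, PUBLIC, out.sport)
    return masq.inbound(stranger) is None


if __name__ == "__main__":
    print("telnet:", filter_inbound(Packet("192.0.2.9", 5555, "10.0.0.80", 23)))
    print("cgi attack:", filter_inbound(Packet("192.0.2.9", 5555, "10.0.0.80", 80,
                                               payload="GET /cgi-bin/x?a=;rm+-rf+/")))
    print("FTP PORT:", ftp_data_connection("PORT"), " FTP PASV:", ftp_data_connection("PASV"))
    print("entry reuse blocked:", entry_reuse_blocked())
```

Running the script prints the four decisions: telnet dropped, the CGI request accepted because only its port was examined, the PORT-mode data connection dropped for lack of a table entry, the PASV-mode one forwarded. Beyond what this section describes, real Linux masquerading hosts close the PORT-mode gap with a protocol helper that reads the PORT command on the control connection and pre-creates the entry for the expected data connection; the simulation deliberately has no such helper so that the failure the text explains is visible.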
A more effective, but also more complex, mechanism is the combination of several types of systems, such as a packet filter interacting with an application gateway or proxy. In this case, the packet filter rejects any packets destined to disabled ports. Only packets directed to the application gateway are
186 Masquerading and Firewalls