Network Administration: Packet-Filtering Firewall

A packet-filtering firewall examines each packet that crosses the firewall and tests the packet according to a set of rules that you set up. If the packet passes the test, it’s allowed to pass. If the packet doesn’t pass, it’s rejected.

Packet filters are the least expensive type of firewall. As a result, packet-filtering firewalls are very common. However, packet filtering has a number of flaws that knowledgeable hackers can exploit. As a result, packet filtering by itself doesn’t make for a fully effective firewall.

Packet filters work by inspecting the source and destination IP and port addresses contained in each Transmission Control Protocol/Internet Protocol (TCP/IP) packet. TCP/IP ports are numbers that are assigned to specific services that help to identify for which service each packet is intended. For example, the port number for the HTTP protocol is 80. As a result, any incoming packets headed for an HTTP server will specify port 80 as the destination port.

Port numbers are often specified with a colon following an IP address. For example, the HTTP service on a server whose IP address is 192.168.10.133 would be 192.168.10.133:80.

Literally thousands of established ports are in use. A few of the most common are in the following list.

Well-Known TCP/IP Ports
Port Description
20 File Transfer Protocol (FTP)
21 File Transfer Protocol (FTP)
22 Secure Shell Protocol (SSH)
23 Telnet
25 Simple Mail Transfer Protocol (SMTP)
53 Domain Name Server (DNS)
80 World Wide Web (HyperText Transport Protocol; HTTP)
110 Post Office Protocol (POP3)
119 Network News Transfer Protocol (NNTP)
137 NetBIOS Name Service
138 NetBIOS Datagram Service
139 NetBIOS Session Service
143 Internet Message Access Protocol (IMAP)
161 Simple Network Management Protocol (SNMP)
194 Internet Relay Chat (IRC)
389 Lightweight Directory Access Protocol (LDAP)
396 NetWare over IP
443 HTTP over TLS/SSL (HTTPS)

The rules that you set up for the packet filter either permit or deny packets that specify certain IP addresses or ports. For example, you may permit packets that are intended for your mail server or your web server and deny all other packets.

Or, you may set up a rule that specifically denies packets that are heading for the ports used by NetBIOS. This rule keeps Internet hackers from trying to access NetBIOS server resources, such as files or printers.

One of the biggest weaknesses of packet filtering is that it pretty much trusts that the packets themselves are telling the truth when they say who they’re from and who they’re going to. Hackers exploit this weakness by using a hacking technique called IP spoofing, in which they insert fake IP addresses in packets that they send to your network.

Another weakness of packet filtering is that it examines each packet in isolation without considering what packets have gone through the firewall before and what packets may follow. In other words, packet filtering is stateless. Rest assured that hackers have figured out how to exploit the stateless nature of packet filtering to get through firewalls.

In spite of these weaknesses, packet filter firewalls have several advantages that explain why they are commonly used:

  • Packet filters are very efficient. They hold up each inbound and outbound packet for only a few milliseconds while they look inside the packet to determine the destination and source ports and addresses. After these addresses and ports are determined, the packet filter quickly applies its rules and either sends the packet along or rejects it. In contrast, other firewall techniques have a more noticeable performance overhead.

  • Packet filters are almost completely transparent to users. The only time a user will be aware that a packet filter firewall is being used is when the firewall rejects packets. Other firewall techniques require that clients and/or servers be specially configured to work with the firewall.

  • Packet filters are inexpensive. Most routers include built-in packet filtering.