For the Home Technology Enthusiast

Firewall Basics + Port Forwarding




The primary purpose of a firewall is to prevent unauthorized access to your home network from the outside. Firewalls come in many forms: sometimes a firewall is a piece of software running on the home computer, sometimes it is part of a hardware router in the home network, and sometimes it is a combination of both. However, it is at times desirable to create 'holes' in a firewall so that authorized access can be allowed to resources and servers within a home network. For example, one computer within a home network may be set up to serve web pages to the public.


IP Packets

As a prelude to understanding the functionality and configuration of a firewall, it is helpful to understand certain elements of IP packets and how they are sent through the Internet. IP packets form the basic unit of data exchange between two computers across the Internet. IP stands for Internet Protocol, which is the predominant governing specification for the exchange of data between computers across the Internet. An IP packet functions as a carrier of user data much the same way an envelope functions as a carrier of user material in the regular postal service.


One difference between the Internet and the regular postal service is that in the regular postal service there is practically no limit to the amount of material an envelope can carry, so long as one is willing to use the required physical size and to pay the required charges. On the Internet, on the other hand, there is a maximum amount of data an IP packet can carry. How then is a user to send more than this maximum? The answer is simple: the user breaks the ensemble of data into smaller chunks, each of which fits into an IP packet, and sends these chunks to the intended receiver. The receiver re-assembles these chunks and recovers the original data ensemble. This process of breaking up and re-assembly is handled automatically by the computer and its software modules, and is completely transparent to the computer user. This is akin to the hypothetical situation of a postal service requiring that envelopes not exceed US Letter size and be no thicker than 1 inch. In this hypothetical situation, a user wishing to send reams of paper would first divide the reams into 1 inch thick stacks, put each stack into its own envelope, and mail the envelopes with the same 'From Address' and 'To Address', with a sequence number on each envelope to enable easy 're-assembly' of the original stack by the recipient.


Sending IP Packets across the Internet

The Internet routes or sends an IP packet across the Internet based on the destination IP address specified in the IP packet. The destination IP address is analogous to the 'To Address' that every postal envelope contains. And just as every envelope has a place for the 'From Address', every IP packet has a place to carry the source IP address.


In the postal system, the 'To Address' is a very important element. Without it, there is no way for the postal system to deliver the mail to the intended receiving party. For correct delivery, the 'To Address' needs to have at least two components: a ZIP code (or some sort of postal code) and a street address. The destination IP address is the equivalent of a ZIP code and a street address. Therefore, once the intended destination IP address is specified, the Internet will ensure correct delivery of that IP packet to the corresponding computer.


TCP/UDP Packets

While IP forms a critical element in the exchange of data between computers across the Internet, there is another piece of information without which the exchange of data won't be complete. That information is contained in the TCP (or UDP) packet that is carried within the IP packet. TCP stands for Transmission Control Protocol (and UDP for User Datagram Protocol); the TCP or UDP packet is the unit of data exchanged by applications running on the computers.


Referring to the postal system, while a piece of mail is delivered to the correct destination premises based on the ZIP code and street address specified, the delivery process is complete only when the ultimate recipient, either an individual or a group of individuals called out explicitly in that street address, receives that mail. This target recipient is often specified as the 'Name' in the 'To Address'.


Much the same way, an additional piece of information is included in the TCP (or UDP) packet that enables delivery of the packet to the correct application within the receiving computer. This additional piece of information is the Port Number. And, similar to an IP packet, the TCP (or UDP) packet has places for both a destination port number and a source port number.


The analogy between a postal envelope and a TCP(UDP)/IP packet is illustrated in the figure below.




In summary:

The IP packet is the basic unit of transmission across the Internet between computers. The TCP/UDP packet is the basic unit of transmission across the Internet between applications running on computers. The combination of destination address in the IP packet and the destination port number in the TCP/UDP packet allows for the correct delivery of a TCP/IP (or UDP/IP) packet to the target application software running in the target receiving computer.
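As an added example (not part of the original article), the following Python script builds a minimal IPv4 packet around a TCP header from constructed sample values and parses it back, extracting exactly the fields the text describes: the IP 'To' and 'From' addresses and the TCP destination and source ports. The addresses and ports are assumed sample values.

```python
import struct
from ipaddress import IPv4Address

# Constructed example: build an IPv4 packet carrying a TCP segment, then parse it
# back to show where the 'To Address' / 'From Address' (IP header) and the
# 'Name' (port numbers, TCP header) live.

def build_ipv4_tcp(src_ip, dst_ip, src_port, dst_port, payload=b""):
    """Pack a 20-byte IPv4 header (no options) around a minimal TCP header."""
    tcp_len = 20 + len(payload)
    # TCP: src port, dst port, seq, ack, data offset (5 words), flags (SYN), window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    total_len = 20 + tcp_len
    # IPv4: version/IHL, DSCP, total length, id, flags/frag, TTL, protocol (6 = TCP), checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return ip + tcp

def parse_packet(raw):
    """Return the addressing fields a firewall looks at: protocol, IPs and ports."""
    if len(raw) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes; options would make it > 20
    if ihl < 20 or len(raw) < ihl + 4:  # need at least the two port fields of the transport header
        raise ValueError("truncated header")
    if proto not in (6, 17):            # 6 = TCP, 17 = UDP; ports sit in the same place for both
        raise ValueError("not TCP or UDP")
    src_port, dst_port = struct.unpack("!HH", raw[ihl:ihl + 4])
    return {"proto": "tcp" if proto == 6 else "udp",
            "src_ip": str(IPv4Address(src)), "dst_ip": str(IPv4Address(dst)),
            "src_port": src_port, "dst_port": dst_port}

if __name__ == "__main__":
    # Sample addresses from the documentation ranges; a browser on 203.0.113.7 contacting a web server.
    pkt = build_ipv4_tcp("203.0.113.7", "198.51.100.20", 51234, 80, b"GET / HTTP/1.0\r\n\r\n")
    print(parse_packet(pkt))
```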


The Port Forwarding Issue

Firewalls stop unauthorized TCP/IP (or UDP/IP) packets from entering the 'protected' side. Unauthorized TCP/IP (or UDP/IP) packets typically are those with disallowed destination IP address(es), disallowed destination TCP or UDP port number(s), or a combination of the two. This is illustrated in the figure below.



Port forwarding is simply the setup or 'configuring' of the firewall to permit entry and exit of TCP/IP and UDP/IP packets with authorized destination IP address(es) and authorized destination TCP or UDP port number(s) to and from the 'protected' side of the firewall (the home network in the above illustration).


Port forwarding is very significant in a home network if one wants to host Internet services. By services, we mean applications such as a web (HTTP) server, a file (FTP) server, an email server, etc. Each service is associated with one or more port numbers. Well-known services such as HTTP and FTP have specific port numbers associated with them, 80 and 21 respectively. For HTTP and FTP services to be accessible from the outside, TCP/IP (or UDP/IP) packets with these destination port numbers have to be allowed through the firewall. It is important to remember that there are services that require packets with more than one port number to be allowed for full functionality. The firewall therefore needs to be configured accordingly. Most commercial routers sold for home use allow the user to configure the firewall in this way.
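An added example, not from the original article or from any router's firmware: a small Python model of a home router's port-forwarding table. The public address, the private subnet, the internal hosts and the FTP data port are all assumed sample values. It applies the default-deny rule described above, rewrites an allowed packet to the internal host, rewrites the host's reply back to the public address, and counts the unsolicited inbound hits a home user might want to review.

```python
from collections import Counter

# Constructed example: sample addresses only. Public side of the router is
# 198.51.100.20; the home network is 192.168.1.0/24.
PUBLIC_IP = "198.51.100.20"
LAN_PREFIX = "192.168.1."

# (protocol, external port) -> (internal host, internal port). A service that
# needs several ports simply gets one entry per port; the FTP data port below
# is an assumed value for illustration, not a standard one.
FORWARD_RULES = {
    ("tcp", 80): ("192.168.1.10", 80),        # web (HTTP) server
    ("tcp", 21): ("192.168.1.11", 21),        # FTP control port
    ("tcp", 50000): ("192.168.1.11", 50000),  # FTP data port (assumed)
}

dropped = Counter()  # unsolicited inbound hits per (proto, port); worth logging and reviewing

def inbound(pkt, rules=FORWARD_RULES):
    """Default-deny for packets arriving on the public side.
    Returns the packet rewritten to the internal host, or None when dropped."""
    if pkt["dst_ip"] != PUBLIC_IP:
        return None                           # not addressed to this router at all
    target = rules.get((pkt["proto"], pkt["dst_port"]))
    if target is None:
        dropped[(pkt["proto"], pkt["dst_port"])] += 1
        return None                           # no 'hole' configured for this port
    host, port = target
    if not host.startswith(LAN_PREFIX):       # a rule must point into the home network
        return None
    return dict(pkt, dst_ip=host, dst_port=port)

def outbound_reply(pkt, rules=FORWARD_RULES):
    """Rewrite a reply from a forwarded host so it leaves with the public address."""
    for (proto, ext_port), (host, port) in rules.items():
        if (pkt["proto"], pkt["src_ip"], pkt["src_port"]) == (proto, host, port):
            return dict(pkt, src_ip=PUBLIC_IP, src_port=ext_port)
    return pkt                                # ordinary outbound traffic passes untouched

if __name__ == "__main__":
    web = {"proto": "tcp", "src_ip": "203.0.113.7", "src_port": 51234,
           "dst_ip": PUBLIC_IP, "dst_port": 80}
    fwd = inbound(web)
    print(fwd)                                # delivered to 192.168.1.10:80
    reply = dict(fwd, src_ip=fwd["dst_ip"], src_port=fwd["dst_port"],
                 dst_ip=web["src_ip"], dst_port=web["src_port"])
    print(outbound_reply(reply))              # leaves as 198.51.100.20:80
    print(inbound(dict(web, dst_port=22)), dropped)  # None, one counted drop on tcp/22
```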