When I look at firewall rule sets maintained by other companies, I often notice the same common mistakes. The one I see most often is potentially the worst. I can speculate on a number of reasons how these rules actually get defined and implemented, but it all comes down to the same thing: the way traffic is evaluated and processed by a firewall is not always understood correctly. The result is a rule that looks like this.
The thinking is that the client needs a way to connect to the web server and that the web server needs a way to connect back to the client. Let me explain why this rule is bad and why some of it is unnecessary.
Dissecting a Firewall Rule
The very essence of a firewall is to limit or restrict unwanted traffic, it does this by evaluating specific criteria. At its most basic, a firewall rule consists of 5 objects:
Source IP address
Destination IP address
For a TCP rule such as HTTP, the following three-step handshake applies:
The source or client is the computer initiating the conversation with a SYN packet. A port is dynamically allocated on the source machine and the request is sent to the destination on the predefined static service port.
The destination or server is the computer receiving the SYN conversation request on the specified static service port. The destination machine sends back a SYN-ACK packet.
The client machine receives the SYN-ACK packet from the destination and sends back a final ACK packet.
This completes the three-way handshake. At this point you have a TCP socket or conversation pair. During the lifespan of the socket, the port number on the source and destination will not change. This socket is now a two way […]
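To make the handshake and the rule evaluation concrete, here is a small added simulation (example code written for this post, not a real firewall implementation). It judges the same four packets three ways: a stateless rule base with only the client-to-server rule, the same stateless rule base with the "return path" rule added, and a stateful firewall that remembers the socket created by the admitted SYN. The addresses, ports and the rule objects are constructed for the example; real products also match on protocol and source port, which is left out here for brevity.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str          # "SYN", "SYN-ACK" or "ACK" (constructed labels)

@dataclass(frozen=True)
class Rule:
    src_net: str            # CIDR, e.g. "10.0.0.0/8"
    dst_net: str
    dst_port: Optional[int] # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(self.dst_net)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))

def stateless_decision(rules, pkt: Packet) -> str:
    """Every packet is judged on its own against the rule base, no memory."""
    return "ALLOW" if any(r.matches(pkt) for r in rules) else "DROP"

class StatefulFirewall:
    """Only a SYN is matched against the rules; the socket it creates is
    remembered, and later packets in either direction ride on that socket."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.sockets = set()   # (client_ip, client_port, server_ip, server_port)

    def decision(self, pkt: Packet) -> str:
        fwd = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if fwd in self.sockets or rev in self.sockets:
            return "ALLOW"   # part of a socket already admitted
        if pkt.flags != "SYN":
            return "DROP"    # a reply with no socket behind it
        if any(r.matches(pkt) for r in self.rules):
            self.sockets.add(fwd)
            return "ALLOW"
        return "DROP"

def run_scenario() -> dict:
    # Constructed rules: clients may reach the web server on port 80,
    # and the "return path" rule people add: web server to clients, any port.
    client_to_web = Rule("10.0.0.0/8", "192.0.2.10/32", 80)
    web_back_to_clients = Rule("192.0.2.10/32", "10.0.0.0/8", None)

    # Constructed handshake: dynamic client port 51234, static service port 80.
    syn     = Packet("10.1.1.5", 51234, "192.0.2.10", 80, "SYN")
    syn_ack = Packet("192.0.2.10", 80, "10.1.1.5", 51234, "SYN-ACK")
    ack     = Packet("10.1.1.5", 51234, "192.0.2.10", 80, "ACK")
    # A brand-new connection opened from the web server towards the client.
    server_initiated = Packet("192.0.2.10", 45000, "10.1.1.5", 22, "SYN")

    stateless_one = [client_to_web]
    stateless_two = [client_to_web, web_back_to_clients]
    stateful = StatefulFirewall([client_to_web])

    results = {}
    for name, pkt in [("syn", syn), ("syn_ack", syn_ack),
                      ("ack", ack), ("server_initiated", server_initiated)]:
        results[name] = (stateless_decision(stateless_one, pkt),
                         stateless_decision(stateless_two, pkt),
                         stateful.decision(pkt))
    return results

if __name__ == "__main__":
    for name, (one, two, stateful) in run_scenario().items():
        print(f"{name:17} stateless(1 rule)={one:5} stateless(2 rules)={two:5} stateful={stateful}")
```

The middle column shows why the return-path rule gets written: without it, a firewall that forgets the SYN drops the SYN-ACK. The right column shows why it is unnecessary on a stateful firewall, and the last row shows the cost of adding it anyway: a fresh connection from the web server to any port on any client is waved through, which no rule in the stateful column permits.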