How Firewalls Work

This is an attempt I’m making at explaining firewalls for anyone I refer to these pages. If you’re brighter and more informed than I (and you probably are), feel free to contact me at russ@windofkeltia.com and give me a piece of your mind.

If you have a router behind which your host sits, you already have a firewall. Pop up a DOS command line window and type

	c:> ipconfig

then press Enter. If your IP address is something like 192.168.?.?, then it’s going to be difficult for someone on the outside to get into your computers unless you configure the router to allow them in. Why? Because addresses that start with 192.168... aren’t routed outside your local network (it’s a convention, kind of like call signs such as KGB1634 being valid only on Citizens Band). So no one on the outside can easily reach inside your local area network (LAN), which works using network address translation (NAT) done by your router.

Why does your browser work?

Let’s pretend that your router has you as 192.168.1.3. When your browser sends out a packet to request an HTML page from the web, it says in the packet “I’m 192.168.1.3.” Your router says, “Oh, okay, but that’s not a real IP address that I can route onto the Internet. So I’m going to change it to 66.7.114.165 (what my router’s real Internet address is) and then I’ll just remember you sent this request and when I get the answer, I’ll know whom to send it back to.”

The router forwards the request packet to the web. The packet bounces around via DNS and many other routers until it finds the server with the page. That server returns a packet with part or all of the page back to your router BECAUSE IT DOESN’T KNOW YOU—only your router. Your router gets the reply packet and then says, “Oh, I remember that Russ wanted this HTML page and here it is.” So, the router changes the address in the packet to 192.168.1.3 and sends it out onto the local network wiring, which finds your computer.

See? Pretty simple. (Okay, I’ve lied a little bit about some of the stuff to make it simpler, but this is pretty close to what’s going on.)
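To make the “I’ll just remember you sent this request” part concrete, here is a toy NAT router in Python. It is an added example, not code from this page or from any real router: the LAN prefix 192.168., the public address 66.7.114.165 from the text, the ephemeral port range starting at 40000 and the remote addresses (192.0.2.x, 203.0.113.x) are all constructed for the illustration. Real routers do this in the kernel, track far more state (TCP flags, timeouts) and fix up checksums, but the translation table is the heart of it: a reply is only let back in if it matches something a LAN host sent out.

```python
"""Toy NAT router: an added illustration, not the page's own code."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class NatRouter:
    def __init__(self, public_ip: str, lan_prefix: str = "192.168."):
        self.public_ip = public_ip
        self.lan_prefix = lan_prefix
        # Translation table: public port -> (inside ip, inside port, remote ip, remote port).
        self.table: Dict[int, Tuple[str, int, str, int]] = {}
        self._next_port = 40000  # constructed: ports handed out on the public side

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: rewrite the private source to the router's public address."""
        assert pkt.src_ip.startswith(self.lan_prefix), "only LAN hosts originate here"
        wanted = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        # Reuse an existing mapping for the same inside socket and remote peer.
        for pub_port, entry in self.table.items():
            if entry == wanted:
                break
        else:
            pub_port = self._next_port
            self._next_port += 1
            self.table[pub_port] = wanted
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: deliver only if it answers a connection a LAN host opened."""
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None  # nobody inside asked for this: drop it
        in_ip, in_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # right port but the wrong peer is answering: drop it
        # Put the private address back so the LAN wiring can find the host.
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port, pkt.payload)


def demo():
    """Constructed exchange: a browser request, the web server's reply, and a stranger's knock."""
    router = NatRouter("66.7.114.165")
    request = Packet("192.168.1.3", 51234, "192.0.2.10", 80, "GET / HTTP/1.1")
    on_the_wire = router.outbound(request)
    reply = Packet("192.0.2.10", 80, router.public_ip, on_the_wire.src_port, "HTTP/1.1 200 OK")
    delivered = router.inbound(reply)
    unsolicited = router.inbound(Packet("203.0.113.9", 4444, router.public_ip, 22))
    return on_the_wire, delivered, unsolicited


if __name__ == "__main__":
    wire, back, stray = demo()
    print("on the Internet the request looks like:", wire)
    print("delivered to the LAN host:", back)
    print("unsolicited packet from outside:", stray)
```

Note the two ways a packet from outside is refused: no table entry at all (nobody inside opened that port) and an entry that belongs to a different remote peer. That second check is what keeps one server on the Internet from replying into a conversation another server started.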

Also, Windows XP comes with some built-in firewall protection which you only need to turn on. I don’t know much about it, but I suspect that it blocks some ports based on configuration data you can change.

What is a firewall?

It’s a state of not allowing certain IP packets to pass from your computer to the Internet or from hosts on the Internet to your computer. The firewall can either be at your computer or any choke point between your computer and everything else on the Internet (so, your router, your ISP, etc.)

Your router should be allowing traffic to get in and out on port 80 (for HTTP—Internet browsing) and 22 or 23 (ssh or scp—secure shell protocols like WinSCP). Think of your IP address as being the address of the Motel 6 downtown. It’s got one address, but hundreds or thousands of doors (ports) and all of them are completely locked except for 80 and 22 (or 23). Those are the only ones that can be used. Right there, thousands of opportunities to hack your computer are just completely gone. Only 2 remain.

Unless you have special needs, constraining what comes and goes on those ports (via their associated protocols) means there’s little that can happen to you, because they can’t get in.
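The Motel 6 picture, as an added Python example (not the page’s code, and not a rule set for any real host): a packet filter that walks an ordered rule list the way most real filters do, first match wins and a final catch-all drops everything nothing else accepted. It tracks the connections the host itself opened so the replies can come back in, and it leaves exactly the two doors the text names, 80 and 22, open from the outside. The hosts and ports in the demo are constructed.

```python
"""Toy first-match packet filter: an added illustration, not the page's own code."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving from the Internet) or "out" (leaving our host)
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                          # "accept" or "drop"
    direction: Optional[str] = None      # None means "any"
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    established: Optional[bool] = None   # True: only packets of a connection we already allowed

    def matches(self, pkt: Packet, is_established: bool) -> bool:
        return (self.direction in (None, pkt.direction)
                and self.proto in (None, pkt.proto)
                and self.dst_port in (None, pkt.dst_port)
                and (self.established is None or self.established == is_established))


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        # Connections seen so far, keyed from our host's point of view:
        # (local ip, local port, remote ip, remote port, proto)
        self.connections: Set[Tuple[str, int, str, int, str]] = set()

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        else:
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        established = key in self.connections
        for rule in self.rules:          # first matching rule decides
            if rule.matches(pkt, established):
                verdict = rule.action
                break
        else:
            verdict = "drop"             # nothing matched: the door stays locked
        if verdict == "accept":
            self.connections.add(key)    # remember it so the other side of the conversation is let through
        return verdict


# Constructed policy mirroring the text: doors 80 and 22 open, everything else locked.
POLICY = [
    Rule("accept", established=True),                       # replies to conversations already allowed
    Rule("accept", direction="out"),                        # our host may talk to anyone
    Rule("accept", direction="in", proto="tcp", dst_port=80),   # web server door
    Rule("accept", direction="in", proto="tcp", dst_port=22),   # ssh door (sshd still wants a password)
    Rule("drop"),                                           # every other door
]


def demo() -> List[str]:
    """Run a few constructed packets through the policy and return the verdicts in order."""
    fw = Firewall(POLICY)
    me, web, stranger = "192.168.1.3", "192.0.2.10", "203.0.113.9"
    return [
        fw.filter(Packet("out", "tcp", me, 51234, web, 80)),        # browser asks for a page
        fw.filter(Packet("in", "tcp", web, 80, me, 51234)),         # the page comes back
        fw.filter(Packet("in", "tcp", stranger, 4444, me, 22)),     # knock on door 22
        fw.filter(Packet("in", "tcp", stranger, 4444, me, 3389)),   # knock on a locked door
        fw.filter(Packet("in", "udp", stranger, 53, me, 51234)),    # unsolicited udp to the browser's port
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The last packet is the interesting one: it is aimed at the very port the browser is using, but it comes from the wrong peer over the wrong protocol, so the connection table does not recognise it and the catch-all drops it. Rule order matters too; moving the final drop above the port-80 rule would lock the web server’s door as well.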

Why is this? It depends on the protocol. Think of a protocol as being a way to do things. Like speaking French, or requiring AC instead of DC, or having to say please and thank you, or getting the door slammed in your face if you don’t speak good French or use AC or say please. Etc.

So, you have to knock on door 80 and speak in a language and be polite or the people in room 80 will just shut it on you.

This is because over port 80, browsers make requests of remote file servers (web servers) for files in HTTP format, and they only read them. Browsers cannot, without your explicit permission, save anything into your computer’s file system (disks) or memory outside the browser’s own program memory space. Also, you cannot edit or store something on a remote computer using your browser either (have you tried viewing a page’s source, making changes, then saving it? It doesn’t work). So, port 80 is more or less a read-only port unless and until you say otherwise, and it’s infrequent that the browser even asks you if you want to do something that will allow a remote host to write (say, a virus) to your computer.

Over ports 22 or 23 which are typically reserved for use by secure shell (ssh) or secure shell copy program (scp), you can only gain access to a remote computer if it has a username you know plus a password you know.

It’s like the old speak-easies before the Depression: you knock on the door, but if you don’t have the password of the day, they won’t let you in because you might be the cops.

This is why we want unlikely passwords on my web server: we don’t want some hacker randomly trying names (bill, ted, sally, etc.) and stupid passwords (birthdates, phone numbers, etc.).

But, even if a hacker got into your username with your password, what could he do? Nothing except destroy your websites since your user does not have access to other users’ data (my websites, for instance) and especially not to my web server’s operating system data, files, etc.

Plus, on my web server, you cannot authenticate over ssh as root—the superuser or administrator of my server. If you come to port 22 of my web server and say, “I’m the administrator” the bouncer will just shove his fist in your face and slam the door on you.

This is because I don’t allow anyone, even myself, to get into my web server as user root. When I do it, I have to log on first as myself (gadfly—probably not too common a name for an automatic hacker program to try, with a password that contains letters and numbers no one can guess even if they know me pretty well, so no birthdays, telephone numbers, etc.), then I have to use the su program to log into root using yet another, difficult-to-guess password.
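On an OpenSSH server the “no root over ssh, come in as yourself and su” policy lives in sshd_config as PermitRootLogin. The Python below is an added example, not the page’s or OpenSSH’s code: it parses the relevant parts of an sshd_config text and reports whether the file enforces that policy. It relies on a few facts about the format (keywords are case-insensitive, # starts a comment, and for each keyword sshd keeps the first value it reads), skips Match blocks on the assumption that the global setting is what is being audited, and treats a missing PermitRootLogin line as something to confirm rather than as safe, since the default changed from yes to prohibit-password in OpenSSH 7.0. Both sample configurations are constructed.

```python
"""Audit an sshd_config text for the root-login policy: an added illustration, not the page's code."""
from typing import Dict, List


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return keyword (lower-cased) -> first effective value, ignoring Match blocks."""
    settings: Dict[str, str] = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # strip comments and surrounding whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True                     # assumption: everything after Match is conditional
            continue
        if in_match:
            continue
        settings.setdefault(keyword, value)     # sshd keeps the first value for each keyword
    return settings


def audit_root_login(text: str) -> List[str]:
    """Return a list of findings; an empty list means root cannot log in over ssh at all."""
    cfg = parse_sshd_config(text)
    findings: List[str] = []
    value = cfg.get("permitrootlogin")
    if value is None:
        findings.append("PermitRootLogin is not set: the default is prohibit-password on OpenSSH 7.0 "
                        "and later but yes on older releases; set it explicitly to no")
    elif value.lower() == "yes":
        findings.append("PermitRootLogin yes: root can log in directly over ssh")
    elif value.lower() in ("prohibit-password", "without-password"):
        findings.append("PermitRootLogin %s: root cannot use a password but can still log in with a key; "
                        "use no to require a personal account plus su" % value)
    return findings


# Constructed samples, not any real server's file.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no        # root must come in as a person and then su
PermitRootLogin yes       # ignored: sshd keeps the first value it reads
PasswordAuthentication yes
Match User backup
    PermitRootLogin yes   # inside a Match block, skipped by this audit
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_root_login(cfg) or ["ok: root cannot log in over ssh"])
```

The duplicated PermitRootLogin line in the hardened sample is there on purpose: a second, weaker line appended later in the file changes nothing, which is easy to get backwards when editing by hand. The converse is the real risk, a permissive line near the top silently overriding a hardening line added at the bottom.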

The reason we no longer use ftp (file-transfer protocol) is because the password is exchanged in the clear and it’s a lot less secure than ssh/scp. Even if someone is sniffing packets off the web (looking at their guts to try to find a password), the password is just a hash valid only for a short time period that is only one part of how the user logs in.

Want to know more about networking?

Read this tutorial: Linux Networking-concepts HOWTO.