 So, a firewall has a role of blocking traffic coming into or out of a computer or a network. If the firewall is running on an individual computer, then it blocks what comes in and out of that computer. But in larger organizations, it makes more sense to run a firewall on a network device like a router so it controls what comes in and out of the network, which covers many computers, not just a single one. And there are different types of firewalls, but a very basic approach is what's called a packet filtering firewall. The other one, stateful packet inspection, we'll see is just an extension of packet filtering and the two types of proxies often used for special cases. So a general type of firewall is a packet filtering firewall. And what it does, it filters packets. So when someone's sending something into our computer, what the firewall software does is looks at the packets coming in and makes a decision. Do I allow it in or do I not allow it in? So do I accept or block the packet? So there's a decision there, so it does some filtering of those packets. Those that are allowed in, okay, those that are blocked are done for security purposes. And similar is going out. So what packets to be filtered? The administrator of the firewall, you, has to create a set of rules to say which packets to allow in, which ones to block. And that's what we're going to go through today is a set of very simple rules that were built up for a firewall for some common cases, but it can be much more complex than that. And the rules for the packets that come in, what the firewall software does is it looks at the packet and makes a decision. And the key things that it looks at in the packet are the packet header information. And the packet information, which is commonly used, the IP address, both the source and destination can be used. So in IP packets, the header contains the source IP address and the destination IP address. 
So the firewall can look at those field values and make a decision. Do I want to allow this packet coming from this particular source address, or going to this particular destination address? Because the addresses identify, not necessarily human users, but identify computers on the Internet. And sometimes we can relate those IP addresses to human users. So we can make a decision based upon the host of the source or destination, or we can generalize and not just say, allow packets from this particular address, we can say, allow packets from this range of addresses. We don't have to say a specific address, like this subnet, anything from this subnet. The other packet information: many of the packets which our common applications use are using either TCP as a transport protocol or UDP as a transport protocol. There are other transport protocols, but TCP and UDP are very common. And they both support port numbers. So both the TCP header and the UDP header have a source port field and a destination port field. And port numbers identify applications. So it's common that a server application will have a fixed, well-known port number. Clients may use dynamic ports, but most servers have a fixed, well-known port number. So as a result, if we see a packet with a particular port number, we can identify what application is being used in these communications. For example, web servers use port 80. So if the firewall sees a packet where the destination port is port 80, then the firewall knows or makes the decision that this packet belongs to communications between a web browser and a web server. If it's a different port, then it knows it's not web browsing. Maybe it's an email communication using port 25, and there are many other ports.
And often policies are designed to accept certain types of applications and reject other types of applications: allow the students to browse to websites, don't allow students to access a game server, where a game server may use a different port number. So port numbers can be used to identify applications. We had a quick example yesterday, and we'll return to it, which used ICMP. ICMP we think of as a transport protocol. It's a very special case though, and it doesn't use port numbers. So that was a special case yesterday where we didn't have port numbers. On that, are we using TCP or UDP or ICMP or some other special case transport protocol? How do we know? In the IP header, there's a protocol field or protocol number field. And that field tells us, does this packet use TCP, UDP, ICMP or something else? So again, if we want to allow TCP traffic but not UDP traffic, we can use the protocol number field in the IP header to make that decision. Or like yesterday, we don't want to allow pings to work. Ping we know uses ICMP. The protocol number for ICMP is number one, so we can filter based upon the protocol number. So there are five key fields in the packet headers which are commonly included and used by packet filtering firewalls. You could look at other fields, and firewalls will look at other fields, but these are the five which are the most common. One of the issues which will arise, and we'll maybe discuss today and even next week, is that a challenge for firewalls is that in large networks, they need to process many packets at a time. There are millions of packets per second coming into the network or going out of the network. For every packet, the firewall must look at the header and make a decision. If the firewall is slow in processing each packet, then the packets are slowed down as they go through the firewall, delaying the packets through the network.
So one other thing is to have the firewall operate very fast in making a decision, and it can be fast if it's looking at fixed, predictable headers. There are some other things that we can use to determine whether to accept or not: the direction. So for a firewall on a network device, usually there are at least two interfaces. The one coming from outside, from the external network into our network, and the one inside which heads out. So the interface that the packet arrives on may be used to make a decision whether to accept or not. So we'll see some examples of these, especially the first five. So what we do in the configuration of the firewall is we write rules. And a rule contains a set of conditions, usually using this packet information. Does the IP address equal this value? Does the destination port equal this value? So those are our conditions. We may use the concept of wildcards, where we don't have to match a particular value and can match a range of values. And the rules say if these conditions match for a particular packet, then we'll take some action with that packet. And the two common actions are accept the packet, let it go through, or drop the packet. Sometimes we use other words, block, reject, accept, allow, but the concept is we either accept or drop packets. And typical firewalls will have more than one rule; they have a table of rules, a list of rules. In the examples I'm going to start with, we're going to assume the rules are processed in order. That may not be the case in some firewalls, but it keeps things simple: we process rules in order. So let's go through examples. We'll build up some very simple rules to do some control of our traffic into our example networks. We covered an example yesterday, and we'll recap on what it was, where the firewall was running on a particular computer. Computer 12, let's say it was my laptop in this subnet, and the firewall was some software that I'd installed on my computer.
And in this case I wanted to set up my firewall such that if computer 35 tried to ping me then the firewall would block that ping from being processed, and as a result I would not reply. That was the aim. Maybe we didn't say, and I assumed yesterday, but let's just recap and remind everyone: how does ping work? What is ping? We can draw a picture to show what we mean by ping. Let's say we don't block the traffic. Then with ping the idea is we have computer A, or computer 35 in our example network, and computer 12, my laptop. The way that ping works, if we show what happens over time: if computer 35 pings computer 12, the protocol used is ICMP. So what computer 35 does is it sends what we call a ping request, or more precisely an ICMP echo request, to the destination computer. When computer 35 pings computer 12 it triggers an ICMP echo request to be sent to computer 12. When computer 12 receives it, it processes it and sends back a response, an ICMP reply. And what ping normally does is it repeats: computer 35 repeats that ICMP request every one second. So sometime later it does that again. Most of you know this already because you've taken the network lab and you've seen ping operate. So computer 35 in our scenario has an address, it's actually 3.3.3.35 in our example network, and computer 12 is in fact 1.1.1.12; they're the IP addresses. So that illustrates the packet flow in ping. So what we wanted to do on computer 12 itself was to set the firewall such that ping wouldn't work. Well, what do we mean by ping wouldn't work? Well, if someone pings computer 12 it will not reply. If we don't send the reply, then of course 35 will not know anything about connectivity to computer 12. Computer 12 cannot stop computer 35 from sending the request. We cannot stop them from sending the request, but what the firewall does is once it receives the request, the firewall sees it and drops it, so it deletes that packet, before the ping software processes it.
So inside computer 12 there's the firewall software and the ping software. If the packet gets to the ping software it will send a reply, but what the firewall does is intercept that packet before it gets to the ping software and drop it, so that the ping software doesn't even know about it. So what our approach was in creating the rule was to say, okay, we want to drop this ICMP echo request. So the characteristics of this packet, if we looked into the detail of that packet, if we try and draw the structure of the packet: I will not draw the Ethernet header. We don't necessarily know what data link layer technology was used, but often it would use Ethernet as the MAC layer protocol. I'll simply draw the IP header, because ICMP runs on top of the Internet Protocol, and then the ICMP header. So that's our packet structure. Simply it's an IP header, an ICMP header with some fake data in there; that's what's used in a ping request. The key fields in those headers are in the source address: the IP source address, if it's sent by 3.3.3.35, that's quite simple. In the IP header, the destination address was going to 1.1.1.12. What other field in the IP header is of interest? Look in your slides, the picture of the IP header. There's another field there that's of interest here. There are mainly five, we're going to deal with five very simple fields in our headers. In this case we actually only need three, but what's a header field in the IP header that's of interest to us here? The protocol number. In the IP header there's a field called protocol, which is the protocol number. It tells us what is inside this IP packet. The field we'll just call protocol, protocol number. The value indicates what's here. What is the value for ICMP? Let's look it up. On my computer there's a file in the /etc directory that's called protocols, and it lists, for different transport protocols we think of here, the corresponding protocol number.
IP is zero, ICMP, which is used by Ping, is protocol number one. IGMP, another one which is used for multicast group management, is two. TCP is six. UDP, 17, and there are many others. These are the transport protocols in use. You should remember three of them. So I'll assume maybe in the exam that you can remember that ICMP is one, TCP is six, UDP is 17. We come across them very often, so just remember those numbers for the protocol number for transport protocols. Because in our firewall we want to stop Ping from working. We know Ping uses ICMP, so we should filter on protocol number one, because this ICMP request message would have protocol number one in the header. There are other field values, but these three tell us that computer 35 is sending an ICMP message to computer 12. Now what we really should do is check the message type. ICMP is not just for Ping; it's used for other purposes as well. So we're being broad here, and we're going to say in our firewall we're not going to allow any ICMP messages, even if it's not for Ping. So when 35 sends an ICMP request to computer 12, that request would have these three values. The port numbers are not used by ICMP, so we don't care about port numbers. So given that's how Ping works, what we do in our firewall is create a rule that says if the source IP is 3.3.3.35 and the destination IP is 1.1.1.12 and the protocol number is one, which really means ICMP. I don't care about the source and destination ports; they're irrelevant here. If a packet comes into my firewall which matches those conditions, then we take the action to drop the packet. We discard it. As a result, when computer 35 tries to Ping my computer, the firewall gets the packet; it gets to my computer, but the firewall software drops it before it's processed. The Ping software doesn't get a copy, and of course no reply is sent. As a result Ping effectively doesn't work.
So the rule in our case has these five values, with three of importance: the source IP, destination IP and protocol number. What we'll do is go through some other examples and try and derive the rules that we could use to achieve some aim under some slightly different conditions. Any questions before we move on to some other rules? It's common in quizzes or the exams that you need to write some rules or, given some rules, explain what happens. So we'll use some examples to do that. Okay? Easy. Good. Then we can move on. Let's try a different scenario. In this scenario I assumed the firewall was running on my laptop, computer 12. That's okay maybe if you have just your home computer, but running the firewall on individual computers is not so useful when you have a network like an organization with many computers. It means you need to run the firewall and configure the rules on every computer. So for larger organizations it's more common to run a firewall on a network device like a router. Configure the rules on that one router with the aim of protecting all of the computers inside the subnet. So that's what we'll use for our next example. We'll shift the firewall from a host to a router. So we've got the same network scenario. But let's move the firewall, and I'm going to put the firewall on this router. It's a normal router, but it also runs firewall software. Just to be clear on this diagram, this router is connected to two subnets. One subnet on the left is 1.1.1.0 and on the right 1.1.0.0. The way that the subnetting is done is in fact the two subnets on the left, 1.1.1.0 and 1.1.2.0, are in fact subnets of this larger 1.1.0.0. So this is a case of subnets within a larger subnet. The router has two interfaces, the interface on the subnet on the left and the interface on the subnet on the right. So it's got, imagine, two cables plugged into it, and as a result two IP addresses: 1.1.1.1 and 1.1.4.1 are the IP addresses of router A, which will run our firewall software.
And we're going to assume that the subnet on the left is our subnet. It's the subnet which is internal, the one that we want to protect. So what we're trying to do is protect this subnet and all of the computers on that subnet. Well, in this case I only show two computers, but let's assume there are more than two. So the green subnet is our internal subnet. The rest of the subnets in our simple internet are the rest of the world. So that's external; the green is internal. And imagine that there are many computers internally, not just the two shown. That's our scenario. Let's consider some different aims that we may want to achieve. Let's say the first one. Let's say we have a secure shell server internally. My aim or my policy is I want to stop, let's get a good example. I want to prevent outsiders from secure shelling (SSH) into computer 11. That's my aim. I'll explain secure shell in a moment, but computer 11 inside, let's say it runs a secure shell server. A secure shell server allows someone else to connect and log into that computer. Everyone has done that before; maybe in the lab you secure shell into your friend's computer. You run the secure shell client and connect to the secure shell server on your friend's computer. So we'll imagine that computer 11 runs a secure shell server. Maybe if you're on computer 12 you can log into computer 11. That's okay. But we don't want anyone outside to log into computer 11, because it's just used for internal purposes. So what we want to do is set up the firewall so that it will block people from outside secure shelling into computer 11. So what we need to do is write a rule where the conditions will be summarized as five conditions: source IP, destination IP, protocol number and the source and destination ports; we filter based on these five conditions. So when we create the rule for our firewall we will specify what those five values should be to match the packet of interest, and then we specify the action to take.
So if a packet matches those five conditions then we specify an action. Fill in those values, write the rule yourself. You have the aim; write the rule that will achieve that aim. Computer 11 has a secure shell server running on it. When someone, let's say on computer 36, wants to try and log in to computer 11, our firewall should stop them from doing that. So when they try and log in, their application, say on computer 36, sends a packet to computer 11, and it gets to the router RA because that heads into the subnet, and there's firewall software on that router. So before the router sends it on to the destination, the firewall checks that packet against the rule. So we're trying to write the rule such that when that packet gets to RA the firewall will drop it. That's what we're trying to do. So what characteristics does the packet have to have that matches someone trying to secure shell into computer 11? Let's consider the five key packet filtering criteria, and first let's look at the IP addresses. Here we have the outsiders. If the outsiders want to secure shell into computer 11, consider the packet that they send to computer 11. What will the destination IP be? The IP address of computer 11. So here is the first criterion: the destination is computer 11, that is 1.1.1.11. If someone tries to secure shell into computer 12 we don't want the firewall to do anything with that. Our aim doesn't say anything about computer 12. So we need to specify computer 11 as the destination. Who should the source be? We want to stop outsiders. So how do we specify that? The computers are generally identified by the IP address. So what should we set the source IP value to be in our firewall rule? What's the value? You wrote it down I think. The source. What if computer 36 tries to secure shell into computer 11? What's the source address? What's the source address? 3.3.3.36. What if computer 35 tries to secure shell into 11? What if it was computer 47 down the bottom?
What if there are 1,000 computers on subnet 3.3.3.0? Well, what's the source address? There are a couple of ways we can deal with it. Any source address will be the first approach. It doesn't matter what the source address is; I don't care who the source is. If it's going to computer 11 and the other criteria are met, block it. So we could say, as a broad solution, let's say the source address is any value. I don't care what the value is, and a common way we can write any value is to use star, meaning matches anything. So I could set the source address to be star. If a packet comes into our firewall and that packet has any source address, including 35, 36, 47 of course, it will match this condition. If the packet is destined to computer 11 it will match this second condition. Yes. Right, what about computer 12? We don't want to stop computer 12 from accessing computer 11. That's internal; he's not an outsider, he's an insider. Will it match here? Yes it will match. Is it a problem? No, it's not a problem, because computer 12 would not send a packet via the router. Okay, so there's a bit of a trick here in that computers 12 and 11 are on the same subnet. So when they communicate, they don't send via the router; there's no need, they send direct. So if computer 12 tries to log into computer 11, the packet doesn't even go to the firewall. The firewall only controls packets coming from outside into our network or going from our internal network out. It doesn't control packets within the internal network. So that case we can cover by using the star. We could have been more complicated here, and you can write expressions like the source IP address does not match 1.1.1.0/24. So we could be more specific and say a negative, like it's not equal to 1.1.1.anything. That could be another solution, but star is sufficient here. But what if computer 36 is trying to access the web server on computer 11? We don't want to block that. We only want to stop them from accessing the secure shell server.
So we can't leave it at this. So we need to identify packets belonging to the secure shell connection. What transport protocol does secure shell use? TCP. You need to know that up front. But many applications we use, email, secure shell, web browsing, database access, many of them use TCP. Often you'll start to remember everything uses TCP except for a few special cases. So we can specify the transport protocol to be TCP. What number does TCP use? We saw briefly before it's number six, meaning TCP. Now we could say any transport protocol, but let's be precise here because we know secure shell uses TCP. Maybe to be more secure we could say any transport protocol, star, here. I think it wouldn't hurt. But many applications use TCP, so we need to be more specific. So we need to consider the port numbers, because port numbers identify applications. So the destination port should be the port number associated with secure shell, which is 22. So in the IP header shown here, the source address is any value, the destination address is 1.1.1.11 and currently the protocol number is 6 for TCP. And in the TCP header we're looking at the source and destination port. We want to identify secure shell; in the services file on my computer it lists the port numbers. It lists that secure shell uses port number 22. Note that it says that secure shell also allows UDP. So in fact you can use secure shell over UDP; it's not very common. So really, to be secure, we shouldn't specify the protocol number to be 6, TCP; we could say star. But in this case it's okay to say 6 just to keep it simple. But importantly, port 22. So if the destination port is 22, what about the source port? Let's say someone opens their secure shell client on computer 35 and they send a packet to the secure shell server. The destination port will be 22; the source port will be what? What port will the secure shell client use? Not 22. Commonly clients get a dynamic port number.
When the client starts, the operating system gives it a port number above 40 something thousand. There's a range of port numbers which are for clients. And the next time the client starts it may get a different port number, and then another one and another one. So we can't predict what it will be, but we can still use star. Any source port. Just as an example, and we'll come back to those rules: if I secure shell into another computer, that's the ICT server, I secure shell into there and then look at my connections. I just secure shelled from my laptop into 10.10.6.11. And netstat shows me that there's a connection. My laptop address is 10.10.108.204. The foreign address, or the server, was 10.10.6.11. The server port number was 22. I connected from my secure shell client on my laptop to port 22 on the server. What port number did my client use? This value here, 55600. If I connect again, or to a different server, then it will get a different port number. We can try. I'll exit and connect again. A new connection is established. The old one is still there; it's closing the old one, but the new connection connects to the same IP address, port 22. My laptop now used 55601. It's going in order. It's incrementing. So here client port numbers commonly change. Server port numbers are usually fixed. So when computer 35 tries to secure shell into computer 11, consider that first packet that it sends to connect. And it will be 35 that initiates a connection. They send the first packet saying I want to connect into computer 11. That packet's source address will be 3.3.3.35. Destination 1.1.1.11, protocol TCP, source port will be some dynamic value, 55000, destination port 22. So when 35 sends that packet and it arrives at the router, the firewall looks at the packet and compares the packet values with our rule. And it will match those five conditions. Since it matches those five conditions the firewall takes an action with that packet. What action should it take?
Drop. Drop or reject or block, but don't allow it through. Action: drop. Computer 36 tries to secure shell into 11. Destination is still 1.1.1.11. Destination port is 22 using TCP. It will match the rule. The packet will be dropped. Anyone else outside tries to secure shell into computer 11, the firewall will drop the packet. That very first packet from the client trying to connect to the server is dropped. As a result the response from the server never comes back, because the server never receives the first packet. So there are going to be no follow-up packets. If the client retries, it will be dropped again. As a result there will be no connection set up between client and server for the secure shell connection. That achieves our aim. Questions on how this blocks secure shell? There are a few issues there. The source IP we set to any value because we want to capture all of the computers outside. You need to know the port number to identify secure shell. We're assuming that our default action is accept in this case. The default action is what happens if the rule doesn't match. If computer 35 tries to access the web server on computer 11, the destination port will be 80. Everything else will be the same. It doesn't match this rule. It doesn't match any rules; we only have one. So we take some default action, and at this stage we're assuming the default action is accept. We have a default action, and let's assume it's accept or allow. We only have one rule in this simplified firewall. Let's keep going through examples. Still assuming the default action is accept, let's stop our computer 12. Let's say computer 11 belongs to me. Computer 12 belongs to you. I want to set the firewall so you cannot access websites on this network 3. Maybe computer 35 is a Facebook web server. Computer 36 is another Facebook web server, m.facebook.com. So I don't want you to access those websites, anything on network 3.3.3.0.
If you're computer 12 you cannot access any website on network 3, so write a rule that will implement that aim. Aim: stop computer 12 from accessing websites on network 3. So use a new picture and try and write a new rule. So in this case we're going in the opposite direction. We want to stop someone inside, computer 12, from accessing something outside. So we'll have to deal with that. We're still using the default action of accept, but we'll come back to it: could we do it another way, a default drop? Yes we could. There are some trade-offs there. But given we want to accept everything but stop 12 from browsing web servers on network 3, maybe there are many web servers. Even though I've drawn just computers 35 and 36, let's say we don't know how many other computers there are. There could be hundreds there. We don't know. We just know that this is network 3 and we don't want them to access anything there. So we need to consider our five conditions. Source IP, what value? Now we want to stop computer 12. So think: we want to stop computer 12 from sending out to network 3. So computer 12 sends a packet to some web server on computer 35. Well, the source should be that of computer 12. If it's coming from computer 12, it's destined to who? Well, we could write multiple rules. We are not restricted to a single rule. We could write a rule that says if the destination is 3.3.3.35 do something, and then a second rule, if the destination is 3.3.3.36, with their conditions, and then a third rule, because there may be more than two computers here. That becomes a little bit tiresome, to write a rule for every possible computer, and not possible if we don't know how many are actually there. But we know with IP addresses we've got a way to capture all computers on a subnet. We can use the subnet or the network address. The address that identifies all computers on this subnet is 3.3.3.0/24. This is a special case address that says everyone here. So we can use that as the destination.
So this is sort of like a wildcard. It means anything that starts with 3.3.3. But we take advantage of the fact that IP addresses are assigned to hosts and to subnets. So we capture an entire subnet. Protocol: web browsing. Transport protocol still TCP. Protocol number six, meaning TCP. Source port. What port number would my web browser use on computer 12? We don't know. It's a dynamic port number. The source port could be 48,162, 60,500 or anything between about 40,000 and 65,000 in the common range. So it could be many values. So we set the condition: it could be anything. Destination port is of interest. Web servers: port 80. The rule doesn't, or the aim doesn't, prevent computer 12 from accessing a secure shell server. We should be able to secure shell into computer 35 but not access the web server. So we do that by specifying the destination port of the web server, port 80. Action again: drop. Computer 12 opens his web browser, types in the address of 3.3.3.35 as the destination. A packet is sent from computer 12. It gets to the router RA. The firewall looks at that packet. Source matches the first condition. Destination 3.3.3.35 matches the subnet. It is on that subnet. Transport protocol used by your web browser is TCP; matches the protocol number. Source port, any value, matches. Destination port: your web browser sends to port 80. The five conditions match, so that packet is dropped. It is not sent out to the internet, and therefore it will never get to 35 and nothing will come back. Any questions on how to block our access to our web server? Let's say you're computer 12; you really want to access the website on computer 35 or 36. You know this is the rule; how are you going to bypass the firewall? SIT has set up the firewall like this. You realize now there's a rule that's blocking the access with this rule; I really want to access it. How are you going to bypass it? Sorry. Use a virtual private network, some proxy server or intermediate server to connect to.
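The five-field matching walked through above (the ping rule on computer 12, the SSH rule on router A, and the web-blocking rule with a /24 destination), as an added Python example that is not part of the lecture or its slides. The rule and packet structures, the star wildcard, in-order processing and the default action follow the lecture's description; the `Packet`, `Rule` and `filter_packet` names and all sample packets are constructed here. The example also shows the caveat that a rule matching only destination port 80 leaves HTTPS on port 443 untouched, so a second rule is needed if the policy is "no web access".

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

ANY = "*"                       # the star wildcard: matches any value
Pattern = Union[str, int]       # "*", a host/CIDR string, or a number


@dataclass(frozen=True)
class Packet:
    """The five header fields a packet-filtering firewall looks at."""
    src_ip: str
    dst_ip: str
    proto: int                       # IP protocol number: 1 ICMP, 6 TCP, 17 UDP
    src_port: Optional[int] = None   # None for ICMP, which carries no ports
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One row of the rule table: five conditions plus an action."""
    src: str          # "*", a host address, or a prefix such as "3.3.3.0/24"
    dst: str
    proto: Pattern    # "*" or a protocol number
    sport: Pattern    # "*" or a port number
    dport: Pattern
    action: str       # "accept" or "drop"


def _addr_matches(pattern: str, addr: str) -> bool:
    # A bare host address is treated as a /32 network, so the same check
    # covers "1.1.1.11" and "3.3.3.0/24".
    if pattern == ANY:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _value_matches(pattern: Pattern, value: Optional[int]) -> bool:
    return pattern == ANY or pattern == value


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """All five conditions must hold for the rule to match."""
    return (_addr_matches(rule.src, pkt.src_ip)
            and _addr_matches(rule.dst, pkt.dst_ip)
            and _value_matches(rule.proto, pkt.proto)
            and _value_matches(rule.sport, pkt.src_port)
            and _value_matches(rule.dport, pkt.dst_port))


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "accept") -> str:
    """Process rules in order; the first match decides. No match: default action."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Rule from the host-firewall example: stop 3.3.3.35 pinging 1.1.1.12.
PING_RULE = Rule("3.3.3.35", "1.1.1.12", 1, ANY, ANY, "drop")

# Rule from the router example: no outsider may SSH into 1.1.1.11.
SSH_RULE = Rule(ANY, "1.1.1.11", 6, ANY, 22, "drop")

# Web-blocking rule as stated: computer 12 may not reach port 80 on 3.3.3.0/24.
WEB_RULE_80 = Rule("1.1.1.12", "3.3.3.0/24", 6, ANY, 80, "drop")
# Companion rule for HTTPS; without it the policy is bypassed by using https://.
WEB_RULE_443 = Rule("1.1.1.12", "3.3.3.0/24", 6, ANY, 443, "drop")

# Constructed sample packets (ports for clients are dynamic, as in the lecture).
PING_FROM_35 = Packet("3.3.3.35", "1.1.1.12", 1)
SSH_FROM_36 = Packet("3.3.3.36", "1.1.1.11", 6, 55600, 22)
WEB_TO_11 = Packet("3.3.3.35", "1.1.1.11", 6, 55601, 80)
WEB_12_TO_35 = Packet("1.1.1.12", "3.3.3.35", 6, 48162, 80)
HTTPS_12_TO_35 = Packet("1.1.1.12", "3.3.3.35", 6, 48163, 443)
SSH_12_TO_35 = Packet("1.1.1.12", "3.3.3.35", 6, 48164, 22)


if __name__ == "__main__":
    print("ping 35->12         :", filter_packet([PING_RULE], PING_FROM_35))
    print("ssh 36->11          :", filter_packet([SSH_RULE], SSH_FROM_36))
    print("web 35->11          :", filter_packet([SSH_RULE], WEB_TO_11))
    print("web 12->35 (80 only):", filter_packet([WEB_RULE_80], WEB_12_TO_35))
    print("https 12->35 (80 only):", filter_packet([WEB_RULE_80], HTTPS_12_TO_35))
    print("https 12->35 (80+443):", filter_packet([WEB_RULE_80, WEB_RULE_443], HTTPS_12_TO_35))
    print("ssh 12->35          :", filter_packet([WEB_RULE_80, WEB_RULE_443], SSH_12_TO_35))
```

Running it with only `WEB_RULE_80` shows the HTTPS packet accepted by the default action, which is the bypass discussed next; adding `WEB_RULE_443` closes it while still letting computer 12 SSH to 3.3.3.35, exactly as the stated aim requires.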
Yeah, there's one way. We'll talk about that when we talk about VPNs, how that works. That's one approach. It requires you to have a VPN server. Maybe there's an easier way. Change port, okay, but my web server uses port 80, doesn't it? I can't tell the web server to change the port number. It's maybe the Facebook web server. It listens on port 80. SIT is blocking access to port 80. How can you access this website? Change your IP, okay, so you are computer 12. If you could change your IP address, and the rule is blocking specifically computer 12, you move to IP address dot 13, then it wouldn't block, all right. What SIT could do is say block all of the 1.1.1 addresses which are assigned to students. So that doesn't help, changing the address. You could use a fake source address, all right, so set your address. You can do that quite easily. Set a fake source address to be 7.8.3.4, and that would defeat the rule and bypass. But again, routers are often configured, they should also be configured, to say block anything that comes from a fake source address, one that is not 1.1.1. What else? There's another way. Use a different protocol, specifically you could use a different transport protocol, UDP, but unfortunately our web servers don't communicate using UDP. Some applications may support it, but probably your web server doesn't. There's another one. You're very close. Very simple. VPN, we said, that's not so simple. You need to set up the VPN. Something you can do straight away. Change, we tried to change the protocol, change your IP address, change what else. Someone said change the port. It's related to that. What about HTTPS? HTTP servers use port 80. HTTPS, the server uses a different port number. With HTTPS, the web server is configured to have a secure connection. The web server listens on port 443. So what you do, open up your browser and type in https://3.3.3.35. The same packet is sent, except the destination port will be 443.
It will go through the firewall because the default is to accept anything that doesn't match this rule. Well, how do we stop that? So when we talk about stopping access to a web server, it's not as simple as just port 80, because many web servers also support HTTPS. And therefore we should block port 80 and port 443, because they are commonly used by web servers. So we need to be careful when we set up a firewall. There are many special cases that we could consider that someone may try to use to bypass those rules.

Before we look at changing the default, we need to go back to some details about how this connection actually works. Let's say the rule wasn't implemented. And in the same way that we drew the ping packets, in the normal case, ICMP request, reply, let's try and draw the packets associated with accessing the web server. It'll become useful later. So we have our, in this case, it was computer 12. Let's say it was accessing one of those computers. This is the client, the browser. And 35 is running the web server, port 80. Browser port we don't know, not so much of interest. What's the first packet, assuming the firewall is not used? What's the first packet sent from browser to server? Does anyone know how web browsing works? Not discover, you've got too much DHCP on your mind. What else? How do we connect to a web server? A TCP SYN. In fact, the protocol used for web browsing is HTTP. With web browsing, we actually send an HTTP GET request to get the web page. The web server sends back an HTTP response with the web page. But before we can send that first HTTP GET request, we need to establish a TCP connection. So the very first packet sent will be a TCP message to establish a connection; that's called a TCP synchronize, or SYN, message. TCP involves a three-way handshake to start up. So the packets we would actually see if we captured them: the browser, or the client, the TCP client, sends a SYN message.
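To make the five-condition matching concrete, here is an added example (not from the lecture) that evaluates the rule the way router RA would. It assumes 1.1.1.12 as computer 12's address and 3.3.3.0/24 for subnet 3.3.3, and shows the port 80 drop, the HTTPS bypass on port 443 under a default of accept, and the second rule that closes it.

```python
import ipaddress
from dataclasses import dataclass

ANY = None  # wildcard: the condition matches whatever value the packet carries

@dataclass
class Packet:  # the header fields a packet filter examines (the five-tuple)
    src: str
    dst: str
    proto: int    # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    sport: int
    dport: int

@dataclass
class Rule:
    src: object    # a host ("1.1.1.12"), a subnet ("3.3.3.0/24") or ANY
    dst: object
    proto: object  # protocol number or ANY
    sport: object  # port number or ANY
    dport: object
    action: str    # "drop" or "accept"

def _addr_match(cond, addr):
    # A bare host address is treated as a /32 network, so one check covers both
    return cond is ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(cond)

def _field_match(cond, value):
    return cond is ANY or cond == value

def rule_matches(rule, pkt):
    # All five conditions must hold for the rule to apply
    return (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)
            and _field_match(rule.proto, pkt.proto)
            and _field_match(rule.sport, pkt.sport)
            and _field_match(rule.dport, pkt.dport))

def filter_packet(rules, pkt, default="accept"):
    """First matching rule decides; a packet matching no rule gets the default."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default

# The lecture's rule: computer 12 may not reach web servers on subnet 3.3.3.0/24
BLOCK_HTTP = [Rule("1.1.1.12", "3.3.3.0/24", 6, ANY, 80, "drop")]
# The fix discussed above: HTTPS on port 443 is web browsing too
BLOCK_WEB = BLOCK_HTTP + [Rule("1.1.1.12", "3.3.3.0/24", 6, ANY, 443, "drop")]
# Constructed TCP SYN packets from the browser's dynamic source port
HTTP_SYN = Packet("1.1.1.12", "3.3.3.35", 6, 48162, 80)
HTTPS_SYN = Packet("1.1.1.12", "3.3.3.35", 6, 48163, 443)
SSH_SYN = Packet("1.1.1.12", "3.3.3.35", 6, 48164, 22)
```

With BLOCK_HTTP alone, HTTPS_SYN falls through to the default and is accepted; BLOCK_WEB drops it while still letting the secure shell SYN through.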
I want to synchronize our sequence numbers. The server sends back a response, a TCP message saying, okay, I acknowledge your synchronize message and, similarly, I want to synchronize with you. So we say a SYN-ACK. And then finally an ACK comes back that acknowledges the SYN from the server, the TCP ACK. This is what we call the TCP three-way handshake, or the TCP connection establishment procedure. We set up a connection before we send any data. Then once we've set up the connection, we send data. This is TCP data. What is the data? It would be an HTTP request. There may be a TCP ACK that comes back. The green one is actually TCP data, but the type of data is a request. And then finally the HTTP response: again TCP data, but normally containing the web page. There may be a final ACK to complete.

So this is commonly the exchange of messages we'll see when we're accessing a website. We first set up a TCP connection from client to server, and that involves sending a SYN message, a special SYN message. There's no data. Getting a SYN-ACK back, which acknowledges the SYN received and SYNs from the other direction. The SYN means synchronize. We actually synchronize the sequence numbers we're going to use in the connection. It also lets the server know we're about to connect. And then a third message, which is the TCP ACK. Those three go together. Then we send data from client to server: the HTTP request for the web page. Maybe there's an ACK saying thank you for the request or the data. Then eventually the web server sends the web page back in an HTTP response, maybe a final ACK. If we drew the secure shell connection, it was a secure shell client connecting to a secure shell server. It would be similar, but not using HTTP messages, using secure shell messages. There would still be a TCP connection set up. Every application that uses TCP would look similar for the first three messages, then some data. When we enable the firewall, what does it drop?
So this is 12 connecting to 35, but now we turn on the firewall with our rule for router RA. Which packet is dropped? Our firewall rule was: if the source is 12, yes. Consider this first packet. Source is 12, true. Destination is on subnet 3.3.3, true; 3.3.3.35 is on that subnet. Destination port is 80, true. Source port is any value, that's true. Transport protocol is TCP. So this first TCP SYN message is the one that is dropped. If the firewall was enabled, the browser sends the TCP SYN, it gets to the firewall, the firewall condition matches, the rule says drop. So the TCP SYN will never get to computer 35, and if the SYN never gets to computer 35, the SYN-ACK is never going to come back. It doesn't know anything about the connection. So in fact the rule only needs to drop the first packet in the connection, and hence we stop the entire connection. It gets a bit more complicated if we want to allow some more packets in. We'll see that next lecture. So just be aware of how the TCP SYN, or the TCP connection establishment, works, because that's going to be useful to see what if we want to do the same but the default action is drop, or maybe even easier. What if we want to have a default action of drop but allow computer 12 to access the servers on network 3?

There's your homework for the next week, as well as your assignment. Write a rule such that instead of stopping 12 from browsing to 3.3.3.0, allow 12 to browse, default drop. Drop everything but allow computer 12 to browse to network 3. See if you can write that rule or rules, and then we'll look at some other examples next week and discuss some of the design issues with firewall table rules. So to summarize, I'll write it for you. I know all of you have a lot of free time, so I'll give you a bit more homework in addition to the assignment. Allow 12 to browse to servers, default drop. Write the rules for that.