Sidebar: TCP/IP Headers
Each packet transmitted across the network has a number of headers. The first is the header determined by the physical transport medium; in this case, that is Ethernet. These headers are not relevant to the firewall.

The second set of headers is the IP header. The IP header contains the source and destination IP addresses, and the firewall code checks these addresses against the specified rules. Besides these addresses, the header also has a TOS (type of service) field, which describes the kind of traffic in the packet. In ftp data traffic, for example, this field will contain the hexadecimal number 8. The TOS field is not used in all packets.

A UDP header does not contain that much information; however, it does specify a source and destination port number. These port numbers are useful when you want to write rules that allow only certain UDP services.

Last but not least, the TCP header has many fields, only a few of which are of interest. Just like the UDP header, the TCP header contains a source and destination port number. It also contains a number of bit fields that the TCP protocol uses to make a TCP connection reliable; these bit fields indicate the state of a packet. Figure 3 shows a simplified description of the TCP protocol, namely how a TCP connection is established. The SYN and ACK labels there denote packets in which the SYN and ACK fields of the TCP header are set. You can specify in your firewall rules whether the SYN and/or ACK fields should be set or cleared. Thus, you can keep anyone on the Internet from initiating a connection to your firewall by stating that the SYN bit may not be set on any packet that reaches your firewall via the Internet interface. Refusing all SYN packets, however, can cause problems with SMTP and ftp services.
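The header walk and the SYN/ACK rule described above, as an added example written for this sidebar (it is not the article's code and not the code of any firewall tool): it dissects the Ethernet, IP, UDP and TCP headers of a constructed frame with Python's struct module and then applies a small rule list in first-match order. The interface names eth0 (Internet side) and eth1, the addresses from the documentation ranges, and the ports are assumptions. The rule that blocks new connections from the Internet matches only the initiating SYN (SYN set, ACK clear), so the SYN/ACK reply to a connection the firewall itself opened still passes, and an explicit SMTP exception shows how to avoid the problem the sidebar mentions.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
TCP_FLAG_SYN, TCP_FLAG_ACK = 0x02, 0x10      # bit positions in the TCP flags byte


@dataclass
class ParsedPacket:
    src_ip: str
    dst_ip: str
    tos: int
    proto: int
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    syn: bool = False
    ack: bool = False


def parse_frame(frame: bytes) -> ParsedPacket:
    """Walk Ethernet -> IPv4 -> TCP/UDP and pull out the fields a filter rule needs."""
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[ETH_HDR_LEN:]                 # the Ethernet header itself is of no interest to the filter
    ver_ihl, tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack_from(
        "!BBHHHBBH4s4s", ip, 0)
    if ver_ihl >> 4 != 4:
        raise ValueError("IP version is not 4")
    ihl = (ver_ihl & 0x0F) * 4               # header length in bytes; 20 when no options are present
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IP header length")
    pkt = ParsedPacket(".".join(map(str, src)), ".".join(map(str, dst)), tos, proto)
    transport = ip[ihl:]
    if proto == PROTO_TCP and len(transport) >= 14:
        pkt.src_port, pkt.dst_port, _seq, _ackn, _off, flags = struct.unpack_from("!HHIIBB", transport, 0)
        pkt.syn = bool(flags & TCP_FLAG_SYN)
        pkt.ack = bool(flags & TCP_FLAG_ACK)
    elif proto == PROTO_UDP and len(transport) >= 8:
        pkt.src_port, pkt.dst_port = struct.unpack_from("!HH", transport, 0)
    return pkt


@dataclass
class Rule:
    action: str                      # "accept" or "deny"
    iface: Optional[str] = None      # None matches any interface
    proto: Optional[int] = None
    dst_port: Optional[int] = None
    syn_only: bool = False           # match only the packet that initiates a TCP connection

    def matches(self, pkt: ParsedPacket, iface: str) -> bool:
        if self.iface is not None and iface != self.iface:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.syn_only and not (pkt.proto == PROTO_TCP and pkt.syn and not pkt.ack):
            return False
        return True


def filter_frame(frame: bytes, iface: str, rules: List[Rule], default: str = "deny") -> str:
    """First matching rule decides; anything unmatched falls through to the default."""
    pkt = parse_frame(frame)
    for rule in rules:
        if rule.matches(pkt, iface):
            return rule.action
    return default


EXTERNAL = "eth0"   # assumed name of the Internet-facing interface
POLICY = [
    Rule("accept", iface=EXTERNAL, proto=PROTO_TCP, dst_port=25, syn_only=True),  # let outsiders open SMTP
    Rule("deny",   iface=EXTERNAL, proto=PROTO_TCP, syn_only=True),   # no other inbound connection attempts
    Rule("accept", iface=EXTERNAL, proto=PROTO_TCP),                  # SYN/ACK and later segments of our own connections
    Rule("accept", iface=EXTERNAL, proto=PROTO_UDP, dst_port=53),     # only DNS over UDP from outside
    Rule("deny",   iface=EXTERNAL),                                   # everything else from the Internet
    Rule("accept"),                                                   # the internal interface is trusted
]


def build_frame(src_ip: str, dst_ip: str, proto: int, sport: int, dport: int,
                tcp_flags: int = 0, tos: int = 0) -> bytes:
    """Constructed test frame: zeroed MACs and checksums, no IP options (checksums are not validated here)."""
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == PROTO_TCP:
        transport = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    else:
        transport = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(transport), 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + transport


if __name__ == "__main__":
    syn_in = build_frame("198.51.100.7", "203.0.113.1", PROTO_TCP, 40000, 80, TCP_FLAG_SYN)
    print(parse_frame(syn_in), "->", filter_frame(syn_in, EXTERNAL, POLICY))
```

Because the rule list is evaluated in order, the SMTP exception has to sit before the general deny of inbound SYNs; reversing those two lines silently turns the exception into dead code, which is the kind of mistake worth checking with a handful of synthetic frames like the ones built here before a policy goes live.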