This is a translation of the german Firewall FAQ, written by Lutz Donnerhacke.
It was translated by Peter Hermanns and may contain errors in grammar and spelling.
If you find errors, either in form and content or linguistic related please write a letter to me.
Which firewall is the best one?

This is a teaser. Best would be to read all the following questions and answers. After you've done that it should be clear which qualities a firewall depends on. The one you choose should depend on your preferences and limiting conditions. The situation is always different.

What is a firewall?

A firewall is an organizationally and technical concept for the separation of networks, its correct implementation and constant maintenance. One piece that's often used is a piece of hardware that connects to networks the way as it's allowed in the concept. This piece of hardware is often called firewall-system/computer or in short firewall.

How does a typical technical implementation of a firewall look like?

First you put a packetfilter between the directly connected networks (network 1 -- packetfilter -- perimeter network -- packetfilter -- network 2). The packetfilters only allow traffic from the directly attached networks. A connection from one network to the not directly attached packetfilter or the other network is strictly forbidden.

The perimeter network is also known as DMZ (Demilitarized Zone). In it there are switching computers for all protocols/services who should work from one net to the other net. Such a switching computer is also known as Proxy, because it works pro procurationem/by proxy (like a secretary). Proxies work on application level, means they understand the communication they handle.

I'm a user. My company has got a firewall, but i have to exchange some data with an associative partner. How can i bypass the firewall?

The security concept of your company wants to prevent you from doing that. If you really need the communication ask your administrator about solutions for your problem. If you bypass the firewall without being allowed to do so your abrogation without notice is justifiable.

I'm a firewall administrator. My boss requires me to execute a designated communication which violates the company's security policy. What do i have to do?

Quit your job. Your work is to prevent such communication. You need the means (LART) to do so. If you don't have the means against someone in any level of hierarchy then you're in a position to be fired. It's your head that falls if something happens. Is your wage high enough to take the risk of not getting a job in the next 10 years? Think about this: the company you work for takes your wages as an insurance premium in case of a mischief.

What is a portscan?

A scan is to find out through extensive try which services a computer offers to the public. A portscan asks about all possible services -- these are 65535 with state and the same amount stateless based on IP -- It's not dangerous, because you don't offer services you don't know. In real life it would be like you're looking at a house. In the internet you "look" with packets, in real life with photons.

A netscan is a complimentary and standardized request of services to a group of computers. In real life it would be the same as looking down a street for an open store.

Like an observer of a house could plan a break in a scan can prepare an attack. But this indicator is really weak.

A scan that goes a bit deeper is a bannerscan. With a bannerscan you contact every public service and detect the server software and it's version number. This is legal, too.

No scan is necessarily a preparation for an attack, nor is it an attack.

I have a "personal firewall" or "desktop firewall" for my personal computer. Is my computer secure?

No. A firewall system without a concept about what to protect is dangerous for the carrier. Without deeper knowledge about such a concept you shouldn't plan and build up such a system.

A desktop-firewall can help you to learn more about your system, but it can't help you being more secure. Better prevent using a desktop-firewall by following the guidelines described in "I have open ports, what are they used for?" and "How can i find out what's happening on my interfaces/network?".

Why can a security solution be dangerous?

man riskcompensation.

Everybody not understanding the effects of a security solution will develop a certain laxity, due to the feeling the system protects him.

Who doesn't think that firewallsystems work, should await questions why he installs such systems.

I installed two desktop-firewalls. Is my computer more secure now?

No, more likely the products interfere the way that new security holes appear.

But my computer is scanned all the time!

Sure? Who cares?

Many of the so called desktop-firewalls report every incoming packet as an attack. This causes panic and a sense of having spent the money the right way. All the people you know cannot live without this protection, too, so you better hurry with calling them ...

In most cases the reported packets are responses to requests you generated by reading a website, getting your email or playing internet games.

With a dialup account and getting a dynamic IP (like with most providers) it's possible to get packets after your dial-in from connections of the predecessor with this IP. It's nothing that's dangerous nor is it an attack.

I recieve packets on wellknown trojan ports!

So what?

If you've got a trojan horse on your computer then you are responsible for the installation. The firewall isn't able to protect you from doing that and it's to late after all.

If you don't have installed a trojan horse the request will be rejected. The firewall does the same so what is the benefit?

But the firewall secures my computer from access to my Windows-shares!

Why are you sharing your harddisk and printers to the entire internet? Why don't you just switch it off?

I heard that someone could access my harddrives without having it shared to the public. Wouldn't a firewall secure me in this case?

You're afraid of crackers (you may call them hackers) because you heared so many rumours. But nobody can do something on your computer with an existing starting point. These starting points could be security holes, backdoors et al. Take care of your system and keep track of all your activity.

A firewall can help, even a desktop-firewall. But only if it's well thought out and maintained. But one question is still there. Why don't you solve the errors in your system? Patches are normally deliverd with the announcement of the security hole.

But the producer of the software doesn't provide patches to fix bugs. So i need a firewall!

You could postulate a regress against the manufacturer of your software, because his product has errors. Only by postulating these pretensions, the manufacturer will learn to deliver service for the money.

On the other side: Why do you buy well known defective technik? If you recognize this error after the purchase you have the possibility of a refund or to give back the product. Making mistakes isn't fatal, but not accepting them is nonexcusable.

Is my desktop-firewall able to block trojans which are installed by accident?

Not necessarily. The trojan could be installed the same way as the firewall. How should the firewall become aware of the trojan then?

I want to configure my firewall the right way, which steps do i have to take?

Deny everything.

If something doesn't work learn what the software needs and why it needs this. Then allow access if you need the software.

Again: Don't allow which isn't by all means necessary.

I had to allow everything, because otherwise Napster won't run anymore!

Deinstall the firewall, you don't need it.

Where can i learn about the protocols and aplications used?

Some sources of information:

Chronological order of what to learn: basics of IP, ICMP, UDP and TCP. After that all protocolls. Start with DNS over UDP (all directions), then telnet. Next is POP3. After that SMTP and HTTP. After FTP you can learn SSH and HTTPS.

Some prefacing remarks and examples can be found at the website of the BSI (in german):

What does all those abbreviations mean?

Most abbrevations are widely used in the internet. Most are defined in the RfC's (Request for Comments --> Internetstandards). The answer to the last question includes an ULR to that. The FU-Berlin has a nice online tool to find acronyms (in german):

How to react in case of an attack!

  1. Is your system compromised in one way or another?

    Goto question number 2

    Switch off your computer from the network and determine the compromising, log it, archive it and unmake the compromise. Then goto question number 2.
  2. Is there a mischief?

    Go on with 3

    Determine the mischief and go on to 3
  3. Can you prefent this "attack" in the future?

    Evaluate alternative solutions. Transcribe those alternative solutions

    Transcribe the sanctions.
  4. Is the expenditure justifiable to complain about it?

    Do nothing.

    Complain about it, find out the responsible ISP.

How do i find out the correct ISP?

whois -h request

As an alternative way you can type in your request in telnet telnet 43

I have open ports, what are they used for?

Most ports have an arranged relevancy, because otherwise nobody could write an application that's independent from the server. contains the actuall list of official declared port-service combinations.

Of course nobody is engaged to use these ports. So if a trojan horse wants to install a service it will use a known port. This way nothing can distinguish the trojan from the "normal" serice at first. Most of the trojan ports were "made" in the last years. They normally have port numbers higher than 1024 and therefore can be opened on a UNIX system without special rights. Every internetservice opens a port this way to be able to communicate. Most trojan horses aren't trojans, but normal remote admisistration utilities who use not assigned port numbers. A general listening to a special port-  means server services -are quite uncommon, for example FTP, Napster, Gnutella, ICQ, ... use the technic of random used ports.

Which programm listens on which port can be found out with lsof -i, which communications are currently active can be found out with netstat -tu and which services are running with netstat -lp. In Windows TDIMon can help you, too:

What protocol/service is XYZ?

There are many protocolls and services. Search the websites of your operating systems or the softwares manufacturer for special protocolls and services. Standard protocolls and services are defined by RfC's:

I get messages that an unknown program wants to open a connection. What can i do?

Reject it. Without further knowledge of the cause you've got to think that your system has been compromised. But be aware that desktop-firewalls most often only deliver the name of the programm which they got as a response to a question to the programm. Or do you believe that trojan horses aren't able to lie? Wouldn't you allow a program named "explorer.exe" the connection to the internet? What about "outlook.exe", "netscape.exe" and so on?

How can i find out what's happening on my interfaces/network?

You can evaluate the logfiles of your desktop-firewall. They aren't that bad for this purpose..

Even though you need a second system to control a possible compromised system it is suggestive to determine the normal operation of your system. On UNIX systems you have tcpdump to observe network traffic. For Windows you can find information here: For a long term observation of your network traffic Snort is worth to have a look at.

What's better? REJECT or DENY?

Reject means an active refuse of a connection attempt with a special ICMP message. The message's content is "The admin doesn't allow this connection" or "service unreachable. The correct form of the message is "port unreachable".

DENY means to throw away the connection attempts. The inquiring computer gets a timeout in this case.

Administrators who bother about script kiddies sometimes believe that they can stop them with DENY. This is wrong. It's possible to start several thousand scans at once and therefore to wait for all timeouts at once. A scanner wont slow down because of this. On the other side you slow down all legitimate users and services. Specifically the IDENT requests.

The ident services gives the administrator of a neat system a help for identifying misbehaving users. DENY has the consequence that this help isn't recorded at other servers. Do you want to hide spammers and script kiddies please use DENY.

Just take it from this point of view:
It's better to say your partner that you're not interested to discuss a special subject (REJECT): Your partner knows from the beginning what's the case and can immediatly decide if he wants to continue the relationship.

If you never talk about a certain subject (DENY) it has two consequences: a) you have to listen to the talking of your partner and this takes your time and b) it takes the time of your partner, because he wanted to tell you something important and would have better done that somewhere else.

Another real life example:
You're walking down the street in your city and a tramp asks you if you can spare some money. You could either say "nope, don't have money" (REJECT) or you could endure the endless mendicancy (DENY).

I'm a firewall administrator. Some users use software which tunnel illicit access through allowed ports. What can i do?

It's almost impossible to provide access to external ressources without giving the chance to tunnel the firewall. You could try to block all targets for those tunnels, but you'll almost always loose this race.

So the only things you can do are the option of LART against your users or the arrangement of so called "white lists", means you can only reach trustworthy servers in the internet. In this case you can't talk about real internet access anymore.

It should be clear in one's mind that it's impossible to solve social problems with the help of technology, regardless how much money you're going to spend on the problem.

netstat shows open ports, but there is nothing running there. What do i miss?

Windows (better netstat for Windows) has a bug. When you establish a TCP-connection from the local system netstat -an shows the sourceport with state listen. But LISTEN in terms of TCP/IP means: here is a server running that accepts TCP connection attempts.
Proto  Local Address           Foreign Address         State      
	tcp       ESTABLISHED 
	tcp  *               LISTEN

Which specialities have to be respected with FTP?

A FTP-connection consists of a command channel, typically to port 21 of the server, and a data channel, typically on port 20 of the server. The direction of the opening of the data channel distinguishs active (from FTP-server to user) and passive (user to FTP-server) FTP.

To show the FTP-server to where he has to open a data connection you send a PORT-command to the server. This command contains the IP address and the port of the users system. The potential risk is obvious. A firewall has to analyse this active FTP, has to retype the PORT command if needed and has to accomodate it's own.

Therefore you should always try to use passive FTP.

Which specialities have to be respected when Netmeeting is concerned?

Netmeeting is an application for the transmission of speach/imaging over packet transporting networks. There are two protocolls used for this:
  • IETF
    • RSVP (ressource management for QoS)
    • SIP (connection establishment)
    • SAP (connection advertising - for public connections)
    • SDP (connection description - for public connections)
    • MGCP (terminal management, successor of SGCP)
    • "skinny" station protocol (original form of MGCP)
    • RTP (speach/image-data stream)
    • RTCP (End-2-End control channel for RTP)
    • Codecs are taken from the ITU-T
  • ITU-T (H.323 protocoll family):
    • H.235 (control channel for security and deduction)
    • H.225 (connection establishment of the signaling system)
      • H.225.0 (signaling as described in Q.931)
      • RAS (call number-, bandwith management)
      • RTP initialising
    • H.245 (connection establishment of speach/image datastream, codec adjustment)
    • H.450 (auxiliary service like uphold, forward, connect, conference)
    • T.120 (other data traffic)
    • RTP (speach/image data stream)
    • RTCP (End-2-End control channel for RTP)
    • Codecs: G.711(a/ulaw), G.729(a)(b), G.723.x, ... (audio), H.26x (video)
Though all protocolls use dynamic addresses from a great range of ports (RTP uses UDP 16384-32767) it's mandatory to read those protocolls on the firewall systems and adjust the rulesets. For Linux you can find at a modul that allows voice-unicast to a service with official IP address, without management of ressources and numbers.

I want to activate another service, but i have problems with the configuration of my packet filter. Where do i get help?

First place to look is the manual of your packetfilter. Is this manual not sufficient ask the support of your local vendor or of the manufacturer. If you're not able to get support on this way then maybe the choice you made was wrong.

For especially obscure problems you can post a message in one of the following newsgroups:

You should pay attention to deliver any protocol descriptions (references to data by URL), an exact explanation of the problem (especially the to be configured packetfilter) and indicate how you tried to solve the problem. Actual workarounds are worth to be mentioned.

It's beneficial to show why a particular service has to be used and in which extent the usage of this service corresponds to your policy. Without this specification the advice to remove the packetfilter is adequate.

How do i configure my system the correct way?

Read the manuals. If they are absent or useless you have an extenuating cause. In the worst case you can assert a recourse.

For some systems there are some websites who encircle the problems:

Why do people in want to take me on a ride? I thought newsgroups are there to help each other?

People who discuss in this newsgroup are well grounded in in the topics in a different level. Newbees meet experts, who are confronted with the same questions over and over again by a never-ending float of beginners.

By and by the experts who read and discuss in this newsgroup for quite some time get fretful, in particular when they see that the questioner doesn't put enough effort in his research to find the answers to his problem(s) on his own. In the end this leads to a sarcastically notation by the experts.

Unintentional the question of a rookie reads like this in the eyes of an expert: "My house is standing at a public street. I don't want people to see my house from the street. I heared that one can see my house with the help of a torch (nmap) even when the sun, moon and street lighting is shut off. How can i protect myself?"

The answer you want to hear is: "There are some really cool OHP transparencies with an imprinting like 'This is not a house.', which you can stick to your windows. Free of charge and extra colorfull are the ones from Zonealarm."

This FAQ should help to keep these unaccomplishable wishes to a minimum or even non-existant i in this newsgroup. It should inspire to think about it.

How do i make myself invisible?

In order to be invisible simply respond with "ICMP - Host/Network unreachable" with the address of your nearest router to every incoming package.

Note: No answer is the same as answering "I'm here and fine.". If you are not there another system will respond with "He's not there". This other system is the nearest router, located at your provider. And if it do so, you weren't connected to the internet.

What's the difference between a hardware and a software firewall?

Almost all hardware firewalls are based on software which runs on selected hardware. The actual advantages of this special hardware are: a) only well tested devices with well tested drivers can be used and b) there is no fault-prone harddisk involved. The first point effaces possible security risks due to dramatically shrinked source code. The second point exalts the uptime.

On the other side software firewalls are more up to date due to higher market pressure and have more features. (sold hardware ties the customers for a longer time.) The drawback is a higher risk of faults in the bigger source code.

Finally there are hardware firewalls without software. These use physical effects. For example: one inch of air is enough to protect a personal computer from network attacks.

I cannot establish a tunnel to other endpoint devices, where do i have to look at?

Is it IPSec or proprietary? If it's IPSec, are the tunnels build by hand or by ISAKMP? If you use ISAKMP, which settings do you use for IKE? Is the communication allowed for UDP packets on the ISAKMP port and permeable for AH/ESP protocols? Are you able to ping?

For mobile users IKE with shared key authentication is widely used. Which parameters are set up? DES/3DES, SHA1/MD5, DH-Group1/2? Is the same shared secret used (possibly called group password) or do you use certificates? Are the IKE-ID's build on names or addresses? Maybe you have to use a peer address (if it's a dynamically assigned address) of or better a netmask.

Can you see the IKE management tunnel? Have you some debugging output? If the management tunnel is established you've almost won.

To be able to configure a client you have to use (not yet standardized) protocols like Uauth (who's the requester?) and mode-config (which IP, DNS, WinS, ... does he get?). Does it fail on these protocols? If yes there is nothing left like building a PPP connection over IPSec. If you want to transmit broadcasts (Windows :-/) you have to use L2TP through the PPP tunnel. And then you're going to spit.

If mode-config succeded you need the IPSec tunnels. There you change ID's first, which define the interesting traffic. This has to fit! Of course the algorithms for the tunnels have to fit, too. Is it transparent or tunnel mode? Only with tunnel mode you can reach whole networks! If you use authentication headers the packets don't have to be altered on their way between the devices. You should start with ESP and a simple cipher. You should avoid AH, because you can build a tunnel more stable with ESP and HMAC.

Native address translation (NAT) is almost always harmfull for IPSec, IKE can fail in this case, because the source port could be wrong.

Thanks to: Lutz Donnerhacke, Stefan Heinecke, Heiko Schlenker, Lars Holste, Felix von Leitner, Jens Hektor, Juergen Ilse, Manfred Koerkel, Urs Traenker and many many more :-)