Key Concepts: Packet Filtering, NAT, Stateful vs. Stateless Filtering, and Application-Layer Firewalls

Understanding the key concepts of firewalling is essential for designing and managing secure networks. This tutorial explores the foundational concepts of packet filtering, Network Address Translation (NAT), stateful vs. stateless filtering, and application-layer firewalls, providing a solid foundation for advanced firewalling techniques.

Packet Filtering

Packet filtering is the core functionality of most firewalls. It involves inspecting individual packets of data and deciding whether to allow or block them based on predefined rules.

How Packet Filtering Works

  • Headers: Packet filtering examines the headers of packets, including source and destination IP addresses, ports, and protocols (e.g., TCP, UDP, ICMP).
  • Rules: Rules define the criteria for allowing or blocking packets. For example, a rule might allow TCP traffic on port 80 (HTTP) but block all other traffic.
  • Direction: Packet filtering can apply to incoming (ingress) or outgoing (egress) traffic.

Example of Packet Filtering

Here’s an example of a packet filtering rule in OpenBSD’s `pf`. One thing to keep in mind: `pf` evaluates its ruleset last-match-wins unless a rule carries `quick`, so the default `block` has to come first and the `pass` after it. Written the other way round, `block all` would be the last match for every packet and nothing would get through.


# Block everything by default (listed first so later matching rules override it)
block all
# Allow inbound HTTP on the interface that holds the default route (the "egress" group)
pass in on egress proto tcp to port 80

Network Address Translation (NAT)

Network Address Translation (NAT) is a technique used to modify IP addresses (and, for port-based NAT, port numbers) in packet headers. NAT is commonly used to let a private network reach external networks, such as the internet, from a single public address. It also hides the internal addressing, but NAT is not access control: an unsolicited inbound packet is dropped only because no translation entry exists for it, and a port-forward rule opens an internal host to the outside regardless of what the filter rules say. Filter rules are still needed alongside NAT.

Types of NAT

  • Source NAT (SNAT): Replaces the source IP address of outgoing packets with a public IP address owned by the firewall, and remembers the mapping so replies can be translated back to the internal host.
  • Destination NAT (DNAT): Replaces the destination IP address (and optionally port) of incoming packets to forward them to internal hosts; a "port forward" on a home router is a DNAT rule.
  • Masquerading: A form of SNAT that uses whatever address the outgoing interface currently has, so the rule does not need rewriting when that address changes (e.g., a home router whose public address comes from DHCP or PPPoE).

Example of NAT

Here’s an example of a NAT rule in Linux’s `nftables`:


table ip nat {
    chain postrouting {
        # priority 100 is the "srcnat" priority: the chain runs after routing,
        # and only the first packet of each connection is evaluated here
        type nat hook postrouting priority 100;
        # Rewrite the source of LAN packets leaving eth0 to eth0's own address;
        # nftables tracks the connection so replies are translated back automatically
        ip saddr 192.168.1.0/24 oifname "eth0" masquerade
    }
}
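
To make the mapping behaviour concrete, here is a small Python model of what masquerade and a DNAT port-forward have to remember per connection. This is an added illustration for this tutorial, not code from it and not how nftables or pf implement NAT internally; the addresses, ports and packet sequence are constructed, and PUBLIC_IP and INSIDE_NET are assumed values.

```python
"""Toy model of source NAT (masquerade) plus a DNAT port-forward table.

Added illustration for this tutorial, not code from it and not how nftables
or pf implement NAT internally. Addresses, ports and the packet sequence are
constructed for the example; PUBLIC_IP and INSIDE_NET are assumed values.
"""
import ipaddress
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.10"                           # assumed: address on the outside interface
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed: the private LAN being masqueraded


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Masquerade:
    """Rewrite inside sources to PUBLIC_IP on the way out and undo it for replies."""

    def __init__(self, first_port: int = 40000):
        self._next_port = first_port
        self._out = {}   # (src, sport, dst, dport, proto) -> public port chosen for that flow
        self._in = {}    # (public port, peer, peer port, proto) -> (inside host, inside port)
        self._dnat = {}  # (public port, proto) -> (inside host, inside port); static port forwards

    def add_port_forward(self, public_port: int, host: str, port: int, proto: str = "tcp") -> None:
        """DNAT: unsolicited traffic to PUBLIC_IP:public_port is handed to host:port."""
        self._dnat[(public_port, proto)] = (host, port)

    def outbound(self, pkt: Packet) -> Packet:
        """SNAT for packets leaving the inside network; anything else passes unchanged."""
        if ipaddress.ip_address(pkt.src) not in INSIDE_NET:
            return pkt
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        port = self._out.get(key)
        if port is None:
            # First packet of a new flow: pick a fresh public port and record
            # both directions so the reply can be mapped back to the inside host.
            port = self._next_port
            self._next_port += 1
            self._out[key] = port
            self._in[(port, pkt.dst, pkt.dport, pkt.proto)] = (pkt.src, pkt.sport)
        return replace(pkt, src=PUBLIC_IP, sport=port)

    def inbound(self, pkt: Packet):
        """Translate a packet arriving for PUBLIC_IP; None means no mapping, i.e. dropped."""
        if pkt.dst != PUBLIC_IP:
            return None
        hit = self._in.get((pkt.dport, pkt.src, pkt.sport, pkt.proto))
        if hit is None:
            # Not a reply to anything we translated. Only a static DNAT entry
            # lets it in, and nothing here inspects it beyond the port number.
            fwd = self._dnat.get((pkt.dport, pkt.proto))
            if fwd is None:
                return None
            host, port = fwd
            # Record the forwarded flow so the server's reply leaves as PUBLIC_IP:dport.
            self._out[(host, port, pkt.src, pkt.sport, pkt.proto)] = pkt.dport
            self._in[(pkt.dport, pkt.src, pkt.sport, pkt.proto)] = (host, port)
            hit = (host, port)
        host, port = hit
        return replace(pkt, dst=host, dport=port)
```

Two inside hosts using the same source port get distinct public ports, a reply is only translated when the peer address and port match the recorded flow, and an inbound packet with no mapping is dropped unless a port-forward exists for it. That last point is the security-relevant one: the forwarded host is exposed to every outside address, so the filter rules, not the NAT table, have to decide who may reach it.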

Stateful vs. Stateless Filtering

Firewalls can operate in stateful or stateless modes, each with its own advantages and use cases.

Stateful Filtering

Stateful filtering tracks the state of active connections and makes decisions based on the connection state. This allows the firewall to recognize and allow related packets, such as responses to outgoing requests.

  • Advantages: Return traffic is admitted only for connections the firewall has seen initiated, so no broad "allow anything from port 80" rule is needed for replies, and TCP sequence and flag checks can be applied per connection. Keeping state costs memory per connection, which is why state table limits and timeouts matter on busy firewalls.
  • Example: Allowing HTTP traffic with stateful filtering in OpenBSD’s `pf`. In current `pf` every `pass` rule keeps state by default, so `keep state` below is explicit rather than required:

pass in proto tcp from any to any port 80 keep state

Stateless Filtering

Stateless filtering makes decisions based solely on the individual packet in front of it, without any memory of earlier packets. It is simpler and cheaper, but replies to outgoing connections have to be matched on header fields alone (source port, TCP flags), and an attacker can set those fields to whatever the rule expects.

  • Advantages: No per-connection memory, so it runs at line rate and cannot have its state table exhausted; typical uses are router ACLs and coarse pre-filtering in front of a stateful firewall.
  • Example: Allowing HTTP traffic with stateless filtering in FreeBSD’s `ipfw`. Because no state is kept, the reply direction needs its own rule, and the only thing that rule can check is the TCP flags: `established` matches any segment with the ACK or RST bit set, which an attacker can set on a packet from source port 80 just as easily as a real web server can:

# Requests to web servers
ipfw add allow tcp from any to any 80
# Replies from web servers: anything from port 80 with ACK or RST set
ipfw add allow tcp from any 80 to any established
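
The difference between the two approaches shows up in how they treat a packet that merely looks like a reply. The Python below runs the same constructed packet trace through a stateless rule set (modelled on the two `ipfw` rules above) and a small connection-tracking filter. It is an added illustration for this tutorial, not code from it and not how `pf` or `ipfw` implement state internally; the addresses, ports and trace are constructed.

```python
"""Return traffic under a stateless ACL versus a connection-tracking filter.

Added illustration for this tutorial, not code from it and not how pf or
ipfw implement state internally. The packet trace, addresses and ports are
constructed; "in" means arriving from the internet, "out" means leaving the
inside network.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "FIN", "RST"}
    direction: str     # "in" or "out"


def stateless_decide(pkt: Packet) -> str:
    """Two rules a stateless ACL needs so inside hosts can browse TCP/80.

    Rule 2 is the weak spot: with no memory of what was sent, the only way
    to admit replies is to trust the header, here "source port 80 and the
    ACK or RST bit set" (what ipfw's `established` keyword checks).
    """
    if pkt.direction == "out" and pkt.dport == 80:
        return "pass"
    if pkt.direction == "in" and pkt.sport == 80 and pkt.flags & {"ACK", "RST"}:
        return "pass"
    return "block"


class StatefulFilter:
    """Admit inbound packets only if they belong to a connection seen leaving."""

    def __init__(self):
        self.state = set()   # (inside host, inside port, peer, peer port)

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.dport == 80 and pkt.flags == {"SYN"}:
                self.state.add(key)        # new connection: create a state entry
                return "pass"
            return "pass" if key in self.state else "block"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state:
            if "RST" in pkt.flags:
                self.state.discard(key)    # peer tore the connection down
            return "pass"
        return "block"                     # no matching state: unsolicited


INSIDE, WEB, ATTACKER = "192.168.1.10", "198.51.100.5", "203.0.113.66"

TRACE = [  # constructed packet sequence
    ("client SYN to web server", Packet(INSIDE, 51000, WEB, 80, frozenset({"SYN"}), "out")),
    ("server SYN-ACK reply", Packet(WEB, 80, INSIDE, 51000, frozenset({"SYN", "ACK"}), "in")),
    ("client ACK, handshake done", Packet(INSIDE, 51000, WEB, 80, frozenset({"ACK"}), "out")),
    ("server data segment", Packet(WEB, 80, INSIDE, 51000, frozenset({"ACK"}), "in")),
    ("unsolicited SYN to ssh", Packet(ATTACKER, 4444, INSIDE, 22, frozenset({"SYN"}), "in")),
    ("ACK probe to ssh from source port 80", Packet(ATTACKER, 80, INSIDE, 22, frozenset({"ACK"}), "in")),
]


def run_trace() -> dict:
    """Return {label: (stateless verdict, stateful verdict)} for the constructed trace."""
    fw = StatefulFilter()
    return {label: (stateless_decide(p), fw.decide(p)) for label, p in TRACE}
```

Both filters agree on the legitimate handshake and on the plain SYN to port 22. They part ways on the last packet: an ACK segment from source port 80 aimed at port 22 satisfies the stateless "established" rule and reaches the inside host, while the stateful filter drops it because no connection from 192.168.1.10:22 to that peer was ever opened. That is the whole argument for tracking state.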

Application-Layer Firewalls

Application-layer firewalls operate at the highest layer of the OSI model, inspecting traffic at the application level (e.g., HTTP, DNS). A packet filter sees a SQL injection attempt as a perfectly normal TCP segment to port 80; an application-layer firewall parses the HTTP request and can reject it on its contents. The caveat is that it must be able to read those contents, so for TLS traffic it has to sit where the connection is terminated (a reverse proxy or the web server itself) or it sees only ciphertext.

Features of Application-Layer Firewalls

  • Deep Packet Inspection (DPI): Examines the contents of packets to detect malicious payloads or protocol violations.
  • Protocol Awareness: Understands specific protocols (e.g., HTTP, FTP) and enforces protocol-specific rules.
  • Web Application Firewall (WAF): Protects web applications by filtering and monitoring HTTP traffic.

Example of Application-Layer Filtering

Here’s an example of using ModSecurity (`mod_security`), a popular WAF engine for Apache and, through its connector, Nginx. The `@rx` operator is case-sensitive, so without a transformation the rule below would miss `SELECT ... FROM`; `t:lowercase` normalizes each argument before the regex runs, and `phase:2` makes the rule run once the request body has been parsed, so `ARGS` covers POST parameters as well as the query string:


# Enable mod_security
SecRuleEngine On
# Block SQL injection attempts: lowercase each argument, then look for select...from
SecRule ARGS "@rx select.*from" "id:1234,phase:2,t:lowercase,deny,status:403,log,msg:'SQL Injection Detected'"

A single signature like this is only a demonstration: it misses many injection forms and fires on ordinary text that happens to contain both words. Real deployments start from a maintained rule set such as the OWASP Core Rule Set rather than hand-written regexes.
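
The effect of those transformations is easy to see by running a few constructed query strings through the rule with and without normalization. The Python below is an added illustration for this tutorial, not ModSecurity's matching engine; its `normalize` function mirrors the intent of `t:lowercase`, `t:urlDecodeUni`, `t:removeComments` and `t:compressWhitespace` in simplified form, and the query strings are made up for the example.

```python
"""How a bare regex WAF rule fares against case changes, extra URL encoding
and ordinary text, and what normalizing the input before matching buys.

Added illustration for this tutorial, not ModSecurity's own engine. The
query strings are constructed; the transformations are simplified versions
of the intent behind t:lowercase, t:urlDecodeUni, t:removeComments and
t:compressWhitespace.
"""
import re
from urllib.parse import parse_qs, unquote

# The rule as written on the page: a case-sensitive search over each argument value.
NAIVE = re.compile(r"select.*from")

# The same idea after normalization, with word boundaries so that
# "selected" or "fromage" do not count as the SQL keywords.
NORMALIZED = re.compile(r"\bselect\b.*\bfrom\b")


def normalize(value: str) -> str:
    """Apply the transformations a WAF would run before the regex."""
    value = unquote(value)                     # second decoding pass (ARGS were decoded once already)
    value = value.lower()                      # case folding, like t:lowercase
    value = re.sub(r"/\*.*?\*/", " ", value)   # drop inline SQL comments
    value = re.sub(r"\s+", " ", value)         # collapse runs of whitespace
    return value.strip()


def check_query(query_string: str) -> dict:
    """Say whether each variant of the rule fires on any argument in the query string."""
    # parse_qs decodes percent-encoding and '+' once, which is what a WAF's ARGS collection holds.
    args = parse_qs(query_string, keep_blank_values=True)
    values = [v for vs in args.values() for v in vs]
    return {
        "naive": any(NAIVE.search(v) for v in values),
        "normalized": any(NORMALIZED.search(normalize(v)) for v in values),
    }


CASES = {  # constructed request query strings
    "plain lowercase": "q=select+*+from+users",
    "upper case": "q=SELECT+*+FROM+users",
    "mixed case": "q=SeLeCt+password+FrOm+users",
    "double URL-encoded": "q=%2553ELECT+*+%2546ROM+users",
    "benign sentence": "q=please+select+a+date+from+the+calendar",
    "benign word forms": "q=selected+items+from+cart",
}


def run_cases() -> dict:
    """Return {label: {"naive": bool, "normalized": bool}} for every constructed case."""
    return {label: check_query(qs) for label, qs in CASES.items()}
```

The naive pattern catches only the lowercase request and lets the upper-case, mixed-case and double-encoded variants through, while still firing on "please select a date from the calendar". Normalization closes the case and encoding gaps, and the word boundaries remove the "selected ... from" false positive, but the benign sentence still trips the rule: a keyword regex cannot tell SQL from English. Whether the second decoding pass is appropriate depends on whether the application itself decodes a second time; decoding more aggressively than the backend does is a source of false positives in its own right.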

Comparison of Key Concepts

Here’s a summary of the key differences between these concepts:

Feature    Packet Filtering                NAT                               Stateful Filtering    Application-Layer Firewalls
Layer      Network/Transport               Network                           Transport             Application
Focus      Headers (IP, port, protocol)    IP address translation            Connection state      Application data
Use Case   Basic traffic filtering         Private-to-public communication   Dynamic connections   Web application security

Conclusion

Packet filtering, NAT, stateful vs. stateless filtering, and application-layer firewalls are foundational concepts in modern firewalling. Understanding these concepts is crucial for designing secure and efficient networks. In the next tutorial, we’ll dive into OpenBSD’s `pf` (Packet Filter) and explore its features, configuration, and use cases. Stay tuned!


2025 dispelled.ca end of file.