[clug] Firewall settings on NetGear modem/router?

Paul Wayper paulway at mabula.net
Sat Jun 27 04:21:46 GMT 2009


On 27/06/09 11:58, Neill Cox wrote:
> Hi Felix,
>
> Unless you are trying to run actual servers on your local network (eg a web
> server for http and https, and a mail server for smtp, pop3 and imap) having
> your firewall allow outgoing traffic should be enough.
>
> If you do need to allow clients on the internet to connect to servers on
> your local machine you are looking for the port forwarding setting on the
> firewall.

It is worth noting here that most firewalls recognise 'established' and
'related' connections, and let them through automatically.  Basically, the
firewall keeps track of what outgoing requests you make - it remembers the
'ID' of the initial packet that your computer sent out (when requesting the
web page, or whatever).  Then, when the return packet comes back, it has the
matching ID and the firewall lets it back in.  All further packets with the
matching ID are similarly let through; when the connection is terminated by
either end the firewall closes that door again.

'Related' connections happen for a few services, most notably FTP.  Your 
computer sends an outgoing request to connect to the server on port 21.  Your 
firewall recognises this and listens into that connection.  When your computer 
and the server have agreed on what file to send they also agree to send the 
data on a separate port.  At this point the firewall has listened to the 
'control' connection on port 21 and knows which port the server is going to 
send data to on your firewall, so that port is opened up for that machine. 
Again, when the control connection is complete (both) the openings in the 
firewall are closed again.

So you shouldn't have to open up incoming connections on any firewall that's 
even vaguely modern in order to do your normal outgoing connections.

If you want to run something like BitTorrent to download the latest Linux
distributions, then you do need to allow certain incoming ports.  This is
because these protocols work by everyone that's got parts of the file talking
to each other - so your computer is talking to others, and others are trying to
connect to yours, to share bits of the file.  Likewise, if you're running a
web server then you would need to open port 80 up because other computers will
be trying to do that first 'initiate' connection to you, and the firewall
won't know about them beforehand otherwise.

Hopefully that all makes sense and clarifies the issue.

Have fun,

Paul
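Added example (not from the list post): a toy model of the stateful behaviour Paul describes. Real connection tracking keys state on the address/port pairs of a connection rather than a packet 'ID', so that is what the model does; the 192.168.1.x LAN prefix, the outside addresses and the packet sequence in `demo()` are constructed for illustration.

```python
from dataclasses import dataclass, field

LAN_PREFIX = "192.168.1."   # constructed: addresses on "our" side of the firewall

@dataclass
class StatefulFirewall:
    """Toy model: state is keyed by (src, sport, dst, dport), not a packet 'ID'."""
    listen_ports: set = field(default_factory=set)  # explicitly opened (port forwards)
    established: set = field(default_factory=set)   # connections we saw initiated
    expected: set = field(default_factory=set)      # (ip, port) 'related' openings

    def filter(self, src, sport, dst, dport, flags="", payload=b""):
        """Return 'ACCEPT' or 'DROP' for one packet and update the state tables."""
        key, reverse = (src, sport, dst, dport), (dst, dport, src, sport)
        if src.startswith(LAN_PREFIX):
            self.established.add(key)           # outgoing: always allowed and remembered
            if dport == 21 and payload.startswith(b"PORT "):
                # active FTP: the helper reads the port we told the server to use
                p = payload.decode().split()[1].split(",")
                self.expected.add((src, int(p[4]) * 256 + int(p[5])))
            verdict = "ACCEPT"
        elif reverse in self.established:
            verdict = "ACCEPT"                  # reply to a connection we opened
        elif (dst, dport) in self.expected:
            self.expected.discard((dst, dport)) # one-shot 'related' opening
            self.established.add(reverse)       # now tracked like any other
            verdict = "ACCEPT"
        elif dport in self.listen_ports:
            self.established.add(reverse)       # server we chose to expose
            verdict = "ACCEPT"
        else:
            verdict = "DROP"                    # unsolicited 'initiate' from outside
        if "FIN" in flags or "RST" in flags:    # either end closes: door shuts
            self.established.discard(key)
            self.established.discard(reverse)
        return verdict

def demo():
    # Walk the scenarios from the post; returns the list of verdicts.
    fw = StatefulFirewall(listen_ports={80})
    return [
        fw.filter("192.168.1.10", 40000, "203.0.113.5", 443, "SYN"),        # web request out
        fw.filter("203.0.113.5", 443, "192.168.1.10", 40000, "SYN,ACK"),    # reply back in
        fw.filter("198.51.100.9", 5555, "192.168.1.10", 22, "SYN"),         # unsolicited
        fw.filter("198.51.100.9", 5555, "192.168.1.10", 80, "SYN"),         # forwarded port
        fw.filter("192.168.1.10", 40001, "203.0.113.7", 21, "ACK",
                  b"PORT 192,168,1,10,156,66\r\n"),                         # FTP control
        fw.filter("203.0.113.7", 20, "192.168.1.10", 40002, "SYN"),         # related data
        fw.filter("203.0.113.5", 443, "192.168.1.10", 40000, "FIN"),        # server closes
        fw.filter("203.0.113.5", 443, "192.168.1.10", 40000, "ACK"),        # door now shut
    ]
```

Running `demo()` gives ACCEPT for the outgoing request and its reply, DROP for the unsolicited connection to port 22, ACCEPT for the forwarded port 80, ACCEPT for the FTP control and related data connections, and DROP once the server has closed the web connection.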

