How a firewall works
A firewall is designed to look at the contents of the packet, specifically the header information, to decide whether the data should be allowed into the system or discarded. The firewall uses the source and destination IP addresses from the header, as well as the port number, to help make this decision. A port number represents an application that runs on the system.
For example, the Web server installed on my system runs at my IP address on port 80. The FTP server I am also running on my system uses my IP address but uses port 21 instead of port 80. If I want to allow the public to see my Web site but not my FTP site, then I configure the firewall to allow information to reach port 80, but not port 21. So each TCP/IP application that is running on your system uses a different port number, which is how data is sent to one application and not the other.
My point is that the firewall also uses the port number to decide whether the data should be allowed into your system. For example, I have a Web site at www.gleneclarke.com, so I had to configure my firewall to allow data destined for port 80 to be allowed in. Now, I don't have an FTP server, so I ensured that the firewall disallows data destined for port 21.
It is important to understand that you don't need to open ports on the firewall unless you are hosting your own servers. For example, you don't need to open ports on the firewall to surf the Internet because most firewalls are built to allow responses to data you requested to come back through the firewall.
To enable the firewall feature in Windows XP, follow these steps:
- Go to your network properties by choosing Start → Control Panel → Network and Internet Connections → Network Connections.
- In the Network Connections window, right-click your LAN connection and choose Properties.
- In the properties of the LAN connection, click the Advanced tab to iew the advanced settings.
You will notice a Windows Firewall section at the top of the screen.
- Click the Settings button to enable the firewall.
- Make sure the firewall is set to On.
- You can also build exceptions for information that is allowed to pass
through the firewall by clicking the Exceptions tab.
On the Exceptions tab, you may select which data is allowed to pass through the network card into the system. You may select an existing application from the list or add a program or port by clicking the Add Program button or Add Port button.
- When you have ensured that the firewall is enabled, click the OK buttons to close the windows.
Creating a DMz
Most companies that want to publish their own Web sites or host other types of servers such as FTP servers or e-mail servers need to allow traffic to reach these types of servers. Placing public servers such as these alongside your private network servers is unrealistic because it means that you need to open the firewall to allow traffic into the network to reach these servers.
Most network administrators create a demilitarized zone (DMz) to hold these servers. A DMz is a network segment between two firewalls where you have allowed selected traffic to reach the servers in the DMz. The DMz is different than your private network because you will not allow any content to come into your private network.