Core Concepts

This guide is intended to teach users how to understand firewall technologies, and how to configure common firewall software in order to enhance the security of their home systems. This guide is a working document and as firewall software evolves we will update our guides accordingly in a timely manner. The terminology used is intended to be as simple as possible, so misuse of basic nomenclature is intended by the authors if it simplifies the topics to help users grasp the basic concepts.

What is a firewall?

Firewalls are software that blocks unwanted network traffic. It stops unwanted transmission of information to and from applications in your device. A firewall is an effective way to prevent software from talking to other devices on your network or on the Internet, while still allowing some applications to fully utilize the Internet.

Ports 

With standard IP networking over the Internet, you have packets that flow in and out of your device. These packets have metadata that includes coded information that tells the destination some basic information about the packet. For example, it helps to differentiate between a webpage you are loading in your browser, and a Windows update that is being installed at the same time. The way that your computer differentiates the data that is going to Windows update and the data that is going to your web browser is port numbers.

Port numbers are numbers between 1 and 65535 that are tagged to packets to identify what they are being used for. Some port numbers are reserved for common functions. For example a packet that is tagged for port 80 is usually for http web browsing, and a packet that is tagged for port 443 is for https web browsing. Some software uses multiple ports to function.

Knowing the port numbers you need to leave open, and closing every port you don't need is a common method of preventing unknown software flaws from being accessed remotely.

TCP and UDP

The two overwhelmingly dominant protocols used for networks and the Internet are the Transport Control Protocol and the User Datagram Protocol. It is important to know if your particular application uses TCP or UDP, as you want to disallow traffic from the protocol that your applications don't use. For example, DNS is UDP port 53. It doesn't use TCP. This means that TCP port 53 can be blocked and web browsing will be unaffected by the firewall.

Advanced Firewalls Featuring Deep Packet Inspection

Firewall technology in the last 5 years has made large leaps, and now consumer firewalls can read packet data (not just metadata) and determine whether the traffic should be allowed to transmit or be received by the software. This technology allows firewalls to determine more advanced behavior such as allowing packets for one application that uses a port, and disallow another application that uses the same port. A good example would be allowing traffic for Mozilla Firefox but blocking all traffic for Internet Explorer, even though both of these applications use ports 53, 80, and 443. More primitive firewall software is unable to distinguish which application is going to use the data, so it was an “everything is allowed” or “nothing is allowed” situation for each port. Deep Packet Inspection (DPI) changed this and now firewalls can allow only certain applications to send and/or receive data on a specific port. DPI enabled firewalls are often called “application layer firewalls” or “web application firewalls”. They do have limitations. A deep packet inspection firewall cannot read encrypted data, only the metadata of encrypted packets.

Other types of firewall configurations

Aside from the firewall configurations above, you can also set firewalls to ignore traffic to or from specific IP addresses and some advanced firewalls can block packets based on keywords or strings of code in the packets. For example, if you wanted to drop all packets that contained the word “sex”.

Blacklists and Whitelists

Blacklists and whitelists refer to the type of blocking that is going on with the firewall. A blacklist is a list of criteria to block. So a blacklist rule on your firewall would block everything in the rule, and allow everything else. A whitelist is the exact opposite behavior. A whitelist rule on your firewall only allows the things specified in the rule, and blocks everything that doesn't meet that rule.

Which Ports need to be closed or opened for a home network?

There are basic ports that computers need for Internet connectivity. These ports allow a computer to get an IP address from a router, send out domain name requests so that your computer can find the IP addresses for websites, and actually allow the data for websites to flow to your PC.

The most critical ports, the ones that you need for basic Internet connectivity, are the following:

UDP port 53 – DNS (Domain Name Service) – This service is required for your device to be able to resolve domain names. This is turning domain names (like https://VikingVPN.com) into IP addresses so your computer knows where to find the web server to fetch the web content.

UDP port 67 and UDP port 68 – DHCP (Dynamic Host Control Protocol) – This service is required for your computer to be able to get an IP address, default gateway, and DNS information from your router. These ports can safely be blocked if you have set up a static network, where addresses are assigned manually and do not change.

TCP port 80 – HTTP (Hyper Text Transfer Protocol) – This service is required in order to be able to actually fetch data from unencrypted websites.

TCP port 443 – HTTPS (Secure Hyper Text Transfer Protocol) – This service is required in order to be able to fetch data for secure websites.