When C3 first sends the IP packet with the initial TCP segment,
the firewall notices that the segment has the SYN bit set. The firewall then
considers the interface on which the packet arrived, in this case the interface
connecting the firewall to the Internet. In firewall lingo, that's called the
outside interface because it's
outside the network that the firewall is trying to protect. The firewall also
notices that the segment has destination port 80, the well-known port for
HTTP.
The firewall then looks at the rules that the network engineer
configured for it. The rules say that HTTP (port 80) traffic from the Internet
(meaning from the "outside") to that web server (IP address 1.1.1.1, on the
inside interface) is indeed
allowed. In other words, clients on the Internet should be allowed to hit
www.fredsco.com because that server is intended for customer use. So, the
firewall passes this packet, records the new connection, and from then on passes
all subsequent packets that are part of this single TCP connection, in both
directions, without checking the rules again.
The firewall uses similar logic to stop packets that should not
be allowed. Imagine that C3 tries to open a browser to go to int.fredsco.com,
one of Fredsco's internal web servers, whose IP address is 1.1.1.2. Figure 18-7 outlines the logic.
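The decision procedure described above, as an added Python example written for this page (it is not code from the book, and it is not how any real firewall is implemented). It models only the facts the text uses: the interface a segment arrived on, its destination address and port, whether the SYN bit is set, and a table of connections already admitted. C3's address (2.2.2.2) and the source ports are assumptions, since the page gives neither; a real firewall also matches on source address and protocol and ages idle connections out of its table.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP segment as the firewall sees it (only the fields the text uses)."""
    iface: str          # interface it arrived on: "outside" (Internet side) or "inside"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    iface: str          # arrival interface the rule applies to
    dst: str            # destination IP address
    dport: int          # destination TCP port
    action: str         # "allow" or "deny"


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        # Connections already admitted, keyed by (src, sport, dst, dport) of the SYN.
        self.connections = set()

    def _lookup(self, pkt):
        """First matching rule wins; no match at all means deny (implicit deny)."""
        for rule in self.rules:
            if (rule.iface, rule.dst, rule.dport) == (pkt.iface, pkt.dst, pkt.dport):
                return rule.action
        return "deny"

    def filter(self, pkt):
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # 1. Part of a connection the firewall already let through? Pass it,
        #    in either direction, without consulting the rules again.
        if forward in self.connections or reverse in self.connections:
            return "allow"
        # 2. Otherwise only a bare SYN (the first segment of a new connection)
        #    may open a new entry, and only if a rule permits it.
        if pkt.syn and not pkt.ack:
            if self._lookup(pkt) == "allow":
                self.connections.add(forward)
                return "allow"
            return "deny"
        # 3. Anything else belongs to no known connection: drop it.
        return "deny"


def fredsco_scenario():
    """Replays both cases from the text. C3's address and ports are assumed values."""
    fw = StatefulFirewall([Rule("outside", "1.1.1.1", 80, "allow")])
    c3 = "2.2.2.2"  # assumed address for C3; the page does not give one
    return {
        # C3 opens a connection to www.fredsco.com: SYN, then SYN/ACK back, then ACK
        "syn_to_www":      fw.filter(Packet("outside", c3, 40001, "1.1.1.1", 80, syn=True)),
        "synack_from_www": fw.filter(Packet("inside", "1.1.1.1", 80, c3, 40001, syn=True, ack=True)),
        "ack_to_www":      fw.filter(Packet("outside", c3, 40001, "1.1.1.1", 80, ack=True)),
        # C3 tries int.fredsco.com: no rule allows it, so the SYN is dropped
        "syn_to_int":      fw.filter(Packet("outside", c3, 40002, "1.1.1.2", 80, syn=True)),
        # A non-SYN segment with no tracked connection is dropped too
        "ack_to_int":      fw.filter(Packet("outside", c3, 40003, "1.1.1.2", 80, ack=True)),
    }


if __name__ == "__main__":
    for name, verdict in fredsco_scenario().items():
        print(f"{name:16} -> {verdict}")
```

Two points worth noticing in the output. The SYN/ACK from 1.1.1.1 arrives on the inside interface and matches no rule, yet it passes because the reverse of its 4-tuple is already in the connection table; that is what "all subsequent packets that are part of this single TCP connection" means in practice. And the request for 1.1.1.2 is dropped not by an explicit deny rule but by the implicit deny at the end of the rule list, which is why the order and completeness of the allow rules matter more than any deny the engineer writes.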