
Before an application can use TCP to send data, TCP creates a TCP connection. The first TCP segment that is used to create a TCP connection sets the SYN flag bit (short for synchronize) to binary 1. TCP headers include a set of flag bits in the header, such as the SYN flag, and those flags are used for functions like this three-way connection establishment. For instance, the second segment has both the SYN and the ACK bits set, which is what TCP defines as the correct flags to be set in the second TCP segment in the three-segment TCP connection establishment flow.
Figure 18-5 shows an Internet-based client (C3) sending a segment with the SYN bit set to http://www.fredsco.com. The firewall, seeing that segment, knows that C3 is initiating the connection. How? Well, the only TCP segment that has the SYN bit set, and only the SYN bit, is the first segment sent between a pair of hosts. So, the first segment in the figure is indeed the first segment of a new TCP connection. To identify who sent the packet, all the firewall has to do is look at the source IP address of the packet. The firewall can also look at the destination IP address to know who's the receiver of the TCP connection; in this case, 1.1.1.1.
Firewalls also need to know what application protocol is in use. Back in Chapter 9, "Choosing Shipping Options When Transporting Goods over the (Network) Roadway," you read about how each server uses a well-known TCP or UDP port number. That way, when a client such as C3 wants to browse the http://www.fredsco.com website, the client can use a destination port number of 80, the well-known port number for HTTP.
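The following Python example, added here and not taken from the book, shows the three pieces of information the text says a firewall reads from a segment (source and destination IP addresses, destination port, and the SYN/ACK flag bits) and how a simple stateful firewall uses them. The packets, the client address 198.51.100.7, the inside network 1.1.1.0/24, the published service list, and the StatefulFirewall class are all constructed for the example; the policy (insiders may start any connection, outsiders may start connections only to published services, and every other segment must match a tracked connection) is a hypothetical one chosen to illustrate the chapter, not a specific product's behavior.

```python
import ipaddress
import struct

# TCP flag bits in the flags byte of the TCP header (RFC 793 bit layout).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_segment(src_ip, dst_ip, sport, dport, flags):
    """Constructed IPv4 + TCP header with no options and no payload.
    Checksums are left at zero; this is sample input, not a real capture."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def parse_segment(pkt):
    """Pull out the fields a firewall inspects: addresses, ports and flag bits."""
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    if pkt[9] != 6:                    # IP protocol number 6 is TCP
        raise ValueError("not a TCP segment")
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "flags": flags}


def handshake_step(flags):
    """Name the handshake step from the control bits, as the chapter describes."""
    ctrl = flags & (TCP_SYN | TCP_ACK | TCP_FIN | TCP_RST)
    if ctrl == TCP_SYN:
        return "SYN"              # first segment: the sender is initiating the connection
    if ctrl == TCP_SYN | TCP_ACK:
        return "SYN-ACK"          # second segment: the server accepting
    if ctrl == TCP_ACK:
        return "ACK"              # third segment, or any later data segment
    return "other"


class StatefulFirewall:
    """Hypothetical stateful firewall: tracks connections by 4-tuple and lets
    outside hosts start connections only to explicitly published services."""

    def __init__(self, inside_net, published):
        self.inside = ipaddress.ip_network(inside_net)
        self.published = set(published)      # {(server_ip, port)} reachable from outside
        self.table = set()                   # 4-tuples of connections seen starting with SYN

    def _is_inside(self, ip):
        return ipaddress.ip_address(ip) in self.inside

    def decide(self, pkt):
        seg = parse_segment(pkt)
        key = (seg["src"], seg["sport"], seg["dst"], seg["dport"])
        reverse = (seg["dst"], seg["dport"], seg["src"], seg["sport"])
        if handshake_step(seg["flags"]) == "SYN":
            # Only a pure SYN starts a connection, so policy is consulted here:
            # who is the sender (source IP) and which service is asked for (dest IP:port).
            if self._is_inside(seg["src"]) or (seg["dst"], seg["dport"]) in self.published:
                self.table.add(key)
                return "allow"
            return "deny"
        # Every other segment must belong to a connection already in the table,
        # in either direction (the server's SYN-ACK travels the reverse tuple).
        if key in self.table or reverse in self.table:
            return "allow"
        return "deny"


if __name__ == "__main__":
    fw = StatefulFirewall("1.1.1.0/24", [("1.1.1.1", 80)])   # web server published on port 80
    c3 = "198.51.100.7"                                        # constructed Internet client
    for flags, src, dst, sp, dp in [(TCP_SYN, c3, "1.1.1.1", 40001, 80),
                                    (TCP_SYN | TCP_ACK, "1.1.1.1", c3, 80, 40001),
                                    (TCP_SYN, c3, "1.1.1.1", 40002, 23)]:
        pkt = build_segment(src, dst, sp, dp, flags)
        print(handshake_step(flags), src, "->", dst, dp, fw.decide(pkt))
```

Run as a script, the first SYN to 1.1.1.1 port 80 is allowed because that service is published, the server's SYN-ACK is allowed because it matches the tracked connection in the reverse direction, and a SYN from the same client to port 23 is denied because nothing on the inside is published on that port.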