If you block all incoming connections, how can you still use the internet?

22

2

If your ISP or firewall is blocking all incoming connections, how can web servers still send data to your browser? You send the request (outgoing) and the server sends data (incoming). If you block all incoming, how can the web server respond?

What about video streaming and multiplayer games, which use UDP? UDP is connectionless, so there is no connection to be established; how will the firewall or ISP handle that?

Kunal Chopra

Posted 2015-03-24T04:12:46.017

Reputation: 569

Block all incoming phone calls / forward all incoming phone calls to voicemail? Doesn't stop you from calling out to someone. – WernerCD – 2015-03-24T12:37:28.010

Answers

43

"Incoming block" means that incoming new connections are blocked, but established traffic is allowed. So if outbound new connections are allowed, then the incoming half of that conversation is okay.

The firewall manages this by tracking connection state (such a firewall is often called a "stateful firewall"). It sees the outgoing TCP SYN and allows it. It sees an incoming SYN/ACK, can verify that it matches the outbound SYN it saw, and lets that through, and so on. If it permits a three-way handshake (e.g., it's allowed as per the firewall rules) it will allow that conversation. And when it sees the end of that conversation (FINs or RST) it'll take that connection off the list of packets to allow.

UDP is done similarly, although it involves the firewall remembering enough to pretend that UDP has a connection or session (which UDP doesn't).

gowenfawr

Posted 2015-03-24T04:12:46.017

Reputation: 1 427

For UDP, since there is no actual connection, the firewall will usually track the destination IP and port of outgoing UDP packets, and if there is an incoming packet with the same IP and port as source it will assume it is a reply and let it in. – WhiteWinterWolf – 2015-03-25T13:16:02.467

17

@gowenfawr has the high-level picture down. However, I thought I'd add some details as to how the "matching" for connection tracking is performed, as it might sound like magic to the uninitiated.

Every TCP connection has a port number on each side. As most techies know, HTTP servers run on port 80. When your browser connects to a web server, it will ask the operating system to generate a "local" port number, which will be something random like 29672 that is not used by any other TCP connection from that computer (and the OS can do this because it knows about all active TCP connections). Then an initial TCP setup packet will be sent from your machine's IP (IP_YOURS) and port number 29672 to the web server's IP (IP_WEBSERVER) and port number 80. At that point, the stateful firewall will say "aha, future packets from IP_WEBSERVER port 80 going to IP_YOURS port 29672 are not new connections, they are responses to an existing connection, and are to be allowed". Stateful firewalls maintain a table, and entries of this table expire eventually if no packets are seen going in either direction for a long time.

Atsby

Posted 2015-03-24T04:12:46.017

Reputation: 270

This is mostly correct, but, as a couple of minor points, port numbers stop at 65535 (they're 16-bit unsigned numbers) and, in addition to the timeout, packets with FIN or RST flags set can also signal that a TCP connection is now closed. – reirab – 2015-03-24T09:32:43.340

@reirab Oh whoops, yeah port number fail. Wrt closing, it would of course be possible to inspect TCP flags, but having to take into account possible packet loss and retransmission of close sequences is complicated enough that I would assume most firewalls simply repurpose the least-recently-used table entry rather than keeping track accurately. – None – 2015-03-24T09:45:48.373

@atsby You can always edit your post and replace the port numbers with something more suitable? – None – 2015-03-24T13:17:52.300

All of this is great information. Just wanted to add one thing to the ports discussed in the comments above. They are called 'ephemeral ports' and their range is defined by the kernel, specific to each OS. On Linux you can get those by "cat /proc/sys/net/ipv4/ip_local_port_range" --- the default range is "32768 to 61000" – Arul Selvan – 2015-03-24T15:58:50.640
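The connection-tracking logic that both answers (and WhiteWinterWolf's UDP comment) describe, as an added example that is not part of this thread: a small Python model of a stateful firewall whose policy is "drop every new inbound connection, allow anything that belongs to a conversation the inside host started". TCP state is driven by the handshake and close flags, UDP gets a pseudo-session keyed on the address/port 4-tuple, and both age out on idle timeouts. The addresses, ports, timeout values and the packet trace in `demo()` are constructed; the state names mirror Linux conntrack but the timeouts are deliberately short so expiry is visible in a short trace.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Table key, normalised so the inside host always comes first regardless of
# packet direction: (proto, inside_ip, inside_port, outside_ip, outside_port)
Key = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    proto: str                            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()   # TCP flags, subset of {"SYN","ACK","FIN","RST"}


# Idle timeout per tracked state, in seconds (constructed, shorter than real conntrack)
TIMEOUTS = {"SYN_SENT": 60, "SYN_RECV": 60, "ESTABLISHED": 300,
            "FIN_WAIT": 120, "TIME_WAIT": 10, "UDP": 30}


class StatefulFirewall:
    def __init__(self, inside_ip: str):
        self.inside_ip = inside_ip
        self.table: Dict[Key, Tuple[str, float]] = {}   # key -> (state, last_seen)

    def _key(self, p: Packet, outbound: bool) -> Key:
        if outbound:
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _expire(self, now: float) -> None:
        # Entries with no traffic in either direction for longer than their timeout go away.
        for k in [k for k, (st, seen) in self.table.items() if now - seen > TIMEOUTS[st]]:
            del self.table[k]

    def filter(self, p: Packet, now: float) -> str:
        """Return 'ACCEPT' or 'DROP' for packet p observed at time `now`."""
        self._expire(now)
        outbound = p.src == self.inside_ip
        key = self._key(p, outbound)
        entry = self.table.get(key)

        if p.proto == "udp":
            if entry is None and not outbound:
                return "DROP"                       # unsolicited inbound datagram
            self.table[key] = ("UDP", now)          # create or refresh the pseudo-session
            return "ACCEPT"

        if entry is None:                           # TCP with no state yet
            if outbound and p.flags == {"SYN"}:     # only an outbound SYN may create state
                self.table[key] = ("SYN_SENT", now)
                return "ACCEPT"
            return "DROP"                           # inbound SYN, or stray packet with no state

        state, _ = entry
        if "RST" in p.flags:                        # abort: drop the entry, let the RST through
            del self.table[key]
            return "ACCEPT"

        new_state: Optional[str] = None
        if state == "SYN_SENT" and outbound and p.flags == {"SYN"}:
            new_state = "SYN_SENT"                  # retransmitted SYN
        elif state == "SYN_SENT" and not outbound and p.flags == {"SYN", "ACK"}:
            new_state = "SYN_RECV"                  # reply matches the SYN we saw
        elif state == "SYN_RECV" and not outbound and p.flags == {"SYN", "ACK"}:
            new_state = "SYN_RECV"                  # retransmitted SYN/ACK
        elif state == "SYN_RECV" and outbound and p.flags == {"ACK"}:
            new_state = "ESTABLISHED"               # handshake complete
        elif state == "ESTABLISHED":
            new_state = "FIN_WAIT" if "FIN" in p.flags else "ESTABLISHED"   # first FIN, either side
        elif state == "FIN_WAIT":
            new_state = "TIME_WAIT" if "FIN" in p.flags else "FIN_WAIT"     # second FIN
        elif state == "TIME_WAIT" and "ACK" in p.flags:
            new_state = "TIME_WAIT"                 # final ACK; entry then ages out quickly
        if new_state is None:
            return "DROP"                           # packet does not fit the tracked state
        self.table[key] = (new_state, now)
        return "ACCEPT"


INSIDE, WEB, OTHER = "192.0.2.10", "198.51.100.80", "203.0.113.7"   # constructed (RFC 5737 ranges)


def tcp(src: str, sport: int, dst: str, dport: int, *flags: str) -> Packet:
    return Packet("tcp", src, sport, dst, dport, frozenset(flags))


def udp(src: str, sport: int, dst: str, dport: int) -> Packet:
    return Packet("udp", src, sport, dst, dport)


def run_trace(fw: StatefulFirewall, events: List[Tuple[float, Packet]]) -> List[str]:
    return [fw.filter(p, t) for t, p in events]


def demo() -> List[str]:
    """Constructed trace: a web fetch, a blocked inbound attempt, a DNS-style UDP exchange, a close."""
    fw = StatefulFirewall(INSIDE)
    events = [
        (0.0, tcp(INSIDE, 29672, WEB, 80, "SYN")),          # ACCEPT: outbound SYN creates state
        (0.1, tcp(WEB, 80, INSIDE, 29672, "SYN", "ACK")),   # ACCEPT: matches the pending SYN
        (0.2, tcp(INSIDE, 29672, WEB, 80, "ACK")),          # ACCEPT: handshake done
        (0.3, tcp(WEB, 80, INSIDE, 29672, "ACK")),          # ACCEPT: server data on the established flow
        (0.4, tcp(OTHER, 40000, INSIDE, 22, "SYN")),        # DROP: new inbound connection
        (0.5, tcp(WEB, 80, INSIDE, 29673, "SYN", "ACK")),   # DROP: right server, wrong local port
        (1.0, udp(INSIDE, 40001, WEB, 53)),                 # ACCEPT: outbound datagram opens pseudo-session
        (1.1, udp(WEB, 53, INSIDE, 40001)),                 # ACCEPT: looks like the reply
        (1.2, udp(OTHER, 53, INSIDE, 40001)),               # DROP: same port, different source IP
        (2.0, tcp(INSIDE, 29672, WEB, 80, "FIN", "ACK")),   # ACCEPT: client starts close
        (2.1, tcp(WEB, 80, INSIDE, 29672, "FIN", "ACK")),   # ACCEPT: server's FIN -> TIME_WAIT
        (2.2, tcp(INSIDE, 29672, WEB, 80, "ACK")),          # ACCEPT: final ACK of the close
        (20.0, tcp(WEB, 80, INSIDE, 29672, "ACK")),         # DROP: TIME_WAIT entry has aged out
        (40.0, udp(WEB, 53, INSIDE, 40001)),                # DROP: UDP pseudo-session expired
    ]
    return run_trace(fw, events)


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

On a real Linux host the same policy is the familiar pair of rules `iptables -P INPUT DROP` plus `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` (or `ct state established,related accept` in nftables); the model above is what the `ESTABLISHED` match is deciding. The simplifications are the ones Atsby's comment alludes to: the model does not track which side sent the first FIN, and it relies on the short TIME_WAIT timeout rather than sequence numbers to clean up after a close.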