
Re: firewalls



mick crane wrote: 
> I've never really understood firewalls. I think the idea is that they don't
> let anything in that wasn't requested but if you go on a website there are
> so many hundreds of scripts looking at this and that who knows what happens.

I notice you didn't ask a question, but I'll answer it anyway.

Near the bottom of the stack of networking is a link layer. For
ethernet and related protocols, that means that there's an
address for each interface -- ethernet calls it the MAC address.

If you build a firewall to intercept at this level, you can stop
traffic from specific local sources. That's it. There are
situations where we do this -- layer 2 firewalling -- but they
aren't very common. 

The next layer up, called layer 3, is IP addressing. IP
connections involve IP addresses and IP subprotocols: UDP, TCP,
and so forth. This is where most firewalls operate. An L3
firewall usually starts with a generic directive to drop all
traffic that it doesn't specifically allow, and then has a list
of what to allow to each or all addresses being protected.

So: you can stop all DNS traffic from Cloudflare, but you can't
drop JavaScript embedded in a web page from Google.

To do that, you need what is generically called an
application-layer firewall, and those are usually set up on
individual machines -- though they don't have to be -- and are
frequently supplied with extensive, rapidly-updated block lists.

Some of them you even run *inside* your web browser: uBlock
Origin, for example. Highly recommended.

-dsr-

P.S. you may be wondering why the numbering goes 2, 3,
"application". This is because:

a) the OSI 7-layer model doesn't actually represent real
   networks in this universe
b) everything above layer 3 is kind of squishy
c) most firewalls are actually reflecting the owner's policies
   in layers 8 and 9 of the 7-layer model: religion and politics.
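The default-deny layer 3 filter described in the reply above, as an added Python illustration (not code from the post or from any real firewall): rules match only on source address, protocol and port, so replies from the Cloudflare resolver can be dropped while an HTTPS response is allowed whatever script it carries. The policy and sample traffic are constructed; 203.0.113.0/24 is a documentation range.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """An inbound packet as a layer 3 filter sees it: address, protocol, port.
    The payload rides along but is deliberately never consulted."""
    src: str
    proto: str           # "tcp" or "udp"
    port: int            # the remote peer's port
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "drop"
    src: str = "0.0.0.0/0"        # CIDR the packet's source must fall in
    proto: Optional[str] = None   # None matches any protocol
    port: Optional[int] = None    # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and self.proto in (None, pkt.proto)
                and self.port in (None, pkt.port))


def l3_verdict(rules, pkt: Packet, default: str = "drop") -> str:
    """First matching rule wins; with no match the default policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed policy: drop DNS replies from the public Cloudflare resolver,
# allow HTTPS replies from anywhere, and let the default drop the rest.
POLICY = [
    Rule("drop", src="1.1.1.1/32", proto="udp", port=53),
    Rule("allow", proto="tcp", port=443),
]

# Constructed sample traffic (hypothetical peers in the 203.0.113.0/24 range).
DNS_REPLY = Packet("1.1.1.1", "udp", 53, b"\x12\x34\x81\x80")
PLAIN_PAGE = Packet("203.0.113.10", "tcp", 443, b"<html><p>hello</p></html>")
SCRIPT_PAGE = Packet("203.0.113.10", "tcp", 443, b"<html><script>track()</script></html>")
SSH_PROBE = Packet("203.0.113.77", "tcp", 22)
```

The two web packets get the same verdict because the filter never reads the payload; telling them apart is the application-layer firewall's job.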
