In order to understand what a router/firewall does, you need to have a general idea of what a network is. I will try to lay out the components of a network in a simple yet honest fashion. Once that has been done, I will try to conceptually break down firewalling.
Let's start with a very general network.

In the network you see above we have one router/firewall and three computers. The router/firewall on this network provides internet access to the three computers below it. Any data (information) that flows to or from your network is referred to as traffic. So when you send an email, traffic is created on your network. The router's primary job is to route the traffic that is flowing to and from your network. We will go over this in more detail later on.
Let's take another look at this general network.

You can see that this network is divided up into two parts. The WAN (Wide Area Network) is represented in this figure by a blue circle. The LAN (Local Area Network) is represented by a green circle. These networks are kept separate by your router. Computers on the WAN (the internet) cannot directly communicate with the computers on the LAN (your network), and computers on the LAN cannot directly communicate with computers on the WAN. When a computer on the WAN wants to communicate with a computer on the LAN, the computer on the WAN must send the data to your router. The router then passes that data on to the computer in your LAN. The same thing is true for a computer on your LAN. When a computer on your LAN wants to send data to a computer on the WAN, it passes the data to the router. The router then sends that data out on the internet. The router needs to know where it is sending the data before it can send it to the right place.
I'm going to talk about MAC addresses and IP addresses. Every device that can connect to the internet has a MAC (Media Access Control) address. The MAC address is sometimes called a physical address. It is called a physical address because every physical component that connects to the internet has one. This makes the MAC address physical, because you can consider it physically labeled on the device. As far as we are concerned the MAC address never changes. Never changing gives it another property that resembles a physical component.
By itself the MAC address is not all that useful, because computers cannot communicate with just a MAC address. They need an IP address as well. The IP address is a set of numbers that is bound to the MAC address. Usually the IP address is bound when the device is turned on. When you boot your computer, it goes on the internet by obtaining an IP address and binding it to the MAC address of your network card. Along with the IP address it also gets the default gateway. The default gateway is the IP address of the router. Now the computer knows how to send information to the internet (through the router), and the router knows how to send information to your computer (to your IP address). One other thing your computer gets when it boots up is a subnet mask. The subnet mask basically tells your computer how many other IP addresses there are in the group of IP addresses it belongs to. If you want to know more about subnets, take a look at our Subnetting page. Well, let's go ahead and assign IP addresses and MAC addresses on our network. I'm going to leave the subnets off. The default gateway for all the computers on this network is the internal IP address of the router.

In the picture above the IP addresses are the numbers that have the 10.0.0.x form. The MAC addresses have the xx-xx-xx-xx-xx-xx form. These are standard forms of MAC addresses and IP addresses. The numbers will be different for every network, but MAC addresses will always have dashes and IP addresses will always have periods. Take note that your router has two IP addresses and two MAC addresses. One of your router's IP addresses is an external IP address, the other is an internal IP address. You can think of these two addresses as doors. The external IP address is a door into your network from the internet. The internal IP address is a door from your network to the internet. When a computer on your network wants to send data to the internet, it actually sends the data to the internal IP address of your router. The router then passes that data out onto the internet. When a computer on the internet wants to send data to a computer on your network, it sends the data to your router's external IP address. The router then decides whether it should send that data on to a computer on your network.
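The subnet mask and default gateway described above decide one thing for every packet a LAN computer sends: is the destination inside my own group of addresses (deliver it directly, to that device's MAC address), or outside it (hand it to the router's internal door). The following Python is an added example, not code from the original page; the addresses in it are constructed to match the 10.0.0.x / xx-xx-xx-xx-xx-xx forms the page uses, since the figure itself is not reproduced here, and a /24 mask of 255.255.255.0 is assumed.

```python
import ipaddress

# Constructed addressing table for the LAN in the figure (assumed values).
# Every host uses the router's internal address as its default gateway.
LAN_HOSTS = {
    "10.0.0.2": "00-11-22-33-44-02",
    "10.0.0.3": "00-11-22-33-44-03",
    "10.0.0.4": "00-11-22-33-44-04",
}
ROUTER_INTERNAL_IP = "10.0.0.1"
ROUTER_INTERNAL_MAC = "00-11-22-33-44-01"
SUBNET_MASK = "255.255.255.0"   # assumed; the page leaves the subnets off


def local_network(host_ip, mask=SUBNET_MASK):
    """The group of addresses host_ip belongs to, as given by its subnet mask."""
    return ipaddress.ip_network(f"{host_ip}/{mask}", strict=False)


def usable_addresses(mask=SUBNET_MASK, host_ip=ROUTER_INTERNAL_IP):
    """How many other addresses the mask leaves room for (minus network and broadcast)."""
    return local_network(host_ip, mask).num_addresses - 2


def next_hop(src_ip, dst_ip, mask=SUBNET_MASK, gateway=ROUTER_INTERNAL_IP):
    """Return (ip, mac) that a LAN host would hand the packet to.

    Inside the subnet the host delivers directly to the destination's MAC;
    outside it, everything goes to the default gateway (the router's internal door).
    A MAC of None means the host knows the address is local but has not yet
    learned which MAC it is bound to (a real host would look it up with ARP).
    """
    if ipaddress.ip_address(dst_ip) in local_network(src_ip, mask):
        if dst_ip == gateway:
            return dst_ip, ROUTER_INTERNAL_MAC
        return dst_ip, LAN_HOSTS.get(dst_ip)
    return gateway, ROUTER_INTERNAL_MAC


if __name__ == "__main__":
    print("usable addresses in the subnet:", usable_addresses())
    for dst in ("10.0.0.3", "10.0.0.1", "93.184.216.34"):
        print(f"10.0.0.2 -> {dst}: hand to {next_hop('10.0.0.2', dst)}")
```

The point to notice is that the LAN hosts never see the router's external address at all: anything outside 10.0.0.0/24 is simply handed to 10.0.0.1, and the router alone decides what to do with it on the WAN side.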
When we set up firewalling we are telling the router which computers (IP addresses) we will allow data to be sent to. We can define rules for data that is coming into our network, and for data that is traveling out of our network.
Firewalling
Generally when you set up a firewall, you want to set it up to block everything coming into your network. Most people don't really care about what is leaving their network, because they are the ones causing the outgoing traffic to be sent. For instance, a virus-free network would almost never catch a virus if it was not plugged into the internet. Viruses come from somewhere, usually infected computers on the internet. So if you prevent those computers from sending you information, you protect your computers from viruses. The same is true for hackers. Prevent access to your network from the internet, and unless you know a hacker, you will never be hacked. So after everything is blocked, we can then go back and allow the traffic that needs to be allowed into the network. Some traffic needs to be allowed into your network, for instance applications that require port forwarding. I'm going to write guides on how to block traffic and allow it through various routers. It has to be done per router, because every router is different. Please keep in mind the concepts presented above. Knowing them will make your configuration go much easier.
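The policy just described (block everything inbound, let outbound through, then punch specific holes with port forwarding) is small enough to write down as a rule evaluator and run against sample packets. The Python below is an added example written for this page, not code from any router or from the original article. It goes one step beyond the text: a router that lets outbound traffic out also has to let the answers back in, so the evaluator remembers which connections the LAN started and admits only their replies. All addresses are constructed (203.0.113.5 stands in for the router's external door, 10.0.0.x for the LAN), and it assumes, for simplicity, that the router keeps a LAN host's source port unchanged on the WAN side.

```python
from dataclasses import dataclass

ROUTER_EXTERNAL_IP = "203.0.113.5"   # constructed external ("door in") address

# Port forwards: traffic that arrives at the external door on this port is
# passed to one chosen LAN host. Everything else inbound stays blocked.
PORT_FORWARDS = {("tcp", 8080): ("10.0.0.3", 80)}


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the WAN, "out" = sent by a LAN host
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Firewall:
    def __init__(self, forwards=PORT_FORWARDS):
        self.forwards = dict(forwards)
        self.sessions = {}    # connections the LAN started -> (lan_ip, lan_port)
        self.blocked = []     # dropped inbound packets, kept for review

    def decide(self, pkt):
        """Return ("allow", lan_ip, lan_port) or ("drop", None, None)."""
        if pkt.direction == "out":
            # Outgoing traffic is allowed; remember it so the reply can come back.
            # Assumption: the router reuses the LAN host's source port on the WAN.
            key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_port)
            self.sessions[key] = (pkt.src_ip, pkt.src_port)
            return ("allow", pkt.dst_ip, pkt.dst_port)

        # Inbound: the only door from the internet is the router's external address.
        if pkt.dst_ip != ROUTER_EXTERNAL_IP:
            return self._drop(pkt)

        # A reply to something a LAN host asked for goes back to that host.
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port)
        if key in self.sessions:
            lan_ip, lan_port = self.sessions[key]
            return ("allow", lan_ip, lan_port)

        # An explicit port forward is the one unsolicited hole we chose to open.
        forward = self.forwards.get((pkt.proto, pkt.dst_port))
        if forward is not None:
            return ("allow", *forward)

        # Default: block everything else coming in.
        return self._drop(pkt)

    def _drop(self, pkt):
        self.blocked.append(pkt)
        return ("drop", None, None)


if __name__ == "__main__":
    fw = Firewall()
    sample = [  # constructed traffic
        Packet("out", "10.0.0.2", 51000, "198.51.100.7", 443),
        Packet("in", "198.51.100.7", 443, ROUTER_EXTERNAL_IP, 51000),   # reply
        Packet("in", "198.51.100.9", 4444, ROUTER_EXTERNAL_IP, 51000),  # not a reply
        Packet("in", "198.51.100.9", 4444, ROUTER_EXTERNAL_IP, 8080),   # forwarded port
        Packet("in", "198.51.100.9", 4444, "10.0.0.3", 80),             # bypasses the door
    ]
    for pkt in sample:
        print(pkt.direction, pkt.src_ip, pkt.dst_ip, pkt.dst_port, "->", fw.decide(pkt))
    print("blocked:", len(fw.blocked))
```

Note that the third packet is addressed to the very same port the LAN host is using, but comes from a different internet address, so it does not match the remembered session and is dropped; matching on the full address pair is what keeps "allow replies" from turning into "allow everything".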