Hi folks, Ed Amoroso here. Now what we're going to do in this video is I'm going to show you how to set up a packet filtering set of rules that will allow web browsing. Let's say outbound, let's say your firewall, you got a bunch of users that work in your company or something, you're the admin. And everybody goes, hey, we want to be able to surf the Internet. And you got a default block rule, so you're going to put rules in to allow somebody to go out to port 80 services. So we're going to have our towers, rule, SIP, DIP, SP, DP, protocol, ACK, direction, action, right? Those are the rules.

So let's look at our first rule. First one is going to be to allow the outbound HTTP SYN packet. Now this is how it works, you need a rule in the packet filter that sees the SYN packet is going out to port 80, right? It's your browser and your user that wants to go out to this web server and you gotta have a rule that allows the packets. So the first packet is going to be looking for allow outbound HTTP. Source IP is in, destination IP is out, right? If you knew the IP address of the website that'd be great, but you probably don't. People want to be able to surf all kinds of things, so you want to be able to just sort of characterize that it's an out IP address. And your packet filter will come with software that will allow you to set up broad ranges of addresses. And a good packet filter will have some shorthand like you see on the screen, where it says Out Address. Source port greater than 1023, that means it's client, destination port 80, protocol TCP, ACK bit 0, it's the first one. Direction is outbound, right? And the action is going to be to allow, okay? That makes sense? So when I see all of this, I've got outbound going out to a web server, we're good.

The second step is the SYN/ACK packet. That's the response packet that's coming back to your user. So, it's an out address. Destination IP is in. The source port is 80, that's coming from the web server. It's hitting your destination port that's greater than 1023. Protocol, TCP, acknowledgement bit now is 1 and now it's an inbound packet coming to you and we're going to allow that. So you see how we let the first packet and second packet, so we're good.

Third one is the ACK that has to go out to the Internet, so it's an in address. Going to destination IP that's out, the source port again is your user greater than 1023, going to port 80, protocol TCP, acknowledge bit 1, direction is outbound. And we're going to allow that. Once you've done that, you've got a session set up. And as long as that ACK bit is set to 1, I have the ability now to transfer data. These rules are going to be sufficient for the three-step TCP handshake and for data to be passing back and forth. It's good news.

Now, notice the first and the third rules here in our little setup. How do they differ? They are exactly the same rule except in one the ACK bit is 0. In the third rule, the ACK bit is 1. So you know that regardless of what the ACK bit is, if all the other fields match, it's going to be an allow. So what you can do is put a new rule in that combines the first and third, puts the star into the ACK field. And you end up with the two rules that you see on the screen there. You see allow outbound with essentially the ACK bit is star. And you see the second rule where the ACK is set to 1.

These two rules in some sense are the canonical framework for how you establish packet filtering rules for services on the Internet. Very powerful concept that you can put a rule in, star in the ACK bit, list the source IP and destination IP, source port, destination port. Set them appropriately with those two rules. And you're in pretty good shape. So from this, we will jump off and do some other types of services in subsequent videos. But I wanted to make sure you saw this, when we focus on HTTP which ultimately is going to be the most important service that we use on the Internet.
So we'll see you in the subsequent video. Thanks.
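
The two combined rules from the transcript, evaluated first-match over a default block, as an added example that is not from the video. It assumes "in" addresses are 10.0.0.0/8; the helper names and sample addresses are constructed for illustration.

```python
# Added example: first-match packet filter with a default block rule.
from dataclasses import dataclass

INTERNAL_PREFIX = "10."  # assumption: "in" addresses are 10.0.0.0/8

@dataclass(frozen=True)
class Packet:
    sip: str
    dip: str
    sp: int
    dp: int
    proto: str
    ack: int          # TCP ACK bit, 0 or 1
    direction: str    # "outbound" or "inbound"

def side(ip):
    """Classify an address as the shorthand 'in' or 'out'."""
    return "in" if ip.startswith(INTERNAL_PREFIX) else "out"

def port_ok(spec, port):
    """spec is '>1023' for client ports, otherwise an exact port number."""
    return port > 1023 if spec == ">1023" else port == spec

# Columns: SIP, DIP, SP, DP, protocol, ACK, direction, action ("*" = any)
RULES = [
    ("in", "out", ">1023", 80, "TCP", "*", "outbound", "allow"),
    ("out", "in", 80, ">1023", "TCP", 1, "inbound", "allow"),
]

def decide(pkt, rules=RULES):
    """Return the action of the first matching rule, else the default block."""
    for sip, dip, sp, dp, proto, ack, direction, action in rules:
        if (side(pkt.sip) == sip and side(pkt.dip) == dip
                and port_ok(sp, pkt.sp) and port_ok(dp, pkt.dp)
                and pkt.proto == proto and ack in ("*", pkt.ack)
                and pkt.direction == direction):
            return action
    return "block"

def handshake(client, server, cport=50000):
    """Decisions for SYN, SYN/ACK and ACK of one outbound HTTP session."""
    syn = Packet(client, server, cport, 80, "TCP", 0, "outbound")
    syn_ack = Packet(server, client, 80, cport, "TCP", 1, "inbound")
    ack = Packet(client, server, cport, 80, "TCP", 1, "outbound")
    return [decide(p) for p in (syn, syn_ack, ack)]

if __name__ == "__main__":
    print(handshake("10.1.2.3", "203.0.113.10"))  # constructed addresses
    # Inbound packet with ACK bit 0 falls through to the default block.
    print(decide(Packet("203.0.113.10", "10.1.2.3", 80, 50000, "TCP", 0, "inbound")))
```

Because the inbound rule requires the ACK bit to be 1, a packet from outside that tries to open a new connection (ACK bit 0) matches neither rule and is blocked by default.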