Hi folks, Ed Amoroso here. Now, to understand packet filtering, there are some basic concepts we have to look at. The way a typical packet filter on a router or on a firewall would work is that you, the user, the administrator, would be presented with a graphical user interface. And all the different components, we call them sometimes columns of information, that you'd have to use to describe or build rules that would dictate whether you're allowing or blocking packets, would be in these respective columns.

So I'm going to show you up on screen here a rule. So typically it would have a rule name in the first column, source IP address, second column, destination IP, source port, destination port. The protocols being used, which we're assuming is TCP, the ACK bit setting, which you know is so important. And an interesting one called the direction of the packet: is it inbound or outbound? Which we'll get to in a minute, and then the action. These are the conditions on which we build rules.

Now the addresses, source IP, destination IP. I'd said in some previous discussions that we've had on, if you've been watching other videos, that these IP addresses are provided by ISPs or by network administrators. And they can either be temporary, we've used the word ephemeral. And these are numbers that typically are going to be greater than 1023. But I want to be a little bit more fine-grained. From, say, 50,000 to 65,000, we call those ephemeral. Those are ones that are going to be very temporary. From 1024 to 50k, call those registered. So we put certain types of not exactly reserved and certainly not ephemeral, but there'll be some services that would belong in there. And then yes, from 0 to 1023, that's where our reserved, well-known servers exist. You can go off and study this a little bit, it's not that important to your understanding of cybersecurity. But I think it is important to your understanding of how routing and things like that work.
If you want to be a network admin, then you gotta dig into that and really understand that logic. But for now we're going to assume greater than 1023 means you're not a reserved address, 1023 and down reserved, fair enough?

The reference architecture that we will use will have, and I've got on the screen there, an in network that we say is trusted, an out network that we say is not trusted. And any packet that's leaving the in network is called outbound. Any packet that's leaving the out network, coming to the in network, is inbound. Do you follow? That's the direction.

Now let's do a couple of very simple rules here that kind of give us some idea of how you might set up some sort of a packet filtering router. Let's say we set up a rule that does something very simple. All it does is it checks to see if a packet has a source IP address that's in, you follow? Source IP address that's in, and the direction of the packet is inbound. Now think about that. If you're saying I'm in, but the direction of the packet is inbound, meaning it's hitting that interface on the router, does that make any sense? It doesn't, that means somebody is lying, it's a spoof. Do you follow? So what would I do? Drop the packet, okay?

Now similarly, if I had a rule that had an out IP address, out source IP address. So it's coming from the Internet and technically it should be inbound, but it's labeled as outbound direction. That makes no sense, right? Both of those cases make no sense. They would be called spoof detection and spoof blocking rules.

All the other whatever you put as the match in those rules, like whatever you put as the condition, won't matter. So a lot of times we'll use a star, or wildcard, to say I don't care what the source port or destination port is. If I've got a packet that's saying I'm already inside, originating inside, and it's coming directionally in, who cares what the source port is? Who cares what the destination port is?
That doesn't make any sense as a packet, you follow?

This is how we develop these rules, this is how we do it, these are our tools. We use columns, we use reference architecture, we do matches on the individual cells in each column. And we can use a wildcard when we don't care what matches. And we can build some very powerful rules.

Now you're going to see in a minute in a subsequent video this idea that we would develop rules that would specifically block something. You'll see later that they don't make a lot of sense because our philosophy is going to be more toward thinking through what we allow, blocking everything else, versus the result. But we'll get to that later.

For now, congratulations on having seen your first packet filtering rules. If you understood that, then you're welcome to the probably 0.1% of people on the Internet who've ever seen a packet filtering rule, and understand how it works. So I hope you've enjoyed that. We'll see you in the next video.
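
The two spoof-blocking rules described in this lecture, written out as an added Python example that is not part of the original video or transcript. The 10.0.0.0/8 "in" network, the sample addresses, and the names `zone`, `Rule`, `evaluate` and `pkt` are assumptions made for illustration; a packet that matches neither rule returns `None`, since the lecture leaves the allow policy to a later video.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: the trusted "in" network is 10.0.0.0/8; every other address is "out".
IN_NET = ipaddress.ip_network("10.0.0.0/8")

def zone(ip):
    """Classify an address as 'in' or 'out' per the reference architecture."""
    return "in" if ipaddress.ip_address(ip) in IN_NET else "out"

@dataclass
class Rule:
    # One field per column from the lecture; "*" is the wildcard (don't care).
    name: str
    src: str = "*"        # "in", "out" or "*"
    dst: str = "*"
    sport: str = "*"
    dport: str = "*"
    proto: str = "*"
    ack: str = "*"
    direction: str = "*"  # "inbound", "outbound" or "*"
    action: str = "drop"

def cell(want, have):
    """A cell matches if it is the wildcard or equals the packet's value."""
    return want == "*" or want == str(have)

def matches(rule, p):
    return (cell(rule.src, zone(p["src"])) and cell(rule.dst, zone(p["dst"]))
            and cell(rule.sport, p["sport"]) and cell(rule.dport, p["dport"])
            and cell(rule.proto, p["proto"]) and cell(rule.ack, p["ack"])
            and cell(rule.direction, p["direction"]))

# Only source zone and direction are constrained; every other column is "*".
SPOOF_RULES = [
    Rule("spoof-in", src="in", direction="inbound", action="drop"),
    Rule("spoof-out", src="out", direction="outbound", action="drop"),
]

def evaluate(p, rules=SPOOF_RULES):
    """Return (rule name, action) of the first matching rule, else None."""
    for rule in rules:
        if matches(rule, p):
            return rule.name, rule.action
    return None

# Constructed sample packet builder; direction is what the router interface saw.
def pkt(src, dst, direction, sport=51000, dport=80, proto="tcp", ack=0):
    return dict(src=src, dst=dst, sport=sport, dport=dport, proto=proto,
                ack=ack, direction=direction)

if __name__ == "__main__":
    print(evaluate(pkt("10.1.2.3", "10.9.9.9", "inbound")))
```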