(Ebook) SmoothWall Basic TCP-IP Networking Guide
Edited by: Guy C. Reynolds
Introduction
This document is designed to introduce non-expert users (particularly those with little or
no previous networking experience) to some of the terminology and principles that it is
useful to understand when it comes to dealing with not just a private network of
computers, but also the larger interconnected series of networks that comprise the
Internet.
Topics that will be discussed in some detail are listed below - the information included in
this document should be sufficient to enable secure configuration of a SmoothWall
system, and hence ensure that the private network that is subsequently connected to the
Internet remains just that - private and secure. If you already know the principles of
networking and how to configure an IP-based network you will find much of the following
information redundant.
Networking principles
To best discuss networking, and TCP/IP networking in particular, it is perhaps best to
take a step back from the details and to briefly consider what a network is, and how it all
works, which is the intent of this first section.
What is a network?
The answer to that is most easily described (in the context of a network of personal
computers) by stating that a computer network is a number of interconnected computer
systems, each able to communicate with one another, and to move and share data
between individual systems, often known as nodes.
In order to be able to communicate between different, independent computer systems,
there has to be an underlying common mechanism in place so that each system can
both talk and listen to other systems. This mechanism can be viewed as a number of
parts:
Hardware
The system (for the remainder of this document it is assumed, unless stated otherwise,
that the system in question will be a PC) has to be able to communicate with the rest of
the network. This can be by means of a piece of cable, infrared or radio waves, or by some
other format that is suited to the rest of the network. So that this becomes possible the
PC has to be able to communicate at a very basic level with the hardware that provides
the interface to the network - this is normally by means of a piece of software called a
driver which provides the necessary code to permit communication.
Protocol
Once a PC has been attached to the network it is necessary to have some form of
common method of communication, or disparate nodes will be unable to understand the
communications passing between them on the network. As an analogy, if you happen to
be fluent in English, French, and German, but end up in the middle of China, your
language skills will not be of much use to you unless you can also find an interpreter who
speaks a language you have in common.
There are a number of protocols that have been, and still are, used in computer network
systems, but we shall only concentrate on IP in this document. Note that the principles of
networking still apply in most cases - only the specifics actually change with the network.
Once a driver has been installed (so that the PC can communicate with the network
interface) a protocol is loaded to allow pieces of data (known as packets) to be sent and
received across the network to and from other systems. In this case the protocol is IP,
and normally TCP/IP.
IP networking
What are IP and TCP/IP?
IP (Internet Protocol) is the standard (or protocol) by which independent remote nodes
communicate with each other across the Internet - it is the foundation upon which the
entire Internet is built, and without it there would be no Internet as we know it today. IP is
in effect a common language by which networked computers can communicate with
one another.
There are, of course, other network protocols that have been specifically designed for a
number of other purposes, but these are typically found only in closed private networks
that do not communicate with other external systems, and as such, are not relevant to
this discussion and so will not be covered. Although in general the same basic principles
of networking are adhered to in these types of networks, not everything will be the same
for non-IP based networks.
There are two additional standard protocols that control exactly how the data traversing
networks using the IP protocol is sent and received - these are known as UDP (User
Datagram Protocol) and TCP (Transmission Control Protocol), but there is no
requirement to know the specific details of either. As might be guessed from the name,
TCP offers more control over the sending and receiving of data than UDP does
because it has some means of error checking built in to the specifications of the protocol
itself. A network that is using the TCP protocol to control the flow of data over an
underlying IP protocol is referred to as a TCP/IP network.
duplication occurs each of your systems will then have a unique address by which it can
be identified.
As mentioned above, there are a number of addresses, or ranges of numbers, that have
been reserved for specific purposes. One of these very purposes is to allow private
networks to use the IP networking system, as it is considered reliable and has a number
of features that make it a useful protocol to implement. Not the least of these is perhaps
the relative ease with which private IP-based networks can subsequently be connected to
other IP-based networks such as the Internet. Hence there are certain ranges of addresses
that should only be used as part of a private network. These are listed below, with a brief
description.
10.X.Y.Z
172.16.X.Y to 172.31.X.Y    where X and Y are each in the range 0-255. This is the series of
                            Class B private network ranges, each of which allows over 65,000
                            different addresses to be assigned.
192.168.X.Y                 where X and Y are each in the range 0-255. These are a range of 256
                            (0-255, as determined by the value of X) Class C private network
                            addresses, each of which allows over 250 different addresses.
For smaller private networks it is conventional to use addresses in the 192.168.X.Y
ranges, and unless there is a need to service larger networks this is a sensible
convention to adhere to.
Now that there exists a means of allocating individual IP addresses to systems on your
private network all that remains to do is to begin the process of giving your systems
unique addresses.
There are some features of the standard IP protocol that mean that an IP-based network
cannot use the entire range of the address space. There are a variety of methods that
can be used to either sub-divide IP networks into smaller, more manageable, chunks, or
to combine a number of smaller networks that use different addresses into a larger,
extended network. These methods take up a small number of addresses in their
implementation - the price to be paid for using a very flexible networking protocol.
It is perhaps easiest to understand some of the terms used by means of examples, and
a variety of sample network layouts including these details are discussed in section
Example IP networks below.
Connecting IP networks
In order that a number of networks can be connected together to allow data to pass from
one to another there needs to be a means to allow the connection of networks with
different addresses. The way this is achieved is to use a system known as a gateway,
which is simply the term for the point of connection between different networks.
By means of devices known as routers, data sent from one network for a system within
another network can be seamlessly passed from one network to another. Each router
contains a series of rules that relate to the addresses of known networked systems, and
each piece (or packet) of data that passes through them is checked against this ruleset
and sent, or routed, appropriately. A gateway and a router perform similar functions, with
a router usually having a more complex set of rules to contend with.
Each router or gateway is configured with a set of rules that determine where network
data, or traffic, is to be sent. Note that it is not necessary for each individual router or
gateway to know about the existence of every other network in the world, but rather just
the local ones that it manages network traffic for. Instead, upstream of the router there
will be a system that has been designated in the router's ruleset as possessing more
information about remote networks. The initial route that is taken for any traffic
designated for an unknown remote network destination is for it to be passed upstream to
the next router. In turn, this upstream router will have information about where to forward
the packet of data, whether that is to a known network local to itself, or to pass it on
again to its upstream router. Since each and every packet of IP traffic contains
information about where it originated from, and where it is being sent to, in addition to
the message data itself, packets can easily be routed across a number of different
networks to reach their final destination. In addition, using the TCP protocol means that
packets need not necessarily be received in the same order that they were sent, so if a
problem in routing the network traffic occurs, an alternative route can be used instead
and the data reassembled at the final destination into the correct order of transmission.
Such a network system is not only robust and well able to deal with temporary failures
or other issues, but also allows a great degree of flexibility.
These are features that have made IP networks the primary choice for most
Network addresses
In order that a network can be found it is assigned what is called the network address. It
is fairly common practice for the gateway into a network to be the next highest numerical
IP address from the network address, but this is by no means necessary. Beyond that,
the highest numerical IP address is reserved for the broadcast address of the network,
and everything else in between is left up to you to assign to your individual systems.
Most network administrators, particularly those in charge of large networks, have a set of
rules by which they assign IP addresses, and perhaps the most common of these is to
reserve a number of addresses at the lower end of the range for use by servers, and for
workstations to use the higher end of the address range, although this is merely
convention.
There is a process known as subnetting a network that allows you to split a range of
addresses into a series of sub-networks for a variety of reasons. In order to do this, there
is a mechanism that prevents traffic from one sub-network from reaching another, unless
it passes through a specific router or gateway, and this is called the network mask, or
netmask. If you have a reason for subnetting your network then you should already know
about netmasks and how they operate, and since a discussion of such is beyond the
intended scope of this document, readers who are interested in pursuing this further
should consult the list of further reading at the end of this document.
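As an added worked example (not part of the original guide), the following Python uses the standard ipaddress module to put the private ranges, network address, broadcast address and netmask described above into practice for the guide's example hosts (Fred on 192.168.1.X, Bugs on 192.168.2.X, Bedrock as the gateway). The function names are my own, and the final case shows what a wrongly configured netmask does, which the text only alludes to.

```python
import ipaddress

# The private ranges the guide lists (RFC 1918), keyed by the notation the guide uses.
PRIVATE_RANGES = {
    "10.X.Y.Z": ipaddress.ip_network("10.0.0.0/8"),
    "172.16.X.Y to 172.31.X.Y": ipaddress.ip_network("172.16.0.0/12"),
    "192.168.X.Y": ipaddress.ip_network("192.168.0.0/16"),
}


def private_range(address):
    """Return the guide's label for the private range that contains address, or None for
    an address outside all three (one that must come from an ISP, not be made up)."""
    ip = ipaddress.ip_address(address)
    for label, network in PRIVATE_RANGES.items():
        if ip in network:
            return label
    return None


def describe_network(address, netmask):
    """Derive (network address, broadcast address, assignable host count) from a host
    address and its dotted netmask, as in the guide's 192.168.1.X example."""
    network = ipaddress.ip_interface(f"{address}/{netmask}").network
    assignable = max(network.num_addresses - 2, 0)   # network and broadcast are not hosts
    return (str(network.network_address), str(network.broadcast_address), assignable)


def next_hop(source, netmask, gateway, destination):
    """Where a host sends a packet: directly to the destination if the netmask places it
    on the same network, otherwise to the gateway (Bedrock in the guide) for routing."""
    local_network = ipaddress.ip_interface(f"{source}/{netmask}").network
    if ipaddress.ip_address(destination) in local_network:
        return destination
    return gateway


if __name__ == "__main__":
    # Constructed walk-through: Fred (192.168.1.10) on network A, Bugs (192.168.2.10)
    # on network B, Bedrock (192.168.1.1) as the gateway between them.
    for addr in ("192.168.1.10", "172.20.5.1", "10.1.2.3", "203.0.113.5"):
        print(addr, "->", private_range(addr) or "not a private range")
    print(describe_network("192.168.1.10", "255.255.255.0"))
    print("Fred -> Barney:", next_hop("192.168.1.10", "255.255.255.0", "192.168.1.1", "192.168.1.20"))
    print("Fred -> Bugs:  ", next_hop("192.168.1.10", "255.255.255.0", "192.168.1.1", "192.168.2.10"))
    # Misconfigured mask: Fred now believes Bugs is local, never hands the packet to
    # Bedrock, and sends it straight onto network A where nobody answers.
    print("wrong mask:    ", next_hop("192.168.1.10", "255.255.0.0", "192.168.1.1", "192.168.2.10"))
```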
The vast majority of firewalls, SmoothWall included, are of the second school of design.
These two types of firewall design are like the security guard that either allows you
access to the guarded building unless you are on a list of undesirables, or prevents you
from entering unless you are already on a list of acceptable people. It is obvious that
the second school of design is inherently more secure.
Example IP networks
To illustrate and clarify the points discussed above it is perhaps useful to discuss a small
number of example networks. To begin with we shall look at a very simple network, and
then move towards slightly more complex situations.
The first example shows a simple closed network of four PCs using one of the private
ranges of IP address, the 192.168.1.X network. Each PC has a unique name and IP
address, and since all addresses are within the same network address range each PC is
visible to every other PC across the network.
In this environment, with no gateway machine, the network address would be
192.168.1.0, and the broadcast address 192.168.1.255. The basic netmask would be
255.255.255.0.
The hosts table for each PC on this network would look something like this:
Fred      192.168.1.10
Barney    192.168.1.20
Wilma     192.168.1.30
Betty     192.168.1.40
Extending the complexity of this network environment a little, by adding a bridge with two
IP addresses, it becomes possible to join this network to a second private network that
uses a different range of IP addresses, in this case the 192.168.2.X network range.
Hence the details of the two networks are as follows:
                          Network Address   Broadcast Address   Gateway Address   Netmask
Network A (192.168.1.X)   192.168.1.0       192.168.1.255       192.168.1.1       255.255.255.0
Network B (192.168.2.X)   192.168.2.0       192.168.2.255       192.168.2.1       255.255.255.0
The hosts file on each system would look something like this:
Bedrock   192.168.1.1
Fred      192.168.1.10
Barney    192.168.1.20
Wilma     192.168.1.30
Betty     192.168.1.40
Looney    192.168.2.1
Bugs      192.168.2.10
Daffy     192.168.2.20
Elmer     192.168.2.30
Porky     192.168.2.40
The third example network involves the connection of a private network to the Internet
through a gateway system, using an IP address on the Internet-facing side of the
gateway that has been supplied by an ISP.
In this case the network details will be as follows: a network address of 192.168.1.0, a
broadcast address of 192.168.1.255, a netmask of 255.255.255.0, and a gateway
address of 192.168.1.1. The gateway will be configured to pass data packets from the
192.168.1.0 network to the network relating to the address allocated by the ISP.
In this example, the gateway system could be a router, a simple gateway, or a firewall,
but the most likely case is a system that is part of each: a firewalled gateway system
that protects the private network behind it from the Internet outside.
The hosts table for this network would be similar to that of the first example, with the
addition of the following two entries:
Bedrock-int   192.168.1.1
Bedrock-ext   ISP assigned address
necessary. The hosts file is stored in a specific location on each PC so that the system
can refer to it when it becomes necessary to translate a name to its numeric address.
On a PC running Microsoft Windows 95/98 the file is simply called hosts and can be found
in the Windows directory, normally found at C:\Windows. On Windows NT or 2000, the
hosts file can instead be found in C:\WinNT\System32\drivers\etc directory (or the
equivalent, if you have Windows installed in a different location). On a Unix-based
system the file can be found at /etc/hosts, and on a Macintosh system the hosts file can
normally be found in System Folder/Preferences.
So that any new systems on the network can be found by each of the existing nodes the
hosts file on each computer has to remain identical and in sync with each other. As the
size and complexity of the network grows, maintaining a hosts file for each and every
system on the network becomes a time-consuming and increasingly error-prone task.
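Added example (not from the guide): a small Python parser for the hosts file format just described (one address followed by one or more names per line, with '#' starting a comment) and a check that reports where one PC's copy has drifted from the master copy, which is the synchronisation problem the paragraph above describes. Both hosts files are constructed samples that reuse the guide's host names; Wilma's stale address and the missing Porky line are invented to show the drift.

```python
import ipaddress

# Constructed sample: the master hosts file on Bedrock, in the real hosts-file format
# (address first, then one or more names; '#' begins a comment). Names are the guide's.
REFERENCE_HOSTS = """\
# Bedrock master copy
127.0.0.1     localhost
192.168.1.1   bedrock bedrock-int
192.168.1.10  fred
192.168.1.20  barney
192.168.1.30  wilma
192.168.1.40  betty
192.168.2.1   looney
192.168.2.10  bugs
192.168.2.20  daffy
192.168.2.30  elmer
192.168.2.40  porky
"""

# Constructed sample: a copy on another PC that was not updated after two changes.
STALE_HOSTS = """\
127.0.0.1     localhost
192.168.1.1   bedrock
192.168.1.10  fred
192.168.1.20  barney
192.168.1.35  wilma        # invented stale address; Bedrock still says 192.168.1.30
192.168.1.40  betty
192.168.2.1   looney
192.168.2.10  bugs
192.168.2.20  daffy
192.168.2.30  elmer
"""


def parse_hosts(text):
    """Parse hosts-file text into a name -> address map. Comments and blank lines are
    ignored, lines without a valid address are skipped, names are case-insensitive and,
    as real resolvers behave, the first mapping seen for a name wins."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            address = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            table.setdefault(name.lower(), address)
    return table


def resolve(table, name):
    """Look a name up the way the system does before it would ask DNS."""
    return table.get(name.lower())


def hosts_drift(reference, other):
    """Report every name in the reference table that the other copy lacks or maps to a
    different address: exactly the entries that would leave that PC unable to find a node."""
    drift = {}
    for name, address in reference.items():
        if name not in other:
            drift[name] = ("missing", address)
        elif other[name] != address:
            drift[name] = ("differs", address, other[name])
    return drift


if __name__ == "__main__":
    master = parse_hosts(REFERENCE_HOSTS)
    print("fred ->", resolve(master, "Fred"))
    for name, detail in hosts_drift(master, parse_hosts(STALE_HOSTS)).items():
        print(f"{name}: {detail}")
```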
Fortunately, though, there is a way around this. By maintaining a single central file that
all other systems can refer to, any new additions to the network can be accounted for in
a single place and you can be assured that any changes or updates to this file will then
be available across the network so that each node becomes aware of the most current
and up to date network configuration. In order to centralise all the information about your
network you will need to operate a DNS (domain name service) server, which serves the
purpose of an address book for the network. Again, the scope of this document is not
intended to cover the setup and maintenance of a DNS system, but interested readers
should look at the section on Further Reading at the end of this document.
A DNS server is considered to be the definitive (and authoritative) source of knowledge
for the network that it contains information about. When a host system on the network
wishes to find another node's IP address so that it can send data to it, it will issue a DNS
query to the local DNS server. The DNS server then looks up the information and returns
the IP address in question to the original host, which can then use this information to
connect to the relevant service on the network. When asked by a host system for
information about systems on other networks that the DNS server has no definitive
source for, the DNS server itself will request this information from a more knowledgeable
source that resides upstream from it. This occurs in a similar fashion to routers that
forward network packets for remote systems to other upstream routers that are external
to the local network to handle. As such, a hierarchical tree-like structure is built up, with
individual servers not always having the necessary information immediately to hand, but
knowing where to ask to find out.
unique name and the address that has been leased in a similar manner to that which a
DNS server allocates addresses. Note that the addresses recorded by a DNS system do
not change without manual intervention and are commonly referred to as static IP
addresses, but those allocated by a DHCP server can easily be different from one hour
to the next, depending on the length of time that the lease is valid for, and hence are
referred to as dynamic IP addresses.
Ports
Data is passed from the originating system to the destination system by the most
appropriate route, depending on the IP address that is contained within the structure of
the packet itself. However, once the packet has arrived at the correct destination, how is
the data contained within that packet transmitted to the correct application running on the
destination system? The answer to this lies in the use of something known as ports.
Each network application or service has its own port that it uses for communication. If
the IP address can be thought of as the postal address of a block of flats, the port is the
correct front door to use for deliveries for a specific flat within that block.
When a network service starts up on a server it attaches (or binds) itself to a specific port
and then listens out on the network for any incoming requests for that particular
service. Ports number from 0 to 65535, with the first 1024 (0-1023) being reserved (or
restricted) for use by particular services. Ports with a number above 1023 are termed
unrestricted (or unprivileged) ports.
In the same way that IP network packets contain information about the source and
destination IP address, they also contain information about the source and destination
port. The source (or local) port is frequently just an unused unprivileged port on the
system that the packet originated from - an unprivileged port is used to ensure that there
are no conflicts with any services that may be running on this system. The destination
port is the port that the data is aiming for when it connects to the relevant service on the
destination system.
When the remote system receives the data packet it confirms receipt by simply swapping
the source and destination IP address and port numbers, so that the destination port of
this new packet is the same as the local port on the initial originating system.
In the event that several simultaneous connections to the same service are initiated by
the same local system, the differences in the local source port numbers enables the
correct data to be passed back from the destination service. The reversal of port
numbers ensures that the combination of both source and destination ports remains
uniquely identifiable.
Since a specific service runs on a known port it therefore becomes possible to connect a
dummy port forwarding service to a given port, and then redirect the traffic that is sent
to that address and port combination to an alternative address/port combination. It is
also possible to run an alternative service and then redirect network traffic as appropriate
- such a system is known either as a proxy or port forwarder, depending on exactly what
happens to the traffic. By seamlessly redirecting traffic from one address/port to
another it is possible to not only centralise services, but also to provide additional
security.
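Added example (not from the guide): a Python model of the source/destination swap on replies and of the "dummy port forwarding service" described above. Packet, PortForwarder and simulate are hypothetical names of mine; the scenario uses the guide's hosts (Fred, Bedrock, Bugs) with constructed port numbers, and shows both how two simultaneous connections from different local ports are kept apart by their source port and that a packet for which no session exists is dropped, which is the "additional security" the text mentions.

```python
from collections import namedtuple

# The addressing information the text says every packet carries, plus its data.
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port payload")


def reply_to(pkt, payload):
    """The receiving system answers by swapping source and destination address and port,
    so the reply's destination port is the originator's local (source) port."""
    return Packet(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, payload)


class PortForwarder:
    """Model of a port forwarder on a gateway: traffic for one address/port is redirected
    to another, and each session is remembered so replies go back to the right source port."""

    def __init__(self):
        self.rules = {}      # (listen_ip, listen_port) -> (target_ip, target_port)
        self.sessions = {}   # (client_ip, client_port, target_ip, target_port) -> listen pair

    def add_rule(self, listen_ip, listen_port, target_ip, target_port):
        self.rules[(listen_ip, listen_port)] = (target_ip, target_port)

    def outbound(self, pkt):
        """Client -> forwarder. Rewrite the destination to the real service; drop anything
        without a matching rule, so nothing is reachable that was not explicitly forwarded."""
        target = self.rules.get((pkt.dst_ip, pkt.dst_port))
        if target is None:
            return None
        self.sessions[(pkt.src_ip, pkt.src_port) + target] = (pkt.dst_ip, pkt.dst_port)
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1], pkt.payload)

    def inbound(self, pkt):
        """Service -> forwarder. Only packets matching a known session are passed back,
        with the source restored to the address/port the client originally used."""
        listen = self.sessions.get((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if listen is None:
            return None
        return Packet(listen[0], listen[1], pkt.dst_ip, pkt.dst_port, pkt.payload)


def simulate():
    """Constructed scenario: Fred (192.168.1.10) opens two simultaneous connections to
    Bedrock's port 8080, which forwards to the web service on Bugs (192.168.2.10:80).
    Returns what each of Fred's local ports receives, and the fate of an unsolicited packet."""
    fwd = PortForwarder()
    fwd.add_rule("192.168.1.1", 8080, "192.168.2.10", 80)
    replies = {}
    for local_port, request in ((40001, b"GET /a"), (40002, b"GET /b")):
        sent = Packet("192.168.1.10", local_port, "192.168.1.1", 8080, request)
        at_service = fwd.outbound(sent)
        answer = reply_to(at_service, b"200 " + request[-2:])   # service echoes the path
        back = fwd.inbound(answer)
        replies[back.dst_port] = (back.src_ip, back.src_port, back.payload)
    stray = fwd.inbound(Packet("192.168.2.10", 80, "192.168.1.10", 40003, b"unsolicited"))
    return replies, stray


if __name__ == "__main__":
    got, dropped = simulate()
    for port, (ip, sport, data) in got.items():
        print(f"Fred local port {port} received {data!r} from {ip}:{sport}")
    print("unsolicited packet passed through:", dropped is not None)
```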
command switch - ping -t <destination address> - this will generate ping packets until
stopped by pressing Ctrl-C.
If the network connection of the destination system is operating successfully you will get
a series of packets sent back, but if you get an error message then you have determined
that there is a genuine fault with the network.
If the connection is dead the next thing to do is to find the cause of the problem and fix it.
The next tool to use in this investigation is traceroute - a tool that maps out the path
taken from the local PC to the remote system.
On a Windows 95/98 PC the command to use is tracert <destination address>; on
Windows NT/2000 and on Unix-based systems the command syntax is traceroute
<destination address>.
This command will illustrate the route taken as a series of hops from one network system
to another in an attempt to reach the requested destination. Note that if you have
difficulties with name resolution you may wish to use the numeric IP addresses rather
than resolving the names. In this case use the -n command line switch on a Unix system,
A good next step is to try these same tests from a different network location in case the
problem is localised to a single section of the network.
The most common problem to encounter is a physical one - a cable with a loose end
may have dropped out of a network card or hub, a cable may have been stepped on or
constricted in some way that prevents the flow of data, or a network card or connector
may have pulled loose from a laptop computer. All of these problems, while often time
consuming to track down the precise location, are straightforward to fix.
More esoteric problems occur with decreasing frequency - experience suggests that the
vast majority of networking problems occurring in a small to medium network result from
a cable or network card failure. Keeping a spare network card available that has been
previously tested, and known to be good, to swap for a suspect card is a good practice
to get into the habit of. If you can standardise on the type of network cards used across
your network then you will be able to swap out a suspect card with great ease, as the
necessary network card drivers will already be in place.
The command telnet <destination address> <port> will attempt to connect to the service
on the specified port. If you obtain a response of some form the chances are the service
is running successfully, but if not, the problem is likely to lie on the server itself.
These suggestions and guidelines above should assist in troubleshooting the majority of
networking problems. If in doubt, especially on Windows systems where the networking
code is known to be occasionally quite unstable, there are few additional problems to be
caused in rebooting the system. Be sure to try and shut down the system cleanly first,
rather than just pressing the reset switch, but 4 times out of 5 if there is an obscure
networking problem a reboot will miraculously fix it.
Further Reading
As the scope of this document is to provide both a basic understanding of the area of
TCP/IP networking and some advice on troubleshooting such a network when problems
occur, there is much in the way of advanced topics that have not been covered. For
those readers who wish to discover more about the subjects of networking and network
services, the following list will provide some useful starting points.
Finally
Searching the web with a search engine such as Google, found at
http://www.google.com/ will turn up a lot of information; one thing the web has plenty of
is information about the way the Internet works.