Firewall pinhole

From Wikipedia, the free encyclopedia

In computer networking, the term firewall pinhole is used to describe a port that is opened through a firewall to allow a particular application to gain controlled access to the protected network.

Leaving open gaps in a firewall exposes the protected system to malicious abuse. A fully closed firewall, however, would also prevent applications from accessing information on the other side of it. It is therefore necessary to open holes in firewalls carefully, keeping them very small and tightly restricted (hence the term pinhole). For best protection, the mechanism that opens the pinhole in the firewall must itself implement some form of validation and security that protects the system behind the firewall.

For firewalls performing a network address translation (NAT) function, the mapping between the {external address, external port} tuple and the {internal address, internal port} tuple is often called a pinhole.

Pinholes can be created manually or programmatically. They can be temporary (created dynamically for a specific duration such as for a dynamic connection) or permanent (such as for signalling functions).

Firewalls sometimes automatically close pinholes after a period of time (typically a few minutes) to minimize the security exposure. Applications that require a pinhole to be kept open often need to generate artificial traffic through the pinhole in order to cause the firewall to restart its timer.
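The following model ties together the three points above: the {external address, external port} to {internal address, internal port} mapping that a NAT firewall calls a pinhole, the distinction between temporary and permanent pinholes, and the idle timer that an application must keep restarting with keepalive traffic. It is an added illustration written for this page, not code from the Wikipedia article or from any firewall product; all addresses, ports and timeouts are constructed sample values, and the class and method names (`PinholeTable`, `open`, `inbound`, `outbound`, `sweep`) are the author's own.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass
class Pinhole:
    internal: Endpoint            # {internal address, internal port}
    external: Endpoint            # {external address, external port}
    remote: Optional[Endpoint]    # peer allowed through the hole; None = any peer (least restricted)
    permanent: bool               # e.g. a signalling port that must never time out
    idle_timeout: float           # seconds of silence after which a temporary hole closes
    last_seen: float              # time of the last outbound packet that refreshed the hole

    def expired(self, now: float) -> bool:
        return not self.permanent and (now - self.last_seen) > self.idle_timeout


class PinholeTable:
    """Toy pinhole (NAT binding) table of a firewall. Time is a plain float so the
    behaviour can be stepped deterministically; a real firewall uses the clock."""

    def __init__(self, external_ip: str = "203.0.113.1", idle_timeout: float = 120.0):
        self.external_ip = external_ip          # constructed public address (RFC 5737 range)
        self.idle_timeout = idle_timeout
        self.by_external: Dict[Endpoint, Pinhole] = {}
        self.by_internal: Dict[Endpoint, Pinhole] = {}
        self._next_port = 40000                 # constructed start of the external port pool

    def open(self, internal: Endpoint, remote: Optional[Endpoint] = None,
             permanent: bool = False, now: float = 0.0) -> Endpoint:
        """Create (or refresh) the pinhole for an internal endpoint and return the
        external {address, port} tuple that peers must send to."""
        existing = self.by_internal.get(internal)
        if existing is not None:
            if not existing.expired(now):
                existing.last_seen = now
                return existing.external
            # Stale entry: drop it before allocating a fresh mapping.
            del self.by_external[existing.external]
            del self.by_internal[internal]
        external = (self.external_ip, self._next_port)
        self._next_port += 1
        hole = Pinhole(internal, external, remote, permanent, self.idle_timeout, now)
        self.by_external[external] = hole
        self.by_internal[internal] = hole
        return external

    def outbound(self, internal: Endpoint, now: float) -> bool:
        """An internal host sends a packet (real traffic or an artificial keepalive):
        this restarts the idle timer. Returns False if no live pinhole exists."""
        hole = self.by_internal.get(internal)
        if hole is None or hole.expired(now):
            return False
        hole.last_seen = now
        return True

    def inbound(self, external: Endpoint, remote: Endpoint, now: float) -> Optional[Endpoint]:
        """A packet from `remote` arrives at an external {address, port}. Returns the
        internal endpoint it is forwarded to, or None if the firewall drops it.
        Only outbound traffic refreshes the timer in this model, so inbound packets
        cannot keep a hole open on their own."""
        hole = self.by_external.get(external)
        if hole is None or hole.expired(now):
            return None  # no such hole, or it silently timed out
        if hole.remote is not None and hole.remote != remote:
            return None  # restricted pinhole: only the expected peer gets through
        return hole.internal

    def sweep(self, now: float) -> int:
        """Garbage-collect expired temporary entries; returns how many were closed."""
        dead = [h for h in self.by_external.values() if h.expired(now)]
        for h in dead:
            del self.by_external[h.external]
            del self.by_internal[h.internal]
        return len(dead)


def scenario() -> dict:
    """Step through the behaviours described in the article using constructed
    addresses from private and documentation ranges."""
    fw = PinholeTable(idle_timeout=120.0)
    phone = ("192.168.1.10", 5060)       # internal endpoint needing a pinhole
    proxy = ("198.51.100.7", 5060)       # the peer it is talking to
    stranger = ("198.51.100.99", 4444)   # unrelated host on the outside
    out = {}

    ext = fw.open(phone, remote=proxy, now=0.0)
    out["mapped_to"] = ext                                          # external tuple handed out
    out["peer_in_time"] = fw.inbound(ext, proxy, now=60.0)          # delivered to phone
    out["stranger_blocked"] = fw.inbound(ext, stranger, now=60.0)   # dropped: wrong peer
    out["silent_expired"] = fw.inbound(ext, proxy, now=200.0)       # dropped: idle > 120 s

    # Re-open the hole and keep it alive with artificial traffic every 60 s.
    ext2 = fw.open(phone, remote=proxy, now=200.0)
    for t in (260.0, 320.0, 380.0):
        fw.outbound(phone, now=t)
    out["kept_alive"] = fw.inbound(ext2, proxy, now=430.0)          # delivered: timer restarted

    # A permanent signalling pinhole is unaffected by the timer.
    sig = fw.open(("192.168.1.20", 5061), remote=None, permanent=True, now=0.0)
    out["permanent_ok"] = fw.inbound(sig, stranger, now=100000.0)   # delivered
    out["swept"] = fw.sweep(now=100000.0)                           # closes only the temporary hole
    return out


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The model refreshes the timer only on outbound packets, which is why the application in the scenario has to send its own keepalives; whether inbound packets also refresh a binding varies between firewalls, so an application cannot rely on the peer's traffic to keep a hole open.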

See also