Firewall pinhole

From Wikipedia, the free encyclopedia

In computer networking, the term firewall pinhole identifies a port that is opened through a firewall to allow a particular application to gain controlled access to the protected network.

Leaving open gaps in a firewall exposes the protected system to malicious abuse. Obviously, a fully closed firewall would prevent applications from accessing information on the other side of the firewall. Thus it is necessary to carefully open "holes" in firewalls - very small and restricted holes (hence the term pinhole). For best protection, the mechanism for opening the pinhole in the firewall must implement some form of validation and security that will protect the system behind the firewall.

For firewalls performing a network address translation (NAT) function, the mapping between the {external address, external port} tuple and the {internal address, internal port} tuple is often called a pinhole.

Pinholes can be created manually or programmatically. They can be temporary (created dynamically for a specific duration such as for a dynamic connection) or permanent (such as for signalling functions).

Firewalls sometimes automatically close pinholes after a period of time (typically a few minutes) to minimize the security exposure. Applications that require a pinhole to be kept open often need to generate artificial traffic through the pinhole in order to cause the firewall to restart its timer.
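To make the idle-timeout and keepalive behaviour concrete, here is a small Python model of a NAT pinhole table; it is an added example, not code from the article, and the addresses, ports, 120-second idle timeout and keepalive intervals are constructed values.

```python
from dataclasses import dataclass

# Constructed model of a NAT firewall's pinhole table (not from the article).
# Keys are {external address, external port}; values hold the mapped
# {internal address, internal port} and the time traffic last crossed the hole.

@dataclass
class Pinhole:
    internal: tuple        # (internal address, internal port)
    last_seen: float       # seconds; restarts the idle timer on every packet
    permanent: bool = False  # e.g. a signalling pinhole that never expires

class PinholeTable:
    def __init__(self, idle_timeout: float):
        self.idle_timeout = idle_timeout  # "a few minutes" on real firewalls
        self.table: dict[tuple, Pinhole] = {}

    def open(self, external, internal, now, permanent=False):
        self.table[external] = Pinhole(internal, now, permanent)

    def expire(self, now):
        # Temporary pinholes close once no traffic has used them for idle_timeout.
        for ext, hole in list(self.table.items()):
            if not hole.permanent and now - hole.last_seen >= self.idle_timeout:
                del self.table[ext]

    def lookup(self, external, now):
        # Called per inbound packet: drop stale entries, then translate.
        # A match counts as traffic and restarts the timer, which is what
        # an application's artificial keepalive traffic relies on.
        self.expire(now)
        hole = self.table.get(external)
        if hole is None:
            return None  # no pinhole: the firewall drops the packet
        hole.last_seen = now
        return hole.internal

def simulate(keepalive_interval, idle_timeout=120.0, duration=600.0):
    """Is a temporary pinhole still open after `duration` seconds when the
    application sends a keepalive every `keepalive_interval` seconds
    (None = no keepalives)?"""
    fw = PinholeTable(idle_timeout)
    ext, internal = ("203.0.113.10", 40000), ("192.168.1.20", 5060)
    fw.open(ext, internal, now=0.0)
    if keepalive_interval is not None:
        t = keepalive_interval
        while t <= duration:
            fw.lookup(ext, now=t)
            t += keepalive_interval
    return fw.lookup(ext, now=duration) is not None
```

Keepalives only help when they arrive more often than the idle timeout: `simulate(30.0)` keeps the pinhole open, while `simulate(None)` and `simulate(200.0)` both find it closed.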

See also