Firewall pinhole
In computer networking, the term firewall pinhole is used to describe a port that is opened through a firewall to allow a particular application to gain controlled access to the protected network.

Leaving open gaps in a firewall exposes the protected system to malicious abuse. Obviously, a fully closed firewall would prevent applications from accessing information on the other side of the firewall. Thus, it is necessary to carefully open holes in firewalls that are very small and restricted (hence the term pinhole). For best protection, the mechanism for opening the pinhole in the firewall must implement some form of validation and security that will protect the system behind the firewall.

For firewalls performing a network address translation (NAT) function, the mapping between the {external address, external port} tuple and the {internal address, internal port} tuple is often called a pinhole.

Pinholes can be created manually or programmatically. They can be temporary (created dynamically for a specific duration such as for a dynamic connection) or permanent (such as for signalling functions).

Firewalls sometimes automatically close pinholes after a period of time (typically a few minutes) to minimize the security exposure. Applications that require a pinhole to be kept open often need to generate artificial traffic through the pinhole in order to cause the firewall to restart its timer.
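The NAT mapping and the idle-timer behaviour described above, as an added example that is not part of the original article: a constructed model of a pinhole table in which outbound traffic opens a pinhole keyed by the external tuple, inbound packets are forwarded only when a matching pinhole exists, idle pinholes expire, and keepalive traffic restarts the timer. The class, port range and timeout value are assumptions for illustration, not taken from any real firewall.

```python
from dataclasses import dataclass

# Constructed model of a NAT firewall's pinhole table (example code, not from
# any real firewall). Each pinhole maps the {external address, external port}
# tuple to the {internal address, internal port} tuple that opened it; idle
# pinholes close automatically and any traffic through one restarts the timer.
IDLE_TIMEOUT = 120.0  # seconds; real firewalls commonly use a few minutes

@dataclass
class Pinhole:
    internal: tuple     # (internal address, internal port)
    external: tuple     # (external address, external port)
    expires_at: float   # time at which the pinhole closes if still idle

class NatPinholeTable:
    def __init__(self, external_addr, idle_timeout=IDLE_TIMEOUT):
        self.external_addr = external_addr
        self.idle_timeout = idle_timeout
        self._next_port = 40000   # next external port to hand out
        self._by_external = {}    # external tuple -> Pinhole
        self._by_internal = {}    # internal tuple -> Pinhole

    def _expire(self, now):
        # Close every pinhole whose idle timer has run out.
        for ext, ph in list(self._by_external.items()):
            if ph.expires_at <= now:
                del self._by_external[ext]
                del self._by_internal[ph.internal]

    def outbound(self, internal, now):
        """Internal host sends: open or refresh its pinhole, return external tuple."""
        self._expire(now)
        ph = self._by_internal.get(internal)
        if ph is None:
            ph = Pinhole(internal, (self.external_addr, self._next_port), 0.0)
            self._next_port += 1
            self._by_external[ph.external] = ph
            self._by_internal[internal] = ph
        ph.expires_at = now + self.idle_timeout   # traffic restarts the timer
        return ph.external

    def inbound(self, external, now):
        """Outside packet for an external tuple: internal tuple to forward to,
        or None when no open pinhole exists and the packet is dropped."""
        self._expire(now)
        ph = self._by_external.get(external)
        if ph is None:
            return None
        ph.expires_at = now + self.idle_timeout
        return ph.internal
```

Running a sequence of outbound, inbound and keepalive packets with increasing timestamps shows the pinhole staying open only while traffic keeps refreshing it, and an unsolicited inbound packet to an unmapped port being dropped.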
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.