Role-playing game pt. 2: help Santa set up firewalls

Intro

We did a role-play game  last month at CoderDojo Bruges (see the previous blogpost). The game lets children explore how Saint Nicholas could send packets through the internet. Introducing concepts such as browser, DNS, IP address, router, web server, and HTTP verbs.

This month we did a short follow-up activity, focusing on what could go wrong. With a little twist: instead of Saint Nicholas, it was about Santa Claus. 🎅✨

Here’s a general outline of our session:

- Coach: What does your computer do when it receives a response from a web server?
---- Kid: It shows it in my browser?

- Coach: But how does it know in which tab or browser window to show it, if you have multiple opened?
---- Kid: Uhmm…

- Coach: It does so by using ports. We already learned that IP packets contain IP addresses. But they also contain ports. The combination of an IP address and a port number is called a socket. And usually, it’s written separated by a colon, e.g., 122.232.12.32:52281.

Ports
Ports are everywhere throughout online applications

Introducing firewalls and ACLs

From here on, there followed a monologue introducing a few necessary concepts:

The reason I introduce you to this is that understanding this helps you to make the internet safer. Packets are arriving at our computer all the time. Usually, with good intentions, but some also with bad intentions.

How do we know which ones we can trust? Well, it’s hard to know.

If we know about bad people, we can block their IP addresses. If someone sends us too many packets, we can do the same. And now that we know about ports, we can close all those on which we don’t want to receive messages.

Allowing or denying packets to enter our network is done with a firewall. All it takes is to write down the rules in its Access Control List.

ACL
ACL: Access Control List

Challenge: protect Santa from the villain

Challenge
The challenge

And we finished with a challenge that we solved together:

Let’s help protect Santa Claus with our knowledge about ports, sockets, firewalls, and Access Control Lists.

  • Santa should be able to receive requests from you and all the other children of the world. But not from the villain.
  • You only want to receive packets from Santa. But not from the villain who wants to overwhelm you with empty packets so that Santa wouldn’t be able to reach you. (a Denial Of Service-attack)
  • Your IP is 122.132.123.12, Santa’s IP is 155.13.12.6, the villain’s IP is 143.28.12.24. Santa’s web server only listens to ports 80 and 443.
ACL of your network
ACL of your network

On our firewall, we’ll DENY all inbound packages. We’ll make an exception to that rule for packages from Santa that are intended for us.

ACL of santa
ACL of Santa

On Santa’s firewall, we’ll also DENY all inbound packets. We’ll make an exception to ALLOW all packets intended for Santa on ports 80 and 443. But we’ll make an exception again and DENY all packets coming from the villain.

Ta Dumm, we made the internet a bit safer again for Santa and for us. Thanks, firewalls!