I read on this page that in TCP ACK bit filtering, only packets with the ACK bit set are allowed into a network, so that the firewall knows that those packets were requested by users within that network.
Okay, so I know that the ACK bit is set for TCP acknowledgement packets. But what else is it used for? What if users on the local intranet are requesting web pages? Will the ACK bit be set for the HTTP responses that contain the web pages requested by the users of the network? They would have to, or else the packets would be dropped by the firewall.
But HTTP and TCP work at completely different layers, so it doesn't make sense that TCP would be able to set the ACK flag for HTTP. I mean, how would it know that the packets are HTTP responses? But that's the only way I can think of that users on the local network would be able to use web services outside the network, because otherwise, the only thing the firewall would let into the network would be TCP acknowledgement packets, which are basically useless to the end user.
Can someone help me understand this? I'm very confused.
EDIT: I think my confusion stemmed from a misunderstanding of how TCP works. I thought that a separate TCP session was maintained for each message sent from one host to another, i.e. one TCP session for the HTTP request and another TCP session for the HTTP response. If this were the case, the ACK flag would not be set for the HTTP response packets, and they would be dropped. In fact, basically no useful application layer communication would be allowed into the network if this were the case. Thanks to this article, I now understand that a single connection is maintained for the entire session, including the request and the response.
Best Answer
While ACK packets may not contain any useful data, the packets themselves are extremely useful. The ACK packet tells the other side of the connection "I received the data you sent and I'm ready for more." If the ACK is not received due to packet loss, a firewall blocking it, or any other reason, the connection sender of the ACK will keep resending that same ACK until the other side sends more data.
Now let's take a step back and discuss the Web server scenario you mentioned.
After the three way handshake completes the client will sends a request for a page. This would contain "useful" data because it tells the server what page the client wants. The server then sends an ACK to let the client know the request has been received. The server then sends back data packets which contain the requested page. The client then sends an ACK or ACKs to let the server know it has received all of the data which was sent.
Note that all of the above took place on a single TCP connection. In other words, both parties can send and receive data over the one connection, they do not need one each.
Finally, just an FYI, blocking traffic based on a TCP flag for security purposes is almost as weak as blocking on port numbers. The reason being that malicious users can craft packets any which way they like so sending all packets with the ACK bit set is no trouble at all. If you're interested in reading more about this take a look at Scapy.