These only permit selected traffic to pass
between the "inside" and "outside" networks.
The decision to forward a packet or to discard it is made by
looking into its protocol headers, usually at either the IP source
or destination address. The TCP or UDP port numbers in the packet
can also be used.
TCP (and UDP) level filtering is more complex, and requires the
firewall router to keep much more "state" information. For example,
a particular site may allow outgoing TCP
connections for some services (i.e., port numbers), but prohibit most
incoming TCP connections. This can be achieved by
examining the ACK bit in the TCP header: it is cleared in the first
connection request segment, and is set in all subsequent
segments.
For example, the La Trobe University "gateway" router is
configured to block outgoing port 80 (HTTP) connections, thus
forcing Web users within the University to use the caching proxy server. At Nilai College, where this unit
is also offered, outgoing HTTP (port 80) connections are permitted
and most other services are blocked at the gateway router.
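The ACK-bit rule and the per-port policy described above, worked through as an added example (not code from the course notes or from either university's router). It assumes IPv4 headers without options, a direction flag supplied by whichever interface the packet arrived on, and a hypothetical policy that blocks outgoing port 80 as in the La Trobe configuration.

```python
"""Stateless packet filter using the TCP ACK bit, as in the notes above.

Assumptions (not from the original text): IPv4 without options, TCP only,
and an illustrative policy table passed in by the caller.
"""
import struct

ACK = 0x10
SYN = 0x02


def parse_ipv4_tcp(pkt):
    """Return (src_ip, dst_ip, proto, src_port, dst_port, tcp_flags)."""
    ihl = (pkt[0] & 0x0F) * 4             # IP header length in bytes
    proto = pkt[9]
    src_ip = ".".join(str(b) for b in pkt[12:16])
    dst_ip = ".".join(str(b) for b in pkt[16:20])
    if proto != 6:                        # not TCP: no port/flag fields
        return src_ip, dst_ip, proto, None, None, None
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13]                 # flags byte of the TCP header
    return src_ip, dst_ip, proto, sport, dport, flags


def decide(pkt, direction, blocked_outgoing_ports=frozenset()):
    """Return 'forward' or 'discard'; direction is 'out' (inside->outside) or 'in'."""
    _, _, proto, _, dport, flags = parse_ipv4_tcp(pkt)
    if proto != 6:
        return "discard"                  # this toy policy forwards TCP only
    if direction == "out":
        # A new outgoing connection request has ACK clear; block it only
        # for ports the site policy forbids (e.g. 80 at the La Trobe gateway).
        if not flags & ACK and dport in blocked_outgoing_ports:
            return "discard"
        return "forward"
    # Incoming: ACK set means a reply to a connection opened from inside,
    # so forward it; an inbound connection request (ACK clear) is dropped.
    return "forward" if flags & ACK else "discard"


def build(src_ip, dst_ip, sport, dport, flags):
    """Constructed sample packet: minimal IPv4 + TCP headers, checksums zeroed."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 8192, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    policy = {80}                         # constructed: La Trobe-style rule
    print(decide(build("10.0.0.5", "203.0.113.7", 40000, 80, SYN), "out", policy))
    print(decide(build("203.0.113.7", "10.0.0.5", 5000, 22, SYN), "in"))
```

The same code models the Nilai College gateway by passing a policy set that omits 80 and lists the other blocked services instead.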