Packet Filtering Firewalls
These only permit selected traffic to pass
between the "inside" and "outside" networks.
The decision to forward a packet or to discard it is made by
looking into its contents, usually at the IP source or
destination address. The TCP or UDP port numbers in the packet can
also be used.
TCP (and UDP) level filtering is more complex, and requires the
firewall router to keep much more "state" information. For example,
a particular site may allow outgoing TCP
connections for some services (i.e., port numbers), but prohibit most
incoming TCP connections. This can be achieved by
examining the ACK bit in the TCP header: it is cleared in the first
connection request segment, and is set in all subsequent segments.
Needless to say, this is a very CPU-intensive operation, because
the router must keep track of the IP addresses and port numbers of
every current, valid TCP connection.
For example, the La Trobe University "gateway" router is
configured to block outgoing port 80 (HTTP) connections, thus
forcing Web users within the University to use the caching proxy server. At Nilai College, where this unit
is also offered, only outgoing HTTP (port 80) connections are
permitted and all other services are blocked at the gateway router.
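The ACK-bit filtering described above, and the two site policies just given, as an added illustration that is not part of the original page. It is a simplified simulator, not real router code: the inside network (assumed 10.0.0.0/24), the segment trace and the two policy functions are constructed for the example. It shows why the router has to keep the state table the text mentions: a segment with ACK set is only forwarded if it belongs to a connection the filter admitted earlier.

```python
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple


@dataclass(frozen=True)
class Segment:
    """Constructed, simplified TCP segment: only the header fields the
    filter inspects (addresses, ports, ACK bit)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    ack: bool  # clear only in the first connection-request segment


# Assumption for this example: the "inside" network is 10.0.0.0/24.
INSIDE_PREFIX = "10.0.0."


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


# (inside ip, inside port, outside ip, outside port)
ConnKey = Tuple[str, int, str, int]


class AckBitFilter:
    """Forwards outgoing connection requests on permitted ports, refuses
    incoming connection requests (ACK clear), and keeps a table of admitted
    connections so that ACK-set segments pass only for known connections."""

    def __init__(self, outgoing_port_allowed: Callable[[int], bool]):
        self.outgoing_port_allowed = outgoing_port_allowed
        self.connections: Set[ConnKey] = set()

    def decide(self, seg: Segment) -> str:
        outgoing = is_inside(seg.src_ip) and not is_inside(seg.dst_ip)
        incoming = is_inside(seg.dst_ip) and not is_inside(seg.src_ip)
        if outgoing:
            key = (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
            if not seg.ack:
                # New outgoing request: apply the site's port policy and
                # remember the connection if it is permitted.
                if self.outgoing_port_allowed(seg.dst_port):
                    self.connections.add(key)
                    return "FORWARD"
                return "DROP"
            # Mid-connection segment: must belong to an admitted connection.
            return "FORWARD" if key in self.connections else "DROP"
        if incoming:
            if not seg.ack:
                # ACK clear means a connection request from outside: refused.
                return "DROP"
            key = (seg.dst_ip, seg.dst_port, seg.src_ip, seg.src_port)
            return "FORWARD" if key in self.connections else "DROP"
        # Traffic that does not cross the inside/outside boundary is not
        # the gateway's concern; the simulator simply does not forward it.
        return "DROP"


def la_trobe_policy(port: int) -> bool:
    # Block outgoing HTTP so browsers must use the caching proxy; allow the rest.
    return port != 80


def nilai_policy(port: int) -> bool:
    # Only outgoing HTTP is permitted; every other service is blocked.
    return port == 80


# Constructed trace of segments crossing the gateway, in order.
TRACE: List[Segment] = [
    Segment("10.0.0.5", "203.0.113.10", 40000, 443, ack=False),  # inside opens HTTPS
    Segment("203.0.113.10", "10.0.0.5", 443, 40000, ack=True),   # server's reply (ACK set)
    Segment("198.51.100.7", "10.0.0.5", 51000, 22, ack=False),   # outside tries to open SSH
    Segment("198.51.100.7", "10.0.0.5", 51000, 22, ack=True),    # stray ACK-set segment, no known connection
    Segment("10.0.0.5", "203.0.113.10", 40001, 80, ack=False),   # inside opens plain HTTP
]


def run_trace(policy: Callable[[int], bool], segments: List[Segment] = TRACE) -> List[str]:
    """Apply one site policy to the trace and return the per-segment decisions."""
    fw = AckBitFilter(policy)
    return [fw.decide(s) for s in segments]


if __name__ == "__main__":
    for name, policy in (("La Trobe", la_trobe_policy), ("Nilai", nilai_policy)):
        print(name, run_trace(policy))
```

Under the La Trobe policy the HTTPS request and its reply are forwarded, the incoming SSH request is refused because its ACK bit is clear, the stray ACK-set segment is dropped because no matching entry exists in the state table, and the outgoing port 80 request is blocked. Under the Nilai policy only the final port 80 request passes; note that the server's reply in segment 2 is now also dropped, because the request that would have created its table entry was never admitted.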