
Packet Filtering Firewalls

These only permit selected traffic to pass between the "inside" and "outside" networks.
 
The decision to forward a packet or to discard it is made by looking deep into its contents, usually at either the IP source or destination address. The TCP or UDP port numbers in the packet can also be used.
 
TCP (and UDP) level filtering is more complex, and requires the firewall router to keep much more "state" information. For example, a particular site may allow outgoing TCP connections for some services (i.e., port numbers), but prohibit most incoming TCP connections. This can be achieved by examining the ACK bit in the TCP header: it is cleared in the first connection request segment, and is set in all subsequent segments. Needless to say, this is a very CPU-intensive operation, because the router must keep track of the IP addresses and port numbers of every current, valid TCP connection.
 
For example, the La Trobe University "gateway" router is configured to block outgoing port 80 (HTTP) connections, thus forcing Web users within the University to use the caching proxy server. At Nilai College, where this unit is also offered, only outgoing HTTP (port 80) connections are permitted and all other services are blocked at the gateway router.
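The ACK-bit rule and the per-port policies from the La Trobe and Nilai examples, as an added illustration written for these notes (not code from the course or any real router): a stateless filter that only inspects the ACK bit beside a stateful one that records connections opened from inside. The "inside" prefix, addresses and port numbers are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed assumption: the "inside" network is 10.0.0.0/8.
INSIDE = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool  # TCP ACK bit: clear on the first segment of a connection, set afterwards


def outbound(seg: Segment) -> bool:
    """A segment is outgoing when its source address lies on the inside network."""
    return ipaddress.ip_address(seg.src) in INSIDE


def ack_bit_filter(seg: Segment, allowed_outbound: set[int]) -> bool:
    """Stateless rule: allow new outgoing connections only to selected ports, and
    drop any inbound segment with ACK clear (a new connection request). Every
    inbound segment with ACK set is trusted to be a reply, which is the rule's
    weakness: it cannot tell a genuine reply from an unrelated ACK-set segment."""
    if outbound(seg):
        return seg.ack or seg.dport in allowed_outbound
    return seg.ack


class StatefulFilter:
    """Keeps the connection state the notes describe: inbound segments are only
    forwarded when they belong to a connection that was opened from inside."""

    def __init__(self, allowed_outbound: set[int]) -> None:
        self.allowed = allowed_outbound
        self.conns: set[tuple[str, int, str, int]] = set()  # (src, sport, dst, dport)

    def forward(self, seg: Segment) -> bool:
        if outbound(seg):
            key = (seg.src, seg.sport, seg.dst, seg.dport)
            if not seg.ack:  # first segment: a new outgoing connection request
                if seg.dport not in self.allowed:
                    return False
                self.conns.add(key)
                return True
            return key in self.conns
        # Inbound: ACK must be set and the reversed 4-tuple must be a tracked connection.
        return seg.ack and (seg.dst, seg.dport, seg.src, seg.sport) in self.conns
```

With the Nilai policy (only outgoing port 80) the stateful filter drops an outgoing SSH request, while with a La Trobe-style policy that omits port 80 it drops direct outgoing HTTP, forcing clients through the proxy.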
 