Packet-filtering router
Packet-Filtering Routers
A packet-filtering router makes a permit/deny decision for each packet that it receives. The router examines each datagram to determine whether it matches one of its packet-filtering rules. The filtering rules are based on the packet header information that is made available to the IP forwarding process. This information consists of the IP source address, the IP destination address, the encapsulated protocol (TCP, UDP, ICMP, or IP Tunnel), the TCP/UDP source port, the TCP/UDP destination port, the ICMP message type, the incoming interface of the packet, and the outgoing interface of the packet. If a match is found and the rule permits the packet, the packet is forwarded according to the information in the routing table. If a match is found and the rule denies the packet, the packet is discarded. If there is no matching rule, a user-configurable default parameter determines whether the packet is forwarded or discarded.
Stateful Inspection Packet Filtering
Stateful inspection filtering is a more complex packet-filtering technology that filters traffic on more than just source address, destination address, port number, and protocol type. It keeps track of the state of each current connection to help ensure that only desired traffic passes through. This allows the creation of one-way rules (for example, inside to outside): a connection may only be initiated from the inside, and the reply packets of that connection are permitted because they belong to an already established connection.
A packet-filtering router yields a permit or deny decision for each packet that it receives. The router examines each IP datagram to determine whether it matches one of its packet-filtering rules. The filtering rules are based on packet header information that is made available to the IP forwarding process.
This information consists of:
- IP source address
- IP destination address
- Encapsulated protocol (TCP, UDP, ICMP, or IP tunnel/VPN)
- TCP/UDP source port
- TCP/UDP destination port
If a match is found and the rule permits the exchange, the packet is forwarded using the information in the network routing table. If a match is found and the rule denies the packet, the packet is discarded. If there are no matching rules, a user-configurable default parameter determines whether the packet is forwarded or discarded.
Service-Dependent Filtering
The packet-filtering rules allow a router to permit or deny traffic based on a specific service, since most service listeners reside on well-known TCP/UDP port numbers. For example, a Telnet server listens for remote connections on TCP port 23 and an SMTP server listens for incoming connections on TCP port 25. To block all incoming Telnet connections, the router simply discards all packets that contain a TCP destination port value equal to 23. To restrict incoming Telnet connections to a limited number of internal hosts, the router must deny all packets that contain a TCP destination port value equal to 23 and that do not contain the destination IP address of one of the permitted hosts. Some typical filtering rules include:
- Permit incoming Telnet sessions only to a specific list of internal hosts
- Permit incoming FTP sessions only to specific internal hosts
- Permit all outbound Telnet sessions
- Permit all outbound FTP sessions
- Deny all incoming traffic from specific external networks
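The following is an added example, not code from the original page: a small packet-filter evaluator that implements the first-match-wins rule list with a configurable default verdict described above, encodes the typical service-dependent rules from the list (incoming Telnet/FTP only to specific hosts, all outbound Telnet/FTP, deny a specific external network), and adds the stateful-inspection behaviour from the earlier section so that a one-way inside-to-outside rule is enough to let reply traffic back in. The interface names "inside"/"outside", the documentation address ranges, and the sample packets are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PERMIT, DENY = "permit", "deny"


@dataclass(frozen=True)
class Packet:
    """Header fields the filter sees (sample values below are constructed)."""
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    iface_in: str = ""  # incoming interface: "inside" or "outside" (assumed names)


@dataclass(frozen=True)
class Rule:
    """One filtering rule; a field set to None matches anything."""
    action: str
    proto: Optional[str] = None
    src: Optional[str] = None    # CIDR network
    dst: Optional[str] = None    # CIDR network
    dport: Optional[int] = None
    iface_in: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.iface_in is not None and self.iface_in != p.iface_in:
            return False
        return True


class PacketFilter:
    """First-match-wins rule list with a user-configurable default verdict.

    With stateful=True a permitted TCP/UDP packet creates a connection entry,
    and packets in the reverse direction of that connection are permitted
    without consulting the rules: that is what makes a one-way rule sufficient.
    """

    def __init__(self, rules, default=DENY, stateful=True):
        self.rules = list(rules)
        self.default = default
        self.stateful = stateful
        self.state = set()  # 5-tuples of connections already permitted

    def decide(self, p: Packet) -> str:
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if self.stateful and reverse in self.state:
            return PERMIT  # reply traffic of an established connection
        verdict = self.default  # no matching rule: default policy applies
        for rule in self.rules:
            if rule.matches(p):
                verdict = rule.action
                break
        if self.stateful and verdict == PERMIT and p.proto in ("tcp", "udp"):
            self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return verdict


# Constructed addressing: internal net 192.0.2.0/24, a hostile external
# net 198.51.100.0/24, other external hosts in 203.0.113.0/24.
RULES = [
    Rule(DENY, src="198.51.100.0/24", iface_in="outside"),            # deny a specific external network
    Rule(PERMIT, proto="tcp", dport=23, dst="192.0.2.10/32", iface_in="outside"),  # Telnet only to one host
    Rule(PERMIT, proto="tcp", dport=21, dst="192.0.2.20/32", iface_in="outside"),  # FTP only to one host
    Rule(PERMIT, proto="tcp", dport=23, iface_in="inside"),            # all outbound Telnet
    Rule(PERMIT, proto="tcp", dport=21, iface_in="inside"),            # all outbound FTP
]


def run_scenarios() -> dict:
    """Evaluate constructed packets and return the verdict for each case."""
    stateful = PacketFilter(RULES, default=DENY, stateful=True)
    stateless = PacketFilter(RULES, default=DENY, stateful=False)
    outbound = Packet("192.0.2.50", "203.0.113.9", "tcp", 51000, 23, "inside")
    reply = Packet("203.0.113.9", "192.0.2.50", "tcp", 23, 51000, "outside")
    results = {
        "telnet_to_allowed_host": stateful.decide(Packet("203.0.113.5", "192.0.2.10", "tcp", 40000, 23, "outside")),
        "telnet_to_other_host": stateful.decide(Packet("203.0.113.5", "192.0.2.11", "tcp", 40000, 23, "outside")),
        "from_blocked_network": stateful.decide(Packet("198.51.100.7", "192.0.2.10", "tcp", 40000, 23, "outside")),
        "outbound_telnet": stateful.decide(outbound),
    }
    results["reply_stateful"] = stateful.decide(reply)      # permitted via connection state
    stateless.decide(outbound)
    results["reply_stateless"] = stateless.decide(reply)    # no rule matches: default deny
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:24s} {verdict}")
```

The stateless run shows the practical cost of pure packet filtering: without connection tracking, letting the Telnet reply back in would require a separate permit rule for inbound traffic to every ephemeral client port, which is exactly the hole stateful inspection avoids.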
