application-level firewall. A brief description of each firewall type is given in the following section.
3.1.1 Packet-Filtering Firewall
Packet-filtering firewalls allow or block packets based on some or all of these four fields: the source IP address, the destination IP address, the TCP/UDP source port and the TCP/UDP destination port [24]. To transfer data across a network, the data must be divided into small pieces called packets. A packet, which is the fundamental unit of data transfer on the Internet, contains only a few hundred bytes of data. In the TCP/IP model, an IP (Internet Protocol) packet consists of two parts: the IP header and the IP body. Two important pieces of information, the IP source address and the IP destination address, are contained in the IP header. At the TCP layer, a TCP packet is carried in the body of an IP packet. The TCP packet is made up of the TCP header and the TCP body; the source port and destination port are stored in the TCP header. The body of an IP packet might instead contain a UDP packet. A UDP packet likewise consists of a UDP header and a UDP body, and the UDP source port and destination port are stored in the UDP header. A packet-filtering firewall operates at the OSI network layer.
Figure 2 shows a sample packet-filtering rule set that allows incoming and outgoing SMTP (Simple Mail Transfer Protocol) connections so that email can be delivered. Rule 1 allows an external host to send a request to port 25 on a server inside the protected network. Rule 2 allows that server on the protected network to reply to the external host. Rules 3 and 4 allow the SMTP connection in the reverse direction, where the SMTP server on the protected network wants to establish a connection to port 25 on an SMTP server on the external network. Rule 5 disallows any other connections.
The advantage of the packet-filtering firewall is that it is simple and easy to implement, as all filtering rules can be configured in a network router. The disadvantage is that packet filters make decisions based only on packet header information, not on the payload section of the packet. Once the packet filter fails, the whole protected internal network will be transparent to attackers.
Figure 2: Sample packet-filtering rules for SMTP

Rule | In/Out | Source Address | Dest. Address | Protocol | Source Port | Dest. Port | Action
1    | In     | External       | Internal      | TCP      | >=1024      | 25         | Permit
2    | Out    | Internal       | External      | TCP      | 25          | >=1024     | Permit
3    | Out    | Internal       | External      | TCP      | >=1024      | 25         | Permit
4    | In     | External       | Internal      | TCP      | 25          | >=1024     | Permit
5    | *      | *              | *             | *        | *           | *          | Deny
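The following is an added example, not code from the paper: a minimal first-match packet filter that encodes the five rules of Figure 2 and evaluates them against constructed sample packet headers. Addresses are modelled as the zones "Internal" and "External" as in the figure, and the last sample shows the header-only limitation described above: Rule 2 matches any packet sourced from internal port 25 to an external high port, whatever its payload.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """Only the header fields a packet filter looks at (constructed model)."""
    direction: str   # "In" or "Out"
    src_addr: str    # "Internal" or "External" zone, as in Figure 2
    dst_addr: str
    proto: str       # "TCP" or "UDP"
    src_port: int
    dst_port: int

# Rules from Figure 2: (rule no, in/out, src addr, dst addr, proto, src port, dst port, action)
# Port spec: exact int, "high" for >=1024, or "*" for any.
RULES = [
    (1, "In",  "External", "Internal", "TCP", "high", 25,     "Permit"),
    (2, "Out", "Internal", "External", "TCP", 25,     "high", "Permit"),
    (3, "Out", "Internal", "External", "TCP", "high", 25,     "Permit"),
    (4, "In",  "External", "Internal", "TCP", 25,     "high", "Permit"),
    (5, "*",   "*",        "*",        "*",   "*",    "*",    "Deny"),
]

def _port_match(spec, port: int) -> bool:
    if spec == "*":
        return True
    if spec == "high":
        return port >= 1024
    return port == spec

def _field_match(spec: str, value: str) -> bool:
    return spec == "*" or spec == value

def filter_packet(pkt: Packet) -> tuple:
    """Evaluate rules top to bottom; the first match decides (rule number, action)."""
    for num, io, src, dst, proto, sp, dp, action in RULES:
        if (_field_match(io, pkt.direction) and _field_match(src, pkt.src_addr)
                and _field_match(dst, pkt.dst_addr) and _field_match(proto, pkt.proto)
                and _port_match(sp, pkt.src_port) and _port_match(dp, pkt.dst_port)):
            return num, action
    return 0, "Deny"  # explicit default deny if no rule matched (Rule 5 makes this unreachable)

# Constructed sample packets; none of these come from the paper.
SAMPLES = {
    "smtp_in_request": Packet("In",  "External", "Internal", "TCP", 40000, 25),     # Rule 1
    "smtp_in_reply":   Packet("Out", "Internal", "External", "TCP", 25,    40000),  # Rule 2
    "telnet_in":       Packet("In",  "External", "Internal", "TCP", 40000, 23),     # Rule 5
    "dns_udp_in":      Packet("In",  "External", "Internal", "UDP", 53,    5353),   # Rule 5
    "port25_sourced":  Packet("Out", "Internal", "External", "TCP", 25,    45678),  # Rule 2: header match only
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:16} -> rule {filter_packet(pkt)[0]}: {filter_packet(pkt)[1]}")
```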