Lancom Systems LCOS 3.50 Server User Manual


 
Chapter 8: Firewall, LANCOM Reference Manual LCOS 3.50 (page 109)
Firewall
Packet filters
A firewall is called packet filter-based if the router examines only the header of each data packet and decides, on the basis of that information alone, whether the packet may pass. The analyzed information includes:
- the IP addresses of source and destination
- the transport protocol (TCP, UDP or ICMP)
- the port numbers of source and destination
- the MAC address
The rules defined in a packet-filter firewall determine, for example, whether packets from a particular IP address range may pass into the local network, or whether packets for particular services (i.e. with particular port numbers) are to be filtered. With these measures, communication with certain workstations, with entire networks or via specific services can be restricted or prevented entirely. The rules can also be combined, so that, for example, only workstations with specific IP addresses are allowed to reach the Internet via TCP port 80, while this service remains blocked for all other workstations.
Configuring a packet-filter firewall is quite simple, and the list of permitted or forbidden packets is easy to extend. Since the performance requirements of a packet filter can also be met with modest resources, packet filters are often implemented directly in routers, which act as the interface between the networks anyway.
A drawback of packet filters is that the list of rules becomes unwieldy after a while. Moreover, some services negotiate their connection ports dynamically. To allow such communication, the administrator has to leave all potentially used ports open, which runs contrary to the basic orientation of most security concepts.
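The following is an added example and is not taken from the LANCOM manual or from LCOS: a minimal stateless packet filter in Python that evaluates exactly the header fields listed above (addresses, protocol, ports) against an ordered rule list. The LAN prefix 192.168.1.0/24, the two web-permitted workstations and the sample packets are constructed for the illustration. The first rule set implements the "TCP port 80 only for selected workstations" combination from the paragraph above; the second shows the dynamic-port problem using active FTP, where the server opens the data connection back to a high port on the client from its own port 20 (standard active-FTP behaviour, assumed here because the excerpt only begins to describe it). Because the filter keeps no connection state, the only way to let that data connection through is a rule admitting inbound traffic to every high port, and the same rule admits any Internet host that simply chooses source port 20.

```python
"""Minimal stateless (header-only) packet filter: an added illustration, not LCOS code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

HIGH_PORTS = range(1024, 65536)          # the "upper range" (>1023) of ports
LAN = "192.168.1.0/24"                   # constructed: the protected local network
WEB_HOSTS = ("192.168.1.10/32", "192.168.1.11/32")  # constructed: workstations allowed HTTP


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter looks at (MAC address left out here)."""
    src: str
    dst: str
    proto: str                    # "TCP", "UDP" or "ICMP"
    sport: Optional[int] = None   # ICMP has no ports
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One filter rule; a None field means 'any'."""
    action: str                   # "ACCEPT" or "DROP"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    sport: Optional[range] = None
    dport: Optional[range] = None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.sport is not None and (p.sport is None or p.sport not in self.sport):
            return False
        if self.dport is not None and (p.dport is None or p.dport not in self.dport):
            return False
        return True


def filter_packet(rules: List[Rule], p: Packet, default: str = "DROP") -> str:
    """First matching rule wins; a packet matching no rule gets the default verdict."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# Rule set 1: HTTP only for the two named workstations, FTP control channel for the
# whole LAN. A stateless filter has to admit the reply direction explicitly as well.
STRICT_RULES: List[Rule] = []
for host in WEB_HOSTS:
    STRICT_RULES.append(Rule("ACCEPT", src=host, proto="TCP", sport=HIGH_PORTS, dport=range(80, 81)))
    STRICT_RULES.append(Rule("ACCEPT", dst=host, proto="TCP", sport=range(80, 81), dport=HIGH_PORTS))
STRICT_RULES.append(Rule("ACCEPT", src=LAN, proto="TCP", sport=HIGH_PORTS, dport=range(21, 22)))
STRICT_RULES.append(Rule("ACCEPT", dst=LAN, proto="TCP", sport=range(21, 22), dport=HIGH_PORTS))

# Rule set 2: the "fix" for active FTP. The data connection arrives from the server's
# port 20 to whatever high port the client announced, so every high port must be opened
# inbound. The filter cannot tell a negotiated data connection from an unsolicited one.
ACTIVE_FTP_HOLE = Rule("ACCEPT", dst=LAN, proto="TCP", sport=range(20, 21), dport=HIGH_PORTS)
PERMISSIVE_RULES = STRICT_RULES + [ACTIVE_FTP_HOLE]

# Constructed sample traffic (TEST-NET addresses stand in for Internet hosts).
WEB_FROM_ALLOWED = Packet("192.168.1.10", "203.0.113.5", "TCP", 40000, 80)
WEB_FROM_OTHER = Packet("192.168.1.20", "203.0.113.5", "TCP", 40000, 80)
FTP_CONTROL = Packet("192.168.1.20", "203.0.113.7", "TCP", 40001, 21)
FTP_DATA_INBOUND = Packet("203.0.113.7", "192.168.1.20", "TCP", 20, 40002)
UNSOLICITED_FROM_20 = Packet("198.51.100.9", "192.168.1.20", "TCP", 20, 3389)
PING_OUT = Packet("192.168.1.10", "203.0.113.5", "ICMP")

if __name__ == "__main__":
    samples = [("web from allowed host", WEB_FROM_ALLOWED), ("web from other host", WEB_FROM_OTHER),
               ("ftp control outbound", FTP_CONTROL), ("ftp data inbound", FTP_DATA_INBOUND),
               ("unsolicited from port 20", UNSOLICITED_FROM_20), ("icmp outbound", PING_OUT)]
    for name, pkt in samples:
        print(f"{name:26s} strict={filter_packet(STRICT_RULES, pkt):6s} "
              f"permissive={filter_packet(PERMISSIVE_RULES, pkt)}")
```

Run stand-alone, the script prints one line per sample packet under both rule sets. The strict set lets only the two named workstations reach port 80 and drops the inbound FTP data connection; the permissive set admits it, but also admits the unsolicited connection to port 3389 from an arbitrary Internet host, which is precisely the cost the paragraph above describes.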
One example of a procedure that is quite problematic for simple packet filters is establishing an FTP connection from a workstation in the local LAN to an FTP server on the Internet. With the commonly used active FTP, the client (in the protected LAN) sends a request from a port in the upper range (>1023) to port 21 of the server. The client informs the server over which port