USRobotics NETServer/16 Switch User Manual


 
Packet Filters
Input filters vs. Output filters
You can assign two packet filters to each interface: an input filter
and an output filter. Input filters control which packets are
allowed into the NETServer through the interface. Output filters
control what packets are allowed out of the NETServer.
When possible, use the input filter to filter out an incoming
packet rather than waiting to catch a packet on its way out of the
NETServer. There are several good reasons for this.
• Preventing a packet from entering the NETServer can keep
  potential intruders from attacking the NETServer itself.
• The NETServer’s routing engine does not waste time
  processing a packet that is going to be discarded anyway.
• Most importantly, the NETServer does not know which
  interface an outgoing packet came in through. If a potential
  intruder forges a packet with a false source address (in order
  to appear as a trusted host or network), there is no way for
  an output filter to tell if that packet came in through the
  wrong interface. An input filter, on the other hand, can filter
  out packets purporting to be from networks that are actually
  connected to a different interface.
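
The last point, shown as an added example that is not part of the manual: a small Python model of a router with per-interface input and output filters. It is not NETServer filter syntax; the interface names, addresses, policy and function names are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

# Constructed topology: networks actually attached to each interface.
ATTACHED = {
    "lan_a": [ip_network("192.168.10.0/24")],  # network that lan_b hosts trust
    "lan_b": [ip_network("192.168.20.0/24")],
    "wan": [],                                  # everything else arrives here
}
TRUSTED_BY_B = ip_network("192.168.10.0/24")

def input_filter(ingress, pkt):
    """Runs on arrival, so the ingress interface is known: drop any packet
    whose source claims a network attached to a different interface."""
    src = ip_address(pkt.src)
    return not any(src in net
                   for iface, nets in ATTACHED.items() if iface != ingress
                   for net in nets)

def output_filter(egress, pkt):
    """Runs on departure and sees only the packet and the egress interface.
    Assumed policy: only the trusted network may send out of lan_b."""
    if egress == "lan_b":
        return ip_address(pkt.src) in TRUSTED_BY_B
    return True

def route(pkt):
    """Pick the egress interface from the destination address."""
    dst = ip_address(pkt.dst)
    for iface, nets in ATTACHED.items():
        if any(dst in net for net in nets):
            return iface
    return "wan"

def forward(ingress, pkt, input_filters=True):
    """Apply the input filter, route, then apply the output filter."""
    if input_filters and not input_filter(ingress, pkt):
        return "dropped by input filter on " + ingress
    egress = route(pkt)
    if not output_filter(egress, pkt):
        return "dropped by output filter on " + egress
    return "forwarded out " + egress

genuine = Packet("192.168.10.5", "192.168.20.9")  # really sent from lan_a
spoofed = Packet("192.168.10.5", "192.168.20.9")  # forged, arrives on wan
```

The two packets are byte-for-byte identical by the time the output filter runs, so any output rule that admits the genuine one also admits the forgery; only the input filter on `wan` can tell them apart.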