The actual packet filter device can be software, hardware, or a combination of the two, but many packet filters are just extra software that runs on a router. The visual depicts only the “outbound” trusted client to untrusted server case, but the same process occurs when a client on the untrusted and insecure public network (i.e., the Internet) accesses a server at the corporate site.
In the visual, a client application needs to access the server at acme.com to accomplish some task. Typically, the client process would be a Web browser and the remote server a Web site. The higher layer data unit (TCP segment) is placed in an IP packet and the client IP Layer builds the IP header. The packet is placed in a frame and sent out the network port.
For the firewall to work, all outbound traffic must pass through the firewall device. The firewall device, which is usually also a router, not only looks at the destination IP address in the IP header, but it also applies a set of rules to the IP packet header. A network firewall administrator configures these rules ahead of time. The rules are applied consecutively and all packets are subject to a pass/fail decision. If the packet header passes all requirements, the packet is forwarded onto the public network. If a packet fails any rule test, it is discarded. An audit trail is maintained for future reference.
Packet filter rules vary. Rules apply to outbound and inbound traffic. A possible outbound rule is, “Allow no traffic sent to our competitor at the IP address for mega.widgets.com”; a typical inbound rule is, “Allow no inbound traffic from the IP address of hackers.r.us.”
In practice, packet filters operate on some fields of both the IP packet header and the “inner” TCP/UDP header (these concatenated fields form the TCP/IP “pseudo-header”). So, packet filters can screen out Telnet requests, for example, not just raw IP addresses.
While packet filters are fast and reliable, they require initial setup and ongoing administration.