Packet filtering

From Hill2dot0

The very nature of the connectionless Network Layer routing process—making forwarding decisions based on information found in the datagram header—lends itself to the provision of other services based on that same information. One of these is security, and a router that makes forward/don’t forward decisions based on header information is said to be packet filtering.

At its simplest, a packet filter can examine a datagram’s destination Network Layer address, compare it with a list, and either forward or filter the datagram depending on the instructions for that entry. Where no entry says how to treat a particular datagram, a default instruction determines what the packet filter does in all other cases.

At the next level of complexity, a packet filter might combine multiple criteria in each decision. For example, to be allowed to traverse a particular network, a datagram might have to carry a particular source Network Layer address and be destined for another particular address.

Finally, many packet filters have the ability to filter based on Transport Layer information, such as TCP or UDP port number, thus limiting packet traffic to that to or from certain applications. Filtering on Transport Layer information can significantly enhance security; in fact, packet filtering of this type is one of the mainstay techniques of most Internet firewall software.
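The three levels described above (a single destination address, multiple address criteria, and Transport Layer port criteria, with a default for everything else) as a small rule-list evaluator. This is an added example, not code from the Hill2dot0 article; it assumes first-match ordering of the list, datagram headers represented as plain dicts, and constructed addresses from the documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network

@dataclass(frozen=True)
class Rule:
    """One filter-list entry; a criterion left as None matches any datagram."""
    action: str                   # "forward" or "filter"
    src: Optional[Net] = None     # source Network Layer address range
    dst: Optional[Net] = None     # destination Network Layer address range
    proto: Optional[str] = None   # Transport Layer protocol ("tcp", "udp")
    dport: Optional[int] = None   # Transport Layer destination port

    def matches(self, pkt: dict) -> bool:
        """All criteria set on the rule must hold for the datagram header."""
        return ((self.src is None or ipaddress.ip_address(pkt["src"]) in self.src)
                and (self.dst is None or ipaddress.ip_address(pkt["dst"]) in self.dst)
                and (self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt.get("dport") == self.dport))

def decide(rules: list, pkt: dict, default: str = "filter") -> str:
    """Walk the list in order (assumed first-match); no match falls to the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

# Constructed rule list for a router in front of the 10.0.0.0/24 network.
RULES = [
    Rule("filter", dst=Net("192.0.2.99/32")),                           # one address, never reachable
    Rule("forward", src=Net("10.0.0.5/32"), dst=Net("192.0.2.10/32")),  # src AND dst must match
    Rule("forward", src=Net("10.0.0.0/24"), proto="tcp", dport=80),     # web traffic only ...
    Rule("forward", src=Net("10.0.0.0/24"), proto="tcp", dport=443),    # ... from the inside net
]

# Constructed datagram headers, not captured traffic.
PACKETS = [
    {"src": "10.0.0.5", "dst": "192.0.2.10",   "proto": "udp", "dport": 53},   # forward: rule 2
    {"src": "10.0.0.7", "dst": "192.0.2.10",   "proto": "udp", "dport": 53},   # filter: default
    {"src": "10.0.0.7", "dst": "198.51.100.4", "proto": "tcp", "dport": 443},  # forward: rule 4
    {"src": "10.0.0.7", "dst": "198.51.100.4", "proto": "tcp", "dport": 23},   # filter: default
    {"src": "10.0.0.5", "dst": "192.0.2.99",   "proto": "tcp", "dport": 80},   # filter: rule 1 wins
]

if __name__ == "__main__":
    for pkt in PACKETS:
        print(decide(RULES, pkt), pkt)
```

The last packet shows why list order matters: it satisfies the web rule, but the earlier single-address entry is reached first and filters it.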