A packet filter, also known as a network filter, is an application or software component that filters incoming and outgoing traffic on a computer network, usually to protect the network from attackers. Just as important as protection against external attackers is protection against unintentionally outgoing packets: this makes it harder, for example, for one's own computer to spread viruses on the Internet unintentionally and unnoticed. A packet filter can be part of a firewall.
Packet filters are used to implement the concept of a firewall. On routers, they are used to implement so-called ingress filters, which prevent data packets with invalid sender or destination addresses from entering or leaving a network. For example, if only the network 10.1.1.0/24 is connected to a router interface and a data packet with the sender address 172.16.1.42 arrives from that network, the router should discard the packet: either there is a configuration error or an attacker is trying to spoof the sender address. Multicast and broadcast sender addresses can be filtered in the same way. Unicast Reverse Path Forwarding is an alternative to packet filtering for this purpose.
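The ingress check described above, written out as an added example (this is not code from the original article). It assumes a constructed router interface to which only 10.1.1.0/24 is connected and decides, purely from the source address, whether a packet entering from that side may pass: addresses outside the connected network, multicast sources and broadcast sources are all discarded, as the text describes.

```python
import ipaddress

# Constructed example: the only network connected to this router interface.
CONNECTED_NET = ipaddress.ip_network("10.1.1.0/24")

# Address ranges that can never legitimately be the *source* of a packet.
MULTICAST_V4 = ipaddress.ip_network("224.0.0.0/4")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def ingress_decision(src, connected_net=CONNECTED_NET):
    """Return (verdict, reason) for a packet arriving on the interface.

    Verdict is "PASS" or "DROP". A packet entering from the connected
    network must carry a source address that belongs to that network and
    must not use a multicast or broadcast address as its source.
    """
    addr = ipaddress.ip_address(src)
    # Check broadcast first: the subnet broadcast address lies inside the
    # connected network and would otherwise pass the membership test.
    if addr == LIMITED_BROADCAST or addr == connected_net.broadcast_address:
        return "DROP", "broadcast address used as source"
    if addr in MULTICAST_V4:
        return "DROP", "multicast address used as source"
    if addr not in connected_net:
        return "DROP", f"source {src} not in connected network {connected_net}"
    return "PASS", "source belongs to connected network"


def filter_packets(packets, connected_net=CONNECTED_NET):
    """Apply ingress_decision to (src, dst) pairs; return the sources that passed."""
    return [src for src, _dst in packets
            if ingress_decision(src, connected_net)[0] == "PASS"]


if __name__ == "__main__":
    # Constructed sample traffic arriving from the 10.1.1.0/24 side of the router.
    sample = [("10.1.1.7", "192.0.2.10"),
              ("172.16.1.42", "192.0.2.10"),   # does not belong to this interface
              ("224.0.0.9", "192.0.2.10"),     # multicast address as source
              ("10.1.1.255", "192.0.2.10")]    # subnet broadcast address as source
    for src, dst in sample:
        verdict, reason = ingress_decision(src)
        print(f"{src:>14} -> {dst}: {verdict} ({reason})")
```

Only the first sample packet passes; the 172.16.1.42 packet is the misconfiguration or spoofing case from the text. A real router applies the same test per interface, with the connected prefixes taken from its routing configuration.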

How it Works
On the sending host, data is packaged into packets and transmitted over the network. Every packet that tries to pass through the packet filter is examined. Based on the data contained in each packet, such as the sender and recipient addresses, the packet filter decides according to its filtering rules what to do with that packet. A packet that is not allowed to pass is either discarded silently (called DENY or DROP in technical jargon) or discarded with an ICMP message informing the sender that access was not permitted (REJECT); a permitted packet is forwarded (FORWARD or PERMIT) or let through (ALLOW or PASS).
---
A packet filter is called "stateful" if, for an outgoing packet, it automatically generates a rule that accepts the response to that packet within a certain time window (in the range of minutes). If no response arrives or the time window is exceeded, the rule expires. In principle, such filters can also handle protocols that use two ports, for example FTP.
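The stateful behaviour just described, as an added example rather than code from the article: every outgoing packet records the reply it expects (addresses and ports swapped) together with an expiry time; an incoming packet is accepted only while such an entry is alive, and the entry expires once the window (assumed here to be 180 seconds, a constructed value) has passed without traffic. Packets, timestamps and the DNS-style conversation in the demo are all constructed.

```python
from collections import namedtuple

# Constructed packet shape: protocol, source address/port, destination address/port.
Packet = namedtuple("Packet", "proto src sport dst dport")


class StatefulFilter:
    """Toy stateful packet filter (constructed example, not a real implementation).

    An outgoing packet creates a temporary entry describing the reply that is
    expected for it. Incoming packets are accepted only while a matching entry
    is still alive; entries expire after `timeout` seconds unless refreshed by
    further traffic of the same conversation.
    """

    def __init__(self, timeout=180.0):
        self.timeout = timeout   # the "time window" from the text, in seconds
        self.table = {}          # expected reply key -> expiry timestamp

    @staticmethod
    def _key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reply_key(pkt):
        # The reply to (src:sport -> dst:dport) arrives as (dst:dport -> src:sport).
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def _expire(self, now):
        """Remove every entry whose time window has passed."""
        for key in [k for k, expiry in self.table.items() if expiry <= now]:
            del self.table[key]

    def outbound(self, pkt, now):
        """Let the packet out and remember to accept its reply for a while."""
        self._expire(now)
        self.table[self._reply_key(pkt)] = now + self.timeout
        return "ACCEPT"

    def inbound(self, pkt, now):
        """Accept only packets that answer a recent outgoing packet."""
        self._expire(now)
        key = self._key(pkt)
        if key not in self.table:
            return "DROP"   # unsolicited: no outgoing packet asked for this
        self.table[key] = now + self.timeout   # conversation active, extend window
        return "ACCEPT"

    def live_entries(self, now):
        """Number of entries still inside their time window at `now`."""
        self._expire(now)
        return len(self.table)


if __name__ == "__main__":
    fw = StatefulFilter(timeout=180.0)
    query = Packet("udp", "10.1.1.7", 53000, "192.0.2.53", 53)
    reply = Packet("udp", "192.0.2.53", 53, "10.1.1.7", 53000)
    unsolicited = Packet("udp", "198.51.100.9", 53, "10.1.1.7", 53000)
    print("query out    t=0  :", fw.outbound(query, 0.0))
    print("reply in     t=5  :", fw.inbound(reply, 5.0))
    print("stranger in  t=6  :", fw.inbound(unsolicited, 6.0))
    print("late reply   t=400:", fw.inbound(reply, 400.0))   # window expired
```

The unsolicited packet uses the same destination port as the genuine reply but a different source address, so its key is not in the table and it is dropped; the late reply is dropped because the entry created by the query has expired. A filter that also handled FTP's second data connection would need to inspect the control channel to learn which additional entry to create; this example deliberately stops at the single-connection case.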
The packet filter is responsible for tasks such as comparing the source or destination addresses of the packets that pass through the firewall, and it must filter or regulate data traffic accordingly. If you think of the Internet as a gigantic collection of houses, the IP addresses are, so to speak, the house numbers: under a specific IP address you can communicate directly with a computer.
The individual "floors" of these computers, each marked with a number called a port, house the various services such as HTTP, FTP or SSH. A packet filter can block ports for visitors from the Internet, meaning that any connection from the Internet to such a port is rejected at the front door. By configuring a firewall accordingly, a computer network can be protected from attacks or unwanted access.
A packet filter defines rules that determine whether individual or related packets are allowed to pass through the access protection system or are blocked. An example of such a rule: discard all packets coming from the IP address 1.2.3.4. However, since attackers can come from arbitrary IP addresses, it is more practical to go the opposite way and only allow packets coming from specific IP addresses to pass through.
In principle, however, this is not a truly secure approach either, since an attacker can forge the house number (the sender address) without major technical difficulty. Secure communication, e.g. between company networks, is only possible if protocols are used that authenticate and authorize the users or systems involved.
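An added example (not the article's own code) of the rule evaluation described in the "How it Works" section and of the two policy styles just contrasted: a first-match rule table with the actions ACCEPT, DROP and REJECT, where REJECT produces an ICMP-style notice to the sender and DROP produces nothing. The denylist policy discards the article's example address 1.2.3.4 and accepts everything else; the allowlist policy accepts SSH only from a constructed company network 10.1.1.0/24 and applies a default of DROP. The packets, rule fields and network ranges are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed packet and rule shapes; None in a rule field means "any".
Packet = namedtuple("Packet", "src dst proto dport")
Rule = namedtuple("Rule", "action src dst proto dport")


def _net_match(address, pattern):
    return pattern is None or ipaddress.ip_address(address) in ipaddress.ip_network(pattern)


def _exact_match(value, pattern):
    return pattern is None or value == pattern


def rule_matches(rule, pkt):
    """True if every rule field that is not None matches the packet."""
    return (_net_match(pkt.src, rule.src) and _net_match(pkt.dst, rule.dst)
            and _exact_match(pkt.proto, rule.proto) and _exact_match(pkt.dport, rule.dport))


def evaluate(rules, pkt, default):
    """The first matching rule decides; if none matches, the default policy applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


def apply_verdict(action, pkt):
    """What the filter emits for a verdict: the packet, an ICMP notice, or nothing."""
    if action == "ACCEPT":
        return f"forward {pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto}"
    if action == "REJECT":
        # ICMP destination unreachable, code "communication administratively prohibited"
        return f"icmp to {pkt.src}: destination unreachable (administratively prohibited)"
    if action == "DROP":
        return None   # silently discarded, the sender learns nothing
    raise ValueError(f"unknown action {action!r}")


# Policy 1 (denylist): discard one known address, accept everything else.
DENYLIST = [Rule("DROP", "1.2.3.4/32", None, None, None)]
DENYLIST_POLICY = (DENYLIST, "ACCEPT")

# Policy 2 (allowlist): accept SSH only from the company network, reject other
# SSH attempts with a notice, drop everything else silently.
ALLOWLIST = [
    Rule("ACCEPT", "10.1.1.0/24", None, "tcp", 22),
    Rule("REJECT", None, None, "tcp", 22),
]
ALLOWLIST_POLICY = (ALLOWLIST, "DROP")


def decide(policy, pkt):
    """policy is (rules, default); returns the verdict string."""
    rules, default = policy
    return evaluate(rules, pkt, default)


if __name__ == "__main__":
    samples = [
        Packet("1.2.3.4", "10.1.1.7", "tcp", 22),        # the address from the text
        Packet("203.0.113.5", "10.1.1.7", "tcp", 22),    # unknown Internet host
        Packet("10.1.1.9", "10.1.1.7", "tcp", 22),       # internal host
        Packet("203.0.113.5", "10.1.1.7", "udp", 9999),  # unrelated traffic
    ]
    for pkt in samples:
        for name, policy in (("denylist", DENYLIST_POLICY), ("allowlist", ALLOWLIST_POLICY)):
            verdict = decide(policy, pkt)
            print(f"{name:>9}: {pkt.src:>12} -> :{pkt.dport}/{pkt.proto} = {verdict} "
                  f"({apply_verdict(verdict, pkt)})")
```

Under the denylist the unknown host 203.0.113.5 reaches the SSH port, because only one address is listed; under the allowlist it is rejected, and anything that is neither SSH nor from the company network is dropped without a response. Both policies decide solely on the source address field the packet carries, which is exactly why the text concludes that address-based filtering alone is not a substitute for authenticated protocols.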