
Notes:


Routers are intrinsically permissive: their job is to forward packets from one network to another based on the destination IP address and their internal routing tables. A screening router performs the same task but additionally consults a filter table to decide whether a packet should be routed at all.
As data passes down the TCP/IP stack, each layer prefixes it with a header for its own protocol. A packet filter reads these headers and decides whether to pass or reject the packet according to rules configured on the system. Packet filtering protects the whole network regardless of how individual hosts are configured and is largely transparent to users; however, it is usually combined with other techniques to provide a complete solution.
An example is testing the TCP ACK flag. TCP is connection oriented: an incoming packet with the ACK flag set should be a response to a connection initiated by an internal host, so it can be passed, whereas an incoming packet without ACK (a bare SYN) is a new connection attempt from outside. The TCP layer on the receiving host will reject packets whose sequence numbers do not match an open connection, but sequence numbers can be predicted, and the ACK flag, like any other header field, can be spoofed. The filter itself has no way to verify that a matching connection actually exists.
UDP and ICMP are datagram-based protocols with no connection state to test, so they are harder to filter effectively and are often blocked entirely.
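The following is an added example, not code from the original notes: a toy screening-router filter in Python that parses raw IPv4, TCP and UDP headers and applies a first-match rule table, including an "established" rule that tests the ACK flag and blanket denies for UDP and ICMP. The internal network 10.0.0.0/8, the outside address 198.51.100.7 and the rule table itself are assumptions chosen for illustration. The last case shows the caveat from the text: a packet with ACK set is passed even though no inside host opened the connection, because the filter only sees header bits.

```python
"""Toy packet filter (constructed example, not a real router's code).
Assumed: inside network 10.0.0.0/8, hypothetical inbound rule table."""
import ipaddress
import struct

TCP_SYN = 0x02
TCP_ACK = 0x10
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17

IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
TCP_FMT = "!HHIIHHHH"        # 20-byte TCP header without options


def build_ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 header (TTL 64, checksum left zero) plus payload."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_tcp(sport, dport, flags):
    """Minimal TCP header; seq/ack/checksum are zero since the filter ignores them."""
    return struct.pack(TCP_FMT, sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)


def parse(raw):
    """Extract only the fields a screening router consults."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    pkt = {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
           "proto": proto, "sport": None, "dport": None, "flags": 0}
    if proto == PROTO_TCP:
        sport, dport, _, _, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
        pkt.update(sport=sport, dport=dport, flags=off_flags & 0x1FF)
    elif proto == PROTO_UDP:
        sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
        pkt.update(sport=sport, dport=dport)
    return pkt


ANY = ipaddress.ip_network("0.0.0.0/0")
INSIDE = ipaddress.ip_network("10.0.0.0/8")   # assumed internal network

# Hypothetical inbound filter table: (action, proto, src_net, dst_net, dport, established).
# First match wins; anything unmatched is denied.
RULES = [
    ("permit", PROTO_TCP, ANY, INSIDE, 25, False),    # new SMTP connections to inside
    ("permit", PROTO_TCP, ANY, INSIDE, None, True),   # replies to inside-initiated TCP (ACK set)
    ("deny", PROTO_UDP, ANY, ANY, None, False),       # datagram protocols blocked entirely
    ("deny", PROTO_ICMP, ANY, ANY, None, False),
]


def match(rule, pkt):
    """True if every field the rule constrains matches the parsed packet."""
    _, proto, src_net, dst_net, dport, established = rule
    if proto is not None and pkt["proto"] != proto:
        return False
    if pkt["src"] not in src_net or pkt["dst"] not in dst_net:
        return False
    if dport is not None and pkt["dport"] != dport:
        return False
    if established and not (pkt["flags"] & TCP_ACK):
        return False
    return True


def filter_packet(raw, rules=RULES):
    """Return (action, index of matching rule); index -1 means the implicit deny."""
    pkt = parse(raw)
    for i, rule in enumerate(rules):
        if match(rule, pkt):
            return rule[0], i
    return "deny", -1


if __name__ == "__main__":
    outside, inside = "198.51.100.7", "10.1.2.3"   # constructed addresses
    cases = {
        "SYN to inside port 80": build_tcp(40000, 80, TCP_SYN),
        "SYN to inside SMTP": build_tcp(40000, 25, TCP_SYN),
        "ACK reply to inside client": build_tcp(80, 40000, TCP_ACK),
        "spoofed ACK to inside port 445": build_tcp(40000, 445, TCP_ACK),
    }
    for name, tcp in cases.items():
        print(f"{name:32s} -> {filter_packet(build_ipv4(outside, inside, PROTO_TCP, tcp))}")
    udp = build_ipv4(outside, inside, PROTO_UDP, struct.pack("!HHHH", 53, 40000, 8, 0))
    print(f"{'UDP from port 53':32s} -> {filter_packet(udp)}")
```

The "spoofed ACK" case is permitted by rule 1 exactly like the genuine reply: the only difference between them is whether an inside host really has a matching connection, which a stateless filter cannot know. Tracking that state is what a stateful firewall adds on top of this check.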
Filtering is available in both hardware and software solutions, e.g. Cisco routers or Check Point's FireWall-1.