the internal network, except for incoming SMTP
connections (so that you can receive email).
TFTP, the X Window System, RPC, and the "r" services (rlogin, rsh,
To understand how packet filtering works, let's look at the difference
between an ordinary router and a screening router.
An ordinary router simply looks at the destination address of each
packet and picks the best way it knows to send that packet towards that
destination. The decision about how to handle the packet is based
solely on its destination. There are two possibilities: the
router has a route towards the destination, and it forwards the
packet along that route; or it has no such route, in which case it
discards the packet and sends an ICMP "destination unreachable"
message back to the packet's source.
A screening router, on the other hand, looks at packets more
closely. In addition to determining whether or not it can
route a packet towards its destination, a screening router also
determines whether or not it should. "Should" or "should not"
are determined by the site's security policy, which the screening
router has been configured to enforce.
Although it is possible for a screening router alone to sit between
an internal network and the Internet, as shown in the diagram above,
this places an enormous responsibility on the screening router. Not
only does it have to make every routing decision, but it is also the
only protecting system; if its security fails (or it crumbles under
attack), the internal network is exposed. Furthermore, a
straightforward screening router can't modify services. A screening
router can permit or deny a service, but it can't protect individual
operations within a service. If a desirable service has insecure
operations, or if the service is normally provided with an insecure
server, packet filtering alone can't protect it.
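The following simulation is an added example, not code from the book or from any router vendor; it shows the two decisions described above side by side. The ordinary router consults only a routing table and either forwards a packet or answers with ICMP "destination unreachable"; the screening router first applies an ordered, first-match rule list (default deny) that encodes the policy stated earlier in this chapter (outbound traffic permitted, inbound traffic permitted only for SMTP to the mail host and for packets belonging to connections the inside already opened), and only then routes what the policy allows. The addresses, interface names and the three-route table are constructed for the example (RFC 5737 documentation ranges); the ACK-flag test for "established" traffic is one common way to express the second rule. The payload field exists only to make the limitation in the paragraph above concrete: the filter forwards a permitted SMTP packet whatever commands it carries, because it never looks past the headers.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example network (RFC 5737 documentation addresses).
INTERNAL = ipaddress.ip_network("192.0.2.0/24")    # the site's internal network
MAIL_HOST = ipaddress.ip_network("192.0.2.25/32")  # host that receives SMTP
ANY = ipaddress.ip_network("0.0.0.0/0")

# An ordinary router consults only this table.  No default route is
# configured, so a destination matching nothing is unreachable.
ROUTING_TABLE = [
    (INTERNAL, "inside"),
    (ipaddress.ip_network("198.51.100.0/24"), "outside"),
    (ipaddress.ip_network("203.0.113.0/24"), "outside"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    ack: bool = False           # TCP ACK flag; clear only on a connection's first packet
    payload: bytes = b""        # application data; a screening router never reads it


def route(pkt: Packet):
    """Ordinary router: longest-prefix match, or ICMP unreachable to the sender."""
    dst = ipaddress.ip_address(pkt.dst)
    best = None
    for net, iface in ROUTING_TABLE:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        # The packet is discarded; only the ICMP error travels back to pkt.src.
        return ("icmp-unreachable", pkt.src)
    return ("forward", best[1])


@dataclass(frozen=True)
class Rule:
    direction: str              # "in" (Internet -> internal) or "out"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str]        # None matches any protocol
    dport: Optional[int]        # None matches any destination port
    ack: Optional[bool]         # None matches either flag state
    action: str                 # "permit" or "deny"


# The site policy as an ordered first-match list; anything unmatched is denied.
RULES = [
    Rule("out", INTERNAL, ANY, None, None, None, "permit"),    # all outbound
    Rule("in", ANY, MAIL_HOST, "tcp", 25, None, "permit"),     # incoming SMTP
    Rule("in", ANY, INTERNAL, "tcp", None, True, "permit"),    # replies to inside-opened TCP
]


def matches(rule: Rule, direction: str, pkt: Packet) -> bool:
    return (rule.direction == direction
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and rule.proto in (None, pkt.proto)
            and rule.dport in (None, pkt.dport)
            and rule.ack in (None, pkt.ack))


def screen(direction: str, pkt: Packet) -> str:
    """Screening router: decide whether the packet *should* be forwarded."""
    for rule in RULES:
        if matches(rule, direction, pkt):
            return rule.action
    return "deny"


def handle(direction: str, pkt: Packet):
    """Screening decision first; ordinary routing only for what policy permits."""
    if screen(direction, pkt) == "deny":
        return ("deny", None)
    return route(pkt)


if __name__ == "__main__":
    # Constructed sample traffic, not captured packets.
    samples = [
        ("in", Packet("203.0.113.7", "192.0.2.25", "tcp", 25)),                  # SMTP to mail host
        ("in", Packet("203.0.113.7", "192.0.2.25", "tcp", 25, payload=b"VRFY root\r\n")),
        ("in", Packet("203.0.113.7", "192.0.2.10", "tcp", 23)),                  # telnet attempt
        ("in", Packet("203.0.113.7", "192.0.2.25", "udp", 69)),                  # TFTP attempt
        ("in", Packet("203.0.113.7", "192.0.2.10", "tcp", 40000, ack=True)),     # reply to inside
        ("out", Packet("192.0.2.10", "10.9.9.9", "tcp", 80)),                    # no route
    ]
    for direction, pkt in samples:
        print(direction, pkt.src, "->", pkt.dst, pkt.proto, pkt.dport, handle(direction, pkt))
```

The second sample is the point of the surrounding paragraph: the VRFY command is visible only in the payload, so a filter that permits TCP port 25 to the mail host forwards it exactly as it forwards a harmless message; restricting individual SMTP operations is a job for the mail server or a proxy, not for the screening router.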
A number of other architectures have evolved to provide additional
security in packet filtering firewall implementations. Later in this
chapter, we show the way that additional routers, bastion hosts, and
perimeter networks may be added to the firewall implementations in the
screened host and screened subnet architectures.