Packet filter

from Wikipedia, the free encyclopedia

A packet filter, also known as a network filter, is software that filters incoming and outgoing data traffic in a computer network. This usually serves to protect the network from attackers. Just as important as protection against external attackers is protection against unwanted outgoing packets; this can, for example, make it harder for one's own computer to spread viruses on the Internet unintentionally and unnoticed. A packet filter can be part of a firewall.

Use

Packet filters are used to implement the concept of a firewall.

They are used on routers to implement so-called ingress filters. Such filters prevent data packets with invalid sender or destination addresses from being sent out of or into a network. If, for example, only the 10.1.1.0/24 network is connected to a router interface and a data packet with the sender address 172.16.1.42 arrives from that network, the router should discard the packet: there is either a configuration error or an attacker is trying to forge the sender address. Multicast and broadcast sender addresses can also be filtered out. Unicast reverse path forwarding is an alternative to packet filters for this purpose.
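The two checks just described, as an added example that is not part of the Wikipedia article: a static ingress filter that only accepts sender addresses from the prefix connected to the arriving interface, and a strict unicast reverse path forwarding (uRPF) check that uses the routing table instead. The interface names, the connected prefixes, the routing table and the sample addresses are all constructed for illustration.

```python
"""Ingress filtering on a router interface.

Added example, not from the Wikipedia article. The interface names, the
connected prefixes, the routing table and the sample addresses are all
constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed configuration: the prefix(es) legitimately attached to each
# interface. A packet arriving on "eth0" may only carry a sender address
# from 10.1.1.0/24, as in the article's example.
CONNECTED = {
    "eth0": [ip_network("10.1.1.0/24")],
    "eth1": [ip_network("192.168.0.0/16")],
}

# Constructed routing table for the uRPF variant: (prefix, outgoing
# interface). eth2 is the upstream link carrying the default route.
ROUTES = [
    (ip_network("10.1.1.0/24"), "eth0"),
    (ip_network("192.168.0.0/16"), "eth1"),
    (ip_network("0.0.0.0/0"), "eth2"),
]

BROADCAST = ip_address("255.255.255.255")


def plausible_sender(src):
    """Multicast and broadcast addresses are never valid unicast senders."""
    return not (src.is_multicast or src == BROADCAST)


def ingress_filter_allows(iface, src):
    """Static ingress filter: accept only if the sender address lies in a
    prefix configured as connected to the arriving interface. Interfaces
    without an entry (e.g. the upstream link) are not restricted."""
    src = ip_address(src)
    if not plausible_sender(src):
        return False
    prefixes = CONNECTED.get(iface)
    if prefixes is None:
        return True
    return any(src in net for net in prefixes)


def best_route(addr):
    """Longest-prefix match: the interface the router would use to reach addr."""
    matches = [(net, iface) for net, iface in ROUTES if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def urpf_strict_allows(iface, src):
    """Strict uRPF: accept only if the route back to the sender address leaves
    through the interface the packet arrived on. Unlike the static filter,
    this also catches an outside packet claiming an internal address."""
    src = ip_address(src)
    if not plausible_sender(src):
        return False
    return best_route(src) == iface


if __name__ == "__main__":
    for iface, src in [("eth0", "10.1.1.7"), ("eth0", "172.16.1.42"),
                       ("eth2", "10.1.1.7"), ("eth2", "198.51.100.9")]:
        print(iface, src, ingress_filter_allows(iface, src),
              urpf_strict_allows(iface, src))
```

Note the difference on the upstream interface: the static filter has no prefix list for eth2 and therefore passes a packet from outside that claims the internal sender 10.1.1.7, while the strict uRPF check discards it because the route back to 10.1.1.7 points at eth0.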

Functionality

The sending host packs the data into packets and sends them over the network. Every packet that tries to pass the packet filter is examined. Based on the data in each packet, such as the sender and recipient address, the packet filter uses filter rules to decide what to do with it. A packet that is not allowed to pass the filter is either silently discarded (called DENY or DROP in technical jargon) or discarded with an ICMP message that informs the sender that access was not permitted (REJECT); a permitted packet is forwarded (FORWARD or PERMIT) or let through (ALLOW or PASS).

A packet filter is called "stateful" if, for an outgoing packet, it automatically generates a rule that accepts the response to this packet within a certain time window (on the order of minutes). If no answer arrives or the time window is exceeded, the rule expires. In principle, such filters can also handle protocols that use two ports, for example FTP.

Packet filter example

The packet filter is responsible for tasks such as comparing the source or destination address of the packets that pass through the firewall, and must therefore filter or regulate the data traffic. If you think of the Internet as a gigantic collection of houses, the IP addresses are, so to speak, the house numbers. You can communicate directly with a computer using its IP address.

The various services such as HTTP, FTP or SSH reside on the individual "floors" of these computers (marked with a number, also called a port). A packet filter can block various ports for visitors from the Internet, i.e. every connection from the Internet is rejected at the front door. With the appropriate configuration of a firewall, a computer network can be protected from attacks or unwanted access.

A packet filter defines rules that determine whether individual or related packets are allowed to pass through the access protection system or are blocked. Such a rule would be, for example: discard all packets coming from the IP address 1.2.3.4. However, since attackers can come from any IP address, it is more practical to go the other way around and only let through packets that come from certain IP addresses.
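The rule evaluation and verdicts described under "Functionality", the stateful reply window from the same section, and the blocklist-versus-allowlist rule sets just discussed, combined in one added example that is not part of the Wikipedia article. The rule syntax, the 120-second reply window, the addresses and the sample packets are constructed; the first-match evaluation with a default policy is a common design but not something the article itself prescribes.

```python
"""A small packet filter: first-match rules with DROP / REJECT / ACCEPT
verdicts, a default policy, and a stateful reply window.

Added example, not from the Wikipedia article. The rule syntax, the reply
window, the addresses and the sample packets are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (from the Internet) or "out" (from our network)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str       # "tcp", "udp" or "icmp"


@dataclass
class Rule:
    action: str              # "ACCEPT", "DROP" or "REJECT"
    direction: str = None    # None means "any" for this and the fields below
    src: str = None
    dst: str = None
    proto: str = None
    dport: int = None

    def matches(self, pkt):
        wanted = ((self.direction, pkt.direction), (self.src, pkt.src),
                  (self.dst, pkt.dst), (self.proto, pkt.proto),
                  (self.dport, pkt.dport))
        return all(want is None or want == got for want, got in wanted)


# DROP is silent; REJECT additionally notifies the sender (ICMP, or a TCP
# reset for TCP); ACCEPT forwards the packet.
RESPONSE = {"ACCEPT": "forward", "DROP": "discard silently",
            "REJECT": "discard and notify sender"}


class PacketFilter:
    REPLY_WINDOW = 120  # seconds a reply stays allowed (constructed value)

    def __init__(self, rules, default="DROP"):
        self.rules = rules
        self.default = default
        self.state = {}  # (our addr, our port, peer addr, peer port, proto) -> expiry

    def verdict(self, pkt, now):
        """Return (action, reason) for pkt at time `now` (seconds)."""
        # Expire reply rules whose time window has run out.
        self.state = {k: t for k, t in self.state.items() if t > now}
        # Stateful check: an incoming packet answering an accepted outgoing
        # one is let through without consulting the rules.
        if pkt.direction == "in":
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.state:
                return "ACCEPT", "stateful"
        # Otherwise the first matching rule decides; accepting an outgoing
        # packet records the reply rule with its expiry time.
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "ACCEPT" and pkt.direction == "out":
                    key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
                    self.state[key] = now + self.REPLY_WINDOW
                return rule.action, "rule"
        return self.default, "default"  # nothing matched: default policy


# Rule set 1: block one known-bad address, let everything else through.
BLOCKLIST = [Rule("DROP", src="1.2.3.4"), Rule("ACCEPT")]

# Rule set 2: default deny. Only SSH from one trusted address comes in, telnet
# attempts are rejected with a notification, everything we send out is allowed.
ALLOWLIST = [
    Rule("ACCEPT", direction="in", src="203.0.113.10", proto="tcp", dport=22),
    Rule("REJECT", direction="in", proto="tcp", dport=23),
    Rule("ACCEPT", direction="out"),
]


def run_scenarios():
    """Evaluate constructed packets against both rule sets.
    Returns a dict of scenario name -> (action, reason)."""
    bad = Packet("in", "1.2.3.4", 40000, "10.1.1.7", 22, "tcp")
    other = Packet("in", "5.6.7.8", 40000, "10.1.1.7", 22, "tcp")
    trusted = Packet("in", "203.0.113.10", 40000, "10.1.1.7", 22, "tcp")
    telnet = Packet("in", "5.6.7.8", 40001, "10.1.1.7", 23, "tcp")
    request = Packet("out", "10.1.1.7", 50000, "198.51.100.5", 443, "tcp")
    reply = Packet("in", "198.51.100.5", 443, "10.1.1.7", 50000, "tcp")
    blk = PacketFilter(BLOCKLIST)
    alw = PacketFilter(ALLOWLIST)
    return {
        "blocklist_bad": blk.verdict(bad, now=0),
        "blocklist_other": blk.verdict(other, now=0),
        "allowlist_other": alw.verdict(other, now=0),
        "allowlist_trusted": alw.verdict(trusted, now=0),
        "allowlist_telnet": alw.verdict(telnet, now=0),
        "allowlist_request": alw.verdict(request, now=0),
        "allowlist_reply_in_window": alw.verdict(reply, now=10),
        "allowlist_reply_expired": alw.verdict(reply, now=200),
    }


if __name__ == "__main__":
    for name, (action, reason) in run_scenarios().items():
        print(f"{name:28} {action:7} ({reason}; {RESPONSE[action]})")
```

With the blocklist, every address except 1.2.3.4 gets in; with the default-deny allowlist, the same packet from 5.6.7.8 is dropped, and the reply to our own outgoing HTTPS request is accepted at 10 seconds but falls back to the default DROP once the 120-second window has passed.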

In principle, however, this is not a really secure approach either, since an attacker can forge the house number without major technical difficulty. Secure communication, e.g. between company networks, is only possible if protocols are used that authenticate and authorize the users or systems involved. This can be done, for example, with encrypted virtual private networks, or more simply by so-called port knocking, in which the sender first sends a previously agreed sequence of packets (practically knocking on the front door with a certain call sign) and only then is the port opened.

Packet filter implementations

Web links