Table of Contents
Advertisement
Filter priority
Continuing the customs inspectors analogy, imagine the inspectors lined up to examine a package. If the
package matches the first inspector's criteria, the package is either rejected or passed on to its destination,
depending on the first inspector's particular orders. In this case, the package is never seen by the remaining
inspectors.
If the package does not match the first inspector's criteria, it goes to the second inspector, and so on. You can
see that the order of the inspectors in the line is very important.
For example, let's say the first inspector's orders are to send along all packages that come from Rome, and the
second inspector's orders are to reject all packages that come from France. If a package arrives from Rome,
the first inspector sends it along without allowing the second inspector to see it. A package from Paris is
ignored by the first inspector, rejected by the second inspector, and never seen by the others. A package from
London is ignored by the first two inspectors, so it's seen by the third inspector.
In the same way, filter sets apply their filters in a particular order. The first filter applied can forward or discard
a packet before that packet ever reaches any of the other filters. If the first filter can neither forward nor discard
the packet (because it cannot match any criteria), the second filter has a chance to forward or reject it, and so
on. Because of this hierarchical structure, each filter is said to have a priority. The first filter has the highest
priority, and the last filter has the lowest priority.
packet
first
filter
no
match?
send
to next
filter
yes
forward
or
discard?
discard
(delete)
forward
to network
Security 13-5
Advertisement
Table of Contents
