Packet Filter - 3Com 3C13636 Configuration Manual

Router 3000 ethernet family

3Com Router 3000 Ethernet Family
Configuration Guide
entry in the valid connection table. After the session is terminated, the session
entry will be deleted from the table. Circuit-level GW authenticates a connection
only at the session layer. If the authentication is passed, any application can be
run on the connection. Take FTP as an example. A circuit-level GW only
authenticates an FTP session at the TCP layer at the beginning of the session. If
the authentication is passed, all the data can be transmitted on this connection
until the session is terminated.
Packet filter: Such a firewall filters each packet according to the items
defined by the user. For example, it compares each packet's source and destination
addresses against the defined rules for a match. A packet filter neither considers the
status of sessions, nor analyzes the data. If the user specifies that the packets
carrying port number 21 or a port number no less than 1024 are permitted, all the
packets matching the condition will be able to pass through the firewall. If the
configured rules are properly set for the actual applications, many packets that
pose a potential security threat can be filtered at this layer.
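As an added example (not from the 3Com manual, and not the router's configuration syntax), the following Python model applies the stateless matching described above to the rule from the text (port 21 or any port no less than 1024) and to a rule set tied to the application's addresses. The addresses, rule sets and names such as `filter_packet` are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:            # header fields only; a packet filter never reads the payload
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    src: str             # CIDR network the source address must fall in
    dst: str             # CIDR network the destination address must fall in
    ports: range         # destination ports the rule covers

def filter_packet(rules, pkt, default="deny"):
    """Stateless first-match decision: each packet is judged on its own header."""
    for r in rules:
        if (ip_address(pkt.src) in ip_network(r.src)
                and ip_address(pkt.dst) in ip_network(r.dst)
                and pkt.dport in r.ports):
            return r.action
    return default

ANY = "0.0.0.0/0"
LAN = "192.168.1.0/24"          # constructed internal network (private range)
FTP_SERVER = "203.0.113.10/32"  # constructed external FTP server

# The rule from the text: port 21 or any port >= 1024 is permitted.
BROAD = [Rule("permit", ANY, ANY, range(21, 22)),
         Rule("permit", ANY, ANY, range(1024, 65536))]

# Same ports, but tied to the addresses the FTP application actually uses.
TIGHT = [Rule("permit", LAN, FTP_SERVER, range(21, 22)),
         Rule("permit", LAN, FTP_SERVER, range(1024, 65536)),
         Rule("permit", FTP_SERVER, LAN, range(1024, 65536))]

# Constructed sample packets.
FTP_CONTROL = Packet("192.168.1.20", "203.0.113.10", 21)
FTP_REPLY = Packet("203.0.113.10", "192.168.1.20", 40000)
TELNET = Packet("192.168.1.20", "203.0.113.10", 23)
UNRELATED = Packet("198.51.100.7", "192.168.1.20", 6000)  # belongs to no FTP session

def verdicts(rules):
    return [filter_packet(rules, p) for p in (FTP_CONTROL, FTP_REPLY, TELNET, UNRELATED)]

if __name__ == "__main__":
    print("broad:", verdicts(BROAD))
    print("tight:", verdicts(TIGHT))
```

Under the broad rule the packet that belongs to no FTP session is permitted because only its port is examined; the address-bound rules deny it, while a packet carrying the FTP server's address is still permitted without any session check.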
Network Address Translation: Also called address proxy, NAT makes it possible
for a private network to access an external network. The NAT mechanism
substitutes an external network address and port of the router for the IP address and
port of a host on a private network, and vice versa. In other words, it performs the
conversion between <Private address + Port number> and <Public address + Port
number>. The private address discussed here refers to an internal network or host
address, and public address refers to a globally unique IP address on the Internet.
The Internet Assigned Numbers Authority (IANA) has specified that the following IP
address ranges are reserved for private addresses:
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
In other words, the addresses in these three ranges are used inside organizations
or companies rather than assigned on the Internet. A company can select a suitable
internal network address range, taking into consideration the number of internal
hosts and networks it expects in the near future. The internal network addresses of different
companies can be the same. However, it is very likely to cause chaos if a company
selects a segment beyond the three ranges given above as the internal network
address. NAT allows internal hosts to access Internet resources while keeping their
"privacy".

1.4.3 Packet Filter

I. Function
Normally, a packet filter filters IP packets. For the packets that the router will forward,
the filter will first obtain the header information of each packet, including upper protocol
Chapter 1 Network Security Configuration
3Com Corporation
1-4


This manual is also suitable for:

3c13636-us - router 30363000 series
