
Administrator’s Handbook
How filter sets work
A filter set acts like a team of customs inspectors. Each filter is an inspector through which incoming and outgoing packages must pass. The inspectors work as a team, but each inspects every package individually.
Each inspector has a specific task. One inspector’s task may be to examine the destination address of all outgoing packages. That inspector looks for a certain
[Figure: A filter inspects data packets like a customs inspector scrutinizing packages.]
Filter priority
[Figure: flowchart of a packet passing through a filter set. The packet reaches the first filter; if the filter does not match, the packet is sent to the next filter; if it matches, the filter's action decides whether the packet is forwarded to the network or discarded (deleted).]

Continuing the customs inspectors analogy, imagine the inspectors lined up to examine a package. If the package matches the first inspector's criteria, the package is either rejected or passed on to its destination, depending on the first inspector's particular orders. In this case, the package is never seen by the remaining inspectors.

If the package does not match the first inspector's criteria, it goes to the second inspector, and so on. You can see that the order of the inspectors in the line is very important.

For example, let's say the first inspector's orders are to send along all packages that come from Rome, and the second inspector's orders are to reject all packages that come from France. If a package arrives from Rome, the first inspector sends it along without allowing the second inspector to see it. A package from Paris is ignored by the first inspector, rejected by the second inspector, and never seen by the others. A package from London is ignored by the first two inspectors, so it's seen by the third inspector.

In the same way, filter sets apply their filters in a particular order. The first filter applied can forward or discard a packet before that packet ever reaches any of the other filters. If the first filter can neither forward nor discard the packet (because it cannot match any criteria), the second filter has a chance to forward or reject it, and so on. Because of this hierarchical structure, each filter is said to have a priority. The first filter has the highest priority, and the last filter has the lowest priority.
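The first-match behaviour described above, as an added example that is not part of the handbook and does not reproduce the product's own filter implementation. It models the Rome/France/London inspectors as an ordered list of filters: the "Rome" and "France" networks are constructed documentation prefixes (192.0.2.0/24 and 198.51.100.0/24), the third filter is assumed to match on destination port, and the `apply_filter_set` function records which filters were consulted so the priority effect is visible. It also goes one step beyond the text with a second filter set in which a catch-all discard placed first shadows a later forward rule, the classic ordering mistake; what a filter set does when no filter matches at all is not stated in this passage, so the example simply reports "unmatched" and leaves that policy to the caller.

```python
"""First-match packet filter set modelled on the customs-inspector analogy.

Added example (assumptions, not the handbook's code): addresses, ports and
filter criteria are constructed; filter sets are plain Python lists in
priority order.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address (constructed sample values below)
    dst_port: int   # destination port


@dataclass(frozen=True)
class Filter:
    """One inspector: its criteria and the order it carries out on a match."""
    name: str
    action: str                      # "forward" or "discard"
    src_net: Optional[str] = None    # criterion: source network (None = any)
    dst_port: Optional[int] = None   # criterion: destination port (None = any)

    def matches(self, pkt: Packet) -> bool:
        if self.src_net is not None and ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


def apply_filter_set(filters: List[Filter], pkt: Packet) -> Tuple[str, Optional[str], List[str]]:
    """Walk the filters in priority order; the first match decides.

    Returns (decision, name of the deciding filter or None, filters consulted).
    Filters after the deciding one never see the packet.
    """
    consulted: List[str] = []
    for f in filters:
        consulted.append(f.name)
        if f.matches(pkt):
            return f.action, f.name, consulted
    # No filter matched: the handbook passage does not define a default, so
    # report it and let the caller decide (assumption of this example).
    return "unmatched", None, consulted


# Constructed networks standing in for "Rome" and "France" in the analogy.
ROME_NET = "192.0.2.0/24"
FRANCE_NET = "198.51.100.0/24"


def sample_filter_set() -> List[Filter]:
    """Filters in the order the text describes: forward Rome, discard France, then a third filter."""
    return [
        Filter("forward-rome", "forward", src_net=ROME_NET),
        Filter("discard-france", "discard", src_net=FRANCE_NET),
        Filter("forward-web", "forward", dst_port=443),   # the "third inspector" (assumed criterion)
    ]


def shadowed_filter_set() -> List[Filter]:
    """A mis-ordered set: the catch-all discard has top priority, so the Rome rule is never reached."""
    return [
        Filter("discard-all", "discard"),
        Filter("forward-rome", "forward", src_net=ROME_NET),
    ]


# Constructed sample packets.
PACKETS = {
    "rome": Packet("192.0.2.10", 443),
    "paris": Packet("198.51.100.7", 443),    # Paris lies inside the France network
    "london-web": Packet("203.0.113.5", 443),
    "london-ssh": Packet("203.0.113.5", 22),
}


if __name__ == "__main__":
    for label, pkt in PACKETS.items():
        decision, by, seen = apply_filter_set(sample_filter_set(), pkt)
        print(f"{label:11s} -> {decision:9s} by {str(by):15s} consulted {seen}")
    decision, by, seen = apply_filter_set(shadowed_filter_set(), PACKETS["rome"])
    print(f"{'shadowed':11s} -> {decision:9s} by {str(by):15s} consulted {seen}")
```

Running the block shows the Rome packet forwarded after consulting only the first filter, the Paris packet discarded by the second, and the London packets reaching the third filter; the shadowed set discards the Rome packet at the first filter and never consults the forward rule behind it, which is why a catch-all rule belongs at the lowest priority.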