The packet filtering firewall (fig. ) is perhaps the
most common and easiest to employ for small, uncomplicated sites.
However, it suffers from a number of disadvantages and is less desirable
as a firewall than the other example firewalls discussed in this chapter.
Basically, one installs a packet filtering router at the Internet
(or any subnet) gateway and then
configures the packet filtering rules in the router to block or filter
protocols and addresses.
The site systems usually have direct access to the Internet while all or
most access to site systems from the Internet is blocked.
However, the router could allow selective access to systems and services,
depending on the policy.
Usually, inherently dangerous services such as NIS, NFS, and X Windows
are blocked.
Figure: Packet Filtering Firewall.
A packet filtering firewall suffers from the same disadvantages as a packet filtering router; however, they can become magnified as the security needs of a protected site become more complex and stringent. These would include the following:
A packet filtering router can implement either of the design policies
discussed in section .
However, if the router does not filter on source port or filter on inbound as well
as outbound packets, it may be more difficult to implement the second
policy, i.e., deny everything unless specifically permitted.
If the goal is to implement the second policy, a router that provides the
most flexibility in the filtering strategy is desirable.
Again, see [Chap92] as well as [Ches94] for more
information.
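To make the two design policies concrete, the following is an added example (not part of the original text) of a toy stateless packet filter: first matching rule wins, and packets matching no rule fall to the default policy. The rule model, the 192.0.2.0/24 site network and the port numbers are constructed for illustration; the policy names and blocked services are those discussed above.

```python
"""Toy first-match packet filter illustrating the two router design policies.
Added example: addresses, rules and the Rule/Packet model are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving from the Internet) or "out" (leaving the site)
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    sport: Optional[range] = None  # None matches any source port
    dst: str = "0.0.0.0/0"
    dport: Optional[range] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.sport is None or p.sport in self.sport)
                and (self.dport is None or p.dport in self.dport))

def filter_packet(rules, packet: Packet, default: str = "deny") -> str:
    """Evaluate rules in order; the first match decides, else the default policy."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default

SITE = "192.0.2.0/24"  # constructed site network (RFC 5737 documentation range)
# Second policy, "deny everything unless specifically permitted": needs a router
# that filters on direction, so a spoofed inbound packet with a site source
# address does not match the outbound permit. Default is "deny".
DENY_UNLESS_PERMITTED = [
    Rule("permit", "in", "tcp", dst="192.0.2.25", dport=range(25, 26)),  # SMTP to mail host
    Rule("permit", "out", src=SITE),                                    # site-originated traffic
]
# First policy, "permit everything unless specifically denied": block the
# inherently dangerous services named above and rely on a default of "permit".
PERMIT_UNLESS_DENIED = [
    Rule("deny", "in", "udp", dport=range(111, 112)),    # portmapper (NIS/NFS)
    Rule("deny", "in", "udp", dport=range(2049, 2050)),  # NFS
    Rule("deny", "in", "tcp", dport=range(6000, 6064)),  # X Windows displays
]
```

Adding a rule to either list shows how quickly the second policy stays small while the first grows with every new service that must be denied.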