Input filters vs. output filters – USRobotics NETServer/8 User Manual


Packet Filters 8-3

Information Sources

Internet packet filtering and security are complex issues, and
this chapter can only scratch the surface. The following
sources provide additional information:

Cheswick and Bellovin, Firewalls and Internet Security: Repelling
the Wily Hacker, Addison Wesley, 1994, ISBN 0-201-63357-4

Siyan and Hare, Internet Firewalls and Network Security, New
Riders Publishing, 1995, ISBN 1-56205-437-6

Input filters vs. Output filters

You can assign two packet filters to each interface: an input filter
and an output filter. Input filters control which packets are
allowed into the NETServer through the interface. Output filters
control what packets are allowed out of the NETServer.

When possible, use the input filter to filter out an incoming
packet rather than waiting to catch a packet on its way out of the
NETServer. There are several good reasons for this.

Preventing a packet from entering the NETServer can keep
potential intruders from attacking the NETServer itself.

The NETServer’s routing engine does not waste time
processing a packet that is going to be discarded anyway.

Most importantly, the NETServer does not know which
interface an outgoing packet came in through. If a potential
intruder forges a packet with a false source address (in order
to appear as a trusted host or network), there is no way for
an output filter to tell if that packet came in through the
wrong interface. An input filter, on the other hand, can filter
out packets purporting to be from networks that are actually
connected to a different interface.
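
The third reason can be seen in a small simulation. This is an added example, not part of the manual and not NETServer filter syntax: a Python model of a router in which the interface names (lan_a, lan_b, wan), the addresses and the filter rules are all constructed assumptions.

```python
import ipaddress

# Constructed topology (an assumption for illustration, not from the manual):
# the network attached to each interface; "wan" carries everything else.
ATTACHED = {
    "lan_a": ipaddress.ip_network("192.168.10.0/24"),   # trusted hosts
    "lan_b": ipaddress.ip_network("192.168.20.0/24"),   # servers
}
TRUSTED = ATTACHED["lan_a"]

def route(dst):
    """Pick the outgoing interface from the destination address."""
    addr = ipaddress.ip_address(dst)
    for iface, net in ATTACHED.items():
        if addr in net:
            return iface
    return "wan"

def output_filter(src, dst, out_iface):
    """Egress rule on lan_b: only trusted sources may reach the servers.
    The arrival interface is not a parameter because it is unknown here."""
    if out_iface == "lan_b":
        return ipaddress.ip_address(src) in TRUSTED
    return True

def input_filter(src, dst, in_iface):
    """Ingress rule: drop a packet whose source claims a network that is
    attached to a different interface than the one it arrived on."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for iface, net in ATTACHED.items()
                   if iface != in_iface)

def forward(src, dst, in_iface, use_input_filter):
    """Return the fate of one packet crossing the simulated router."""
    if use_input_filter and not input_filter(src, dst, in_iface):
        return "dropped at input"
    out_iface = route(dst)
    if not output_filter(src, dst, out_iface):
        return "dropped at output"
    return "forwarded to " + out_iface

if __name__ == "__main__":
    hdr = ("192.168.10.5", "192.168.20.9")   # constructed addresses
    print(forward(*hdr, "lan_a", False))     # genuine trusted host
    print(forward(*hdr, "wan", False))       # same header, forged source
    print(forward(*hdr, "wan", True))        # forged source, input filter on
```

The genuine and the forged packet carry identical headers, so the output filter gives both the same verdict; only the input filter, which knows the arrival interface, separates them.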
