By Stephen Bucaro
The purpose of a network firewall is to protect computer and IT resources from
malicious sources while allowing internal network users to access the Internet. Today
networks use "stateful" firewalls. A stateful firewall monitors the dynamic state of
data flow and makes decisions on whether to block or allow data to pass based upon
But in the past all firewalls were "stateless" and made decisions on whether to
block or allow data to pass by examining individual packets against the firewall's
Access Control List (ACL). This type of firewall was also called a "packet filtering" firewall.
An ACL uses IP address masks to specify what should be permitted and denied. ACL
masks are opposite normal IP address masks in that an 0 indicates that the address
bits must be an exact match and a 1 in the mask is a "don't care". You can create an
ACL masks by subtracting the IP addresses normal mask from 255.255.255.255.
permit ip any 220.127.116.11 255.255.255.255
permit ip any 18.104.22.168 255.255.255.255
permit ip any 22.214.171.124 255.255.255.255
permit ip any 126.96.36.199 255.255.255.255
deny ip any any
An ACL then is a list of rules with statements to permit or deny the passage of
packets with specific ranges of IP addresses. The rules can be applied to either the
inbound or the outbound traffic. At the end of the ACL, by default, there is an
implicit deny rule that blocks all traffic for which there is not a rule.
A packet filter firewall alone cannot detect some attacks from the transport layer
and application layer, such as TCP SYN flooding and malicious Java applets. The
Application Specific Packet Filter (ASPF) specification was proposed to address these
issues. An ASPF firewall implements application layer and transport specific packet filtering.