The primary activity of a firewall is filtering packets that pass to and from the Internet and the protected subnet. Filtering packets can limit or disable services such as NFS or telnet, restrict access to and from specific systems or domains, and hide information about subnets. A firewall could filter the following fields within packets:
In almost all cases, packet filtering is done using a packet filtering router designed for filtering packets as they pass between the router's interfaces. Packet filtering capability is usually not included in operating systems such as UNIX or VAX/VMS; however, at least one vendor includes packet filtering capability [Ran92]. Not all packet filtering routers can filter based on source TCP/UDP port; however, more vendors are starting to incorporate this capability.
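The following is an added illustration, not code from the original document, of how a packet filtering router evaluates a rule set against packet header fields. The set of fields it filters on (source and destination address, protocol, source and destination port) is an assumption, since the document's own list of fields is not reproduced above; the protected subnet, hosts, addresses and policy are constructed for the example. It also shows the point made about source-port filtering: a helper reports which rules a router lacking that capability could not enforce.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


# Header fields are an assumption for this illustration; the original text's
# list of filterable fields is not reproduced on this page.
@dataclass(frozen=True)
class Packet:
    src: str                      # source IP address
    dst: str                      # destination IP address
    proto: str                    # "tcp", "udp" or "icmp"
    sport: Optional[int] = None   # source port (TCP/UDP only)
    dport: Optional[int] = None   # destination port (TCP/UDP only)


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: str = "0.0.0.0/0"        # CIDR; the default matches any source
    dst: str = "0.0.0.0/0"        # CIDR; the default matches any destination
    proto: Optional[str] = None   # None = any protocol
    sport: Optional[int] = None   # None = any source port
    dport: Optional[int] = None   # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        """True when every field the rule constrains agrees with the packet."""
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.sport is not None and self.sport != pkt.sport:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First-match evaluation: the first rule that matches decides, and a
    packet no rule covers falls through to the default (deny here)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def rules_needing_source_port(rules: List[Rule]) -> List[Rule]:
    """Rules a router without source TCP/UDP port filtering cannot enforce."""
    return [r for r in rules if r.sport is not None]


# Constructed policy for a hypothetical protected subnet 192.0.2.0/24 with a
# mail host at 192.0.2.10 and an external DNS server at 198.51.100.53
# (documentation address ranges; illustrative only).
PROTECTED = "192.0.2.0/24"
RULES = [
    Rule("deny", dst=PROTECTED, proto="tcp", dport=23),       # no inbound telnet
    Rule("deny", dst=PROTECTED, proto="udp", dport=2049),     # no inbound NFS
    Rule("deny", dst=PROTECTED, proto="tcp", dport=2049),
    Rule("permit", dst="192.0.2.10", proto="tcp", dport=25),  # SMTP to mail host only
    Rule("permit", src="198.51.100.53", dst=PROTECTED,
         proto="udp", sport=53),                              # DNS replies (needs sport)
    Rule("permit", src=PROTECTED),                            # outbound from inside
]


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5", "192.0.2.20", "tcp", 40000, 23),    # inbound telnet
        Packet("203.0.113.5", "192.0.2.10", "tcp", 40000, 25),    # SMTP to mail host
        Packet("203.0.113.5", "192.0.2.20", "tcp", 40000, 25),    # SMTP to other host
        Packet("198.51.100.53", "192.0.2.20", "udp", 53, 1234),   # DNS reply
        Packet("192.0.2.20", "203.0.113.5", "tcp", 1025, 23),     # outbound telnet
    ]
    for p in samples:
        print(f"{filter_packet(RULES, p):6} {p}")
    print("rules a router without source-port filtering cannot enforce:",
          len(rules_needing_source_port(RULES)))
```

The DNS-reply rule is the one that depends on source-port filtering; on a router without that capability it would have to be widened to permit all UDP from that server, which is a less precise policy. Permitting traffic on the basis of the remote source port alone also trusts the remote end to use the expected port, which is why such rules are kept as narrow as possible.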