Using the privileged ports convention, this section contains several examples of packet filtering rules. In the examples, the syntax a.b.c.d/y denotes the 32-bit IP address a.b.c.d with the left-most y bits of the address significant for a comparison, as used in [Cha92]. For example, 129.7.0.0/16 means that the first 16 bits, 129.7, are significant for comparisons to other addresses or patterns. Thus, 129.7.1.2 matches 129.0.0.0/8, 129.7.0.0/16, and 129.7.1.0/24, but not 129.7.4/24. An address or pattern with 0 significant bits such as 0.0.0.0/0 matches any address, while a pattern with 32 significant bits such as 129.7.1.2/32 matches only that specific address.
The following examples assume packet-filtering routers (or dual-homed hosts with packet filtering capability) with two interfaces (Ethernet, token ring, etc.).
The first example is a simple method to block access to all privileged ports from outside systems to a protected network:
This effectively blocks all access from the outside to the protected network; however, systems on the protected network may still be able to use telnet, ftp, and some other services to connect outbound, because the reply packets of those connections arrive at unprivileged (above 1023) ports on the protected systems and are therefore not blocked.
This example may prove too restrictive for many sites, so the next example preserves outbound access from the protected network to the outside and permits only inbound telnet (port 23), ftp (ports 20 and 21), and SMTP (port 25) access from outside systems to the protected network. The following rules would filter accordingly:
However, to make this example more complete, we would need to block inbound access to those services that use port numbers above 1023, such as X Windows (ports 6000, 6001, up to 60nn, where nn is the maximum number of X displays running on any one host) and Sun OpenWindows (2000). The following rules would need to be added:
The above examples have all used port numbers or packet type as the filtering criteria. Source and destination IP addresses combined with the other header fields can permit certain types of access to occur only to designated systems or subnets. For example, a site may wish to allow certain services from the outside such as SMTP, ftp, or NNTP (port 119), to go to only specific systems. In the following example, one host on the protected network, 127.32.7.20, is acting as the site's anonymous ftp server, a second host, 127.32.7.21, is the e-mail server, and a third host, 127.32.7.22, is the news server. The rules for limiting inbound access from the outside to these systems would be as follows:
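The following is an added example, not a rule table from the original document, that models the a.b.c.d/y prefix notation of the first paragraph and the four rule sets described above (block all privileged ports inbound; permit only inbound telnet, ftp and SMTP; additionally deny X Windows and OpenWindows; per-host allowances for the ftp, e-mail and news servers). It assumes a first-match evaluation order, a protected network of 127.32.7.0/24 containing the three hosts named in the text, and 63 as the maximum number of X displays (the "nn" in 60nn); all three are assumptions, not values from the page.

```python
# Added example: a toy packet filter that evaluates rules in the style of the
# text's examples. Not the original document's rule tables; the protected
# network prefix, first-match semantics and the X display count are assumptions.

ANY = "0.0.0.0/0"           # 0 significant bits: matches every address
ALL_PORTS = (0, 65535)
PRIVILEGED = (0, 1023)      # the privileged ports convention
PROTECTED = "127.32.7.0/24" # assumed prefix for the protected network
MAX_X_DISPLAYS = 63         # assumed value for "nn" in port 60nn


def parse_ip(text):
    """Dotted-quad to 32-bit int; omitted trailing octets are zero,
    so the page's shorthand '129.7.4' is read as 129.7.4.0."""
    octets = text.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(text)
    octets += ["0"] * (4 - len(octets))
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(text)
        value = (value << 8) | n
    return value


def matches(addr, pattern):
    """True if the left-most y bits of addr equal those of pattern 'a.b.c.d/y'."""
    net, _, bits = pattern.partition("/")
    bits = int(bits) if bits else 32
    mask = ((1 << bits) - 1) << (32 - bits)   # y ones followed by 32-y zeros
    return (parse_ip(addr) & mask) == (parse_ip(net) & mask)


# A rule is (action, src_pattern, dst_pattern, proto, (port_lo, port_hi));
# proto "*" matches any protocol. The router has two interfaces, so "from
# outside to the protected network" is modelled as src ANY, dst PROTECTED.
def packet(src, dst, dport, proto="tcp"):
    return {"src": src, "dst": dst, "dport": dport, "proto": proto}


def filter_packet(rules, pkt, default="deny"):
    """Return the action of the first matching rule (assumption: first match wins)."""
    for action, src, dst, proto, (lo, hi) in rules:
        if (matches(pkt["src"], src) and matches(pkt["dst"], dst)
                and proto in ("*", pkt["proto"]) and lo <= pkt["dport"] <= hi):
            return action
    return default


# Example 1: block every privileged port inbound; everything else passes,
# which is why outbound connections (replies to ports above 1023) still work.
BLOCK_ALL_PRIVILEGED = [
    ("deny", ANY, PROTECTED, "*", PRIVILEGED),
    ("permit", ANY, ANY, "*", ALL_PORTS),
]

# Example 2: keep outbound access, allow only inbound telnet, ftp and SMTP.
PERMIT_TELNET_FTP_SMTP = [
    ("permit", ANY, PROTECTED, "tcp", (23, 23)),   # telnet
    ("permit", ANY, PROTECTED, "tcp", (20, 21)),   # ftp data and control
    ("permit", ANY, PROTECTED, "tcp", (25, 25)),   # SMTP
    ("deny", ANY, PROTECTED, "*", PRIVILEGED),
    ("permit", ANY, ANY, "*", ALL_PORTS),
]

# Example 3: Example 2 plus the high-port services it left open.
DENY_X_AND_OPENWINDOWS = [
    ("deny", ANY, PROTECTED, "tcp", (6000, 6000 + MAX_X_DISPLAYS)),  # X Windows
    ("deny", ANY, PROTECTED, "tcp", (2000, 2000)),                   # OpenWindows
]
PERMIT_WITH_X_BLOCKED = DENY_X_AND_OPENWINDOWS + PERMIT_TELNET_FTP_SMTP

# Example 4: services permitted only to the designated hosts named in the text.
PER_HOST = [
    ("permit", ANY, "127.32.7.20/32", "tcp", (20, 21)),    # anonymous ftp server
    ("permit", ANY, "127.32.7.21/32", "tcp", (25, 25)),    # e-mail server
    ("permit", ANY, "127.32.7.22/32", "tcp", (119, 119)),  # news server
    ("deny", ANY, PROTECTED, "*", PRIVILEGED),
    ("permit", ANY, ANY, "*", ALL_PORTS),
]

if __name__ == "__main__":
    outside = "10.1.1.1"   # constructed outside address
    print(filter_packet(PERMIT_TELNET_FTP_SMTP, packet(outside, "127.32.7.20", 6000)))
    print(filter_packet(PERMIT_WITH_X_BLOCKED, packet(outside, "127.32.7.20", 6000)))
```

Running the two prints shows the gap the third example closes: the second rule set permits an inbound connection to X port 6000, the third denies it. Rule order matters under first-match evaluation, so the host-specific permits in the last set must precede the catch-all deny of privileged ports.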
For more detailed examples of packet filtering, refer to [SQ92].