IP Filter Flow

Diagram illustrating the flow of TCP/IP packets through the various stages introduced by IP Filter.

[Flow diagram: the ASCII drawing was garbled in extraction; only its stage labels are recoverable. Read top to bottom, the labelled stages are: IN -> Network Address Translation -> IP Accounting -> Fragment Cache Check -> Packet State Check -> Firewall Check (with rule groups) -> Function -> [Kernel TCP/IP Processing] -> IP Accounting -> Fragment Cache Check -> Packet State Check -> Firewall Check -> Network Address Translation -> OUT. Side branches drawn in the diagram: an "authenticated" path that bypasses the input check loop, arrows from the Fragment Cache Check and Packet State Check that rejoin the flow as a pass without going through the firewall rules, and a "fast-route" path.]

Network Address Translation (NAT):
Output packets going through NAT have their source IP address changed, if a mapping rule matches and there is space in the translation table, before being forwarded.
Input packets going through NAT have their destination IP address changed back to the original value, if the translation can be found in the table.
IP Accounting:
Input and output rules can be set up separately, recording the number of bytes that pass through. Each time a rule matches, the packet's byte count is added to that rule's total, so several matching rules accumulate cascading statistics.
Firewall check:
Input and output rules can be set up separately, determining whether or not a packet is allowed through IPFilter, into the kernel's TCP/IP routines or out onto the network.
IP Authentication:
Packets which are authenticated are passed through the firewall loop only once, to prevent double processing.
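The stage order above, as an added model written for this page (not IP Filter's own code): NAT runs first on input and last on output, accounting counts cascade across every matching rule, a NAT mapping is only applied when the table has space, and authenticated packets bypass the check loop. The rule predicates, the last-match-wins firewall semantics and the table size are assumptions of the model.

```python
from dataclasses import dataclass, replace

@dataclass
class Packet:
    src: str
    dst: str
    length: int
    authenticated: bool = False   # set by a (hypothetical) IP authentication step

class IPFilterFlow:
    """Stage order from the diagram: NAT first on input, last on output (constructed model)."""

    def __init__(self, nat_map, acct_rules, fw_rules, nat_table_size=2):
        self.nat_map = nat_map                 # private src -> public src, applied on output
        self.nat_table_size = nat_table_size   # "space in the table" limit
        self.nat_table = {}                    # public src -> private src, active mappings
        self.acct_rules = acct_rules           # [(name, predicate)]; byte counts cascade
        self.counts = {name: 0 for name, _ in acct_rules}
        self.fw_rules = fw_rules               # [(predicate, "pass"|"block")]

    def _account(self, pkt):
        # every matching accounting rule gets the packet's byte count (cascading statistics)
        for name, match in self.acct_rules:
            if match(pkt):
                self.counts[name] += pkt.length

    def _firewall(self, pkt):
        verdicts = [action for match, action in self.fw_rules if match(pkt)]
        return verdicts[-1] if verdicts else "pass"   # assumption: last match wins, default pass

    def output(self, pkt):
        """Kernel -> network: accounting, firewall check, then NAT rewrites the source."""
        self._account(pkt)
        if self._firewall(pkt) == "block":
            return "block", pkt
        public = self.nat_map.get(pkt.src)
        if public and (public in self.nat_table or len(self.nat_table) < self.nat_table_size):
            self.nat_table[public] = pkt.src
            pkt = replace(pkt, src=public)
        return "pass", pkt

    def input(self, pkt):
        """Network -> kernel: NAT restores the destination, then accounting and firewall."""
        if pkt.dst in self.nat_table:
            pkt = replace(pkt, dst=self.nat_table[pkt.dst])
        if pkt.authenticated:          # authenticated packets bypass the firewall loop
            return "pass", pkt
        self._account(pkt)
        return self._firewall(pkt), pkt
```

Because NAT precedes the firewall on input, inbound rules see the original (private) destination address, which is the order a rule writer has to keep in mind.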

Darren Reed

darrenr@pobox.com