LinuxDig.Com Linux Dictionary (Beta)
packet filter
1. In firewalls, packet filters are the technology most often used to control traffic. Every packet carries the following fields, and a filter can match on any of them:
    source IP address (example: 192.0.2.156)
    destination IP address
    transport type (example: TCP=6, UDP=17, ICMP=1)
    source port
    destination port (examples of well-known service ports: HTTP=80, DNS=53, FTP=21)
    flags (example: SYN)
This data is compared against "rules" within the firewall. A typical set of rules might be:
    BLOCK destination=192.0.2.x TCP flag=SYN
    ALLOW destination=192.0.2.123 TCP destport=80
    ALLOW destination=192.0.2.124 TCP destport=25
If our private network is 192.0.2.x, then the first rule above blocks all incoming TCP connection attempts (the SYN packet that opens a connection), though outbound connections would still be allowed. The two more specific rules take precedence over the first, allowing access to the web server on port 80 and to the e-mail server on port 25.
Key point: The basic stance of a company firewall is:
    block all UDP traffic except DNS
    block all incoming TCP connections but allow all outgoing ones
    allow incoming connections to the public HTTP, FTP, SMTP and DNS servers located in a "DMZ"
    block all ICMP traffic except the packets needed for path MTU discovery
This allows end-users most access to the Internet and allows the Internet to reach the public servers. It blocks everything else.
Contrast: The term "dynamic packet filter" was coined to contrast with the normal "static filter" rules in a firewall described above. Dynamic rules are needed because:
    Ports are a poor way of identifying protocols (and getting poorer).
    Whereas most communication uses only outbound connections, some protocols (like FTP) use multiple connections in both directions. In the case of FTP, the client creates an outbound connection to the server, then the server creates separate inbound connections to transfer files to the client. Static firewall rules would block this incoming connection; dynamic rules monitor the state of the control connection and temporarily change the static rules just to allow that connection.
An example of a dynamic rule that solves the FTP problem is: block all incoming connections, but if an inside user has established a connection to port 21 on a server, then allow an incoming TCP connection from port 20 on that server to a port higher than 1024 on the client. Another type of dynamic rule is one where the firewall does protocol analysis at layers higher than TCP. In contrast with the example above, the firewall might analyze the FTP control connection looking for the PORT command (the FTP command by which the client tells the server which port it has opened to receive a file on) and permit only the port it names. Check Point calls this protocol analysis "stateful packet inspection" in their firewall; other vendors do similar things under different names. From Hacking-Lexicon
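The static rule set, the stance list and the dynamic FTP rule above, worked through as an added example (this code is not from the Hacking-Lexicon entry or from any firewall product). It models a packet as the six fields the entry lists plus ICMP type/code, evaluates the three static rules so that the specific ALLOW rules take precedence over the blanket "BLOCK inbound SYN", and adds the entry's dynamic rule: once an inside client has opened a control connection to port 21, a SYN from that server's port 20 to a client port above 1024 is let through. The Packet records in TRACE, the addresses 198.51.100.9 and 203.0.113.5, and the reading of "UDP except DNS" as "either end on port 53" are constructed assumptions, not facts from the page.

```python
"""Toy packet filter implementing the rule set from the dictionary entry.
Constructed example: the packets in TRACE are made up, not captured traffic."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PRIVATE_NET = ip_network("192.0.2.0/24")      # the entry's "192.0.2.x"
WEB_SERVER, MAIL_SERVER = "192.0.2.123", "192.0.2.124"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "TCP", "UDP" or "ICMP"
    sport: int = 0
    dport: int = 0
    syn: bool = False    # TCP SYN without ACK: a new connection attempt
    icmp_type: int = -1
    icmp_code: int = -1


def static_verdict(pkt: Packet) -> str:
    """Static rules only. The specific ALLOW rules are tested before the
    blanket BLOCK, which is how the entry's 'override' wording is realised."""
    inbound = ip_address(pkt.dst) in PRIVATE_NET
    if pkt.proto == "TCP":
        if inbound and pkt.dst == WEB_SERVER and pkt.dport == 80:
            return "ALLOW"   # ALLOW destination=192.0.2.123 TCP destport=80
        if inbound and pkt.dst == MAIL_SERVER and pkt.dport == 25:
            return "ALLOW"   # ALLOW destination=192.0.2.124 TCP destport=25
        if inbound and pkt.syn:
            return "BLOCK"   # BLOCK destination=192.0.2.x TCP flag=SYN
        return "ALLOW"       # outbound connections, and packets of established ones
    if pkt.proto == "UDP":
        # "block all UDP except DNS": assumed to mean either end is port 53
        return "ALLOW" if 53 in (pkt.sport, pkt.dport) else "BLOCK"
    if pkt.proto == "ICMP":
        # "block all ICMP except path MTU discovery": IPv4 PMTUD relies on
        # type 3 code 4 (Destination Unreachable / Fragmentation Needed)
        return "ALLOW" if (pkt.icmp_type, pkt.icmp_code) == (3, 4) else "BLOCK"
    return "BLOCK"


class DynamicFilter:
    """Static rules plus the entry's dynamic FTP rule: remember which inside
    client opened a control connection to port 21 on which server, and let
    that server connect back from port 20 to a client port above 1024."""

    def __init__(self) -> None:
        self.ftp_sessions = set()    # (client, server) pairs seen on port 21

    def verdict(self, pkt: Packet) -> str:
        v = static_verdict(pkt)
        if (v == "BLOCK" and pkt.proto == "TCP" and pkt.sport == 20
                and pkt.dport > 1024 and (pkt.dst, pkt.src) in self.ftp_sessions):
            v = "ALLOW"   # temporary exception for the FTP data connection
        # Learn state from allowed outbound control connections.
        if (v == "ALLOW" and pkt.proto == "TCP" and pkt.syn and pkt.dport == 21
                and ip_address(pkt.src) in PRIVATE_NET):
            self.ftp_sessions.add((pkt.src, pkt.dst))
        return v


def run_trace(fw: DynamicFilter, packets):
    """Apply the filter to a packet sequence in order; state carries forward."""
    return [fw.verdict(p) for p in packets]


# Constructed trace: 198.51.100.9 is an outside FTP server, 203.0.113.5 an outsider.
TRACE = [
    Packet("203.0.113.5", "192.0.2.123", "TCP", 40000, 80, syn=True),   # web server: ALLOW
    Packet("203.0.113.5", "192.0.2.124", "TCP", 40001, 25, syn=True),   # mail server: ALLOW
    Packet("203.0.113.5", "192.0.2.50", "TCP", 40002, 22, syn=True),    # inbound ssh: BLOCK
    Packet("192.0.2.50", "198.51.100.9", "TCP", 50000, 21, syn=True),   # outbound FTP control: ALLOW
    Packet("198.51.100.9", "192.0.2.50", "TCP", 20, 50001, syn=True),   # FTP data back in: ALLOW (dynamic)
    Packet("203.0.113.5", "192.0.2.50", "TCP", 20, 50001, syn=True),    # port 20 but no session: BLOCK
    Packet("192.0.2.50", "198.51.100.9", "UDP", 50002, 53),             # DNS query: ALLOW
    Packet("203.0.113.5", "192.0.2.50", "UDP", 40003, 161),             # SNMP: BLOCK
    Packet("203.0.113.5", "192.0.2.50", "ICMP", icmp_type=3, icmp_code=4),  # frag needed: ALLOW
    Packet("203.0.113.5", "192.0.2.50", "ICMP", icmp_type=8, icmp_code=0),  # echo request: BLOCK
]

if __name__ == "__main__":
    for p, v in zip(TRACE, run_trace(DynamicFilter(), TRACE)):
        print(f"{v:5} {p.proto:4} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

Packet five is the one the static rules alone would drop (static_verdict returns BLOCK for it); only the session learned from packet four lets it through, and packet six shows that a host with no control session gains nothing by sending from port 20. The rule as the entry states it still opens every client port above 1024 to that one server for as long as the session is remembered, which is the width of hole that inspecting the PORT command, as the entry goes on to describe, narrows to the single port the client announced.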