Packet Filtering Example
To understand the concept of how a router uses packet filtering, imagine that a guard has been posted at a locked door. The guard's instructions are to allow only people whose names appear on a list to pass through the door. The guard is filtering people based on the criterion of having their names on the authorized list. An ACL works in a similar manner, making decisions based on set criteria.
For example, an ACL could be configured to implement the policy "Permit web access to users from network A but deny all other services to network A users. Deny HTTP access to users from network B, but permit network B users to have all other access." Refer to the figure to examine the decision path the packet filter uses to accomplish this task.
For this scenario, the packet filter looks at each packet as follows:
- If the packet is a TCP SYN from Network A using Port 80, it is allowed to pass. All other access is denied to those users.
- If the packet is a TCP SYN from Network B using Port 80, it is blocked. However, all other access is permitted.
This is just a simple example. Multiple rules can be configured to further permit or deny services to specific users.
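The decision path above, modelled as an ordered rule list with first-match semantics and an implicit deny at the end, the way a router ACL is evaluated. This is an added illustration, not router code; the address ranges for Network A and Network B and the packet fields are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed address plan: stand-ins for "Network A" and "Network B".
NET_A = ip_network("10.1.0.0/24")
NET_B = ip_network("10.2.0.0/24")

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None  # destination port (TCP/UDP only)
    syn: bool = False            # TCP SYN flag set, i.e. a connection attempt

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    src: IPv4Network             # source network the rule applies to
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port
    syn_only: bool = False       # match only TCP SYN (session-initiating) packets

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in self.src:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.syn_only and not pkt.syn:
            return False
        return True

# The policy from the text, in order. As on a router, the first matching
# rule decides the packet's fate, so the order of entries is part of the policy.
ACL: List[Rule] = [
    Rule("permit", NET_A, "tcp", 80, syn_only=True),  # web access for Network A
    Rule("deny",   NET_A),                             # ...and nothing else from A
    Rule("deny",   NET_B, "tcp", 80, syn_only=True),  # no web access for Network B
    Rule("permit", NET_B),                             # ...but all other access for B
]

def filter_packet(pkt: Packet, acl: List[Rule] = ACL) -> str:
    """Return 'permit' or 'deny' for one packet using first-match evaluation."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"  # implicit deny: traffic no rule mentions is dropped
```

Swapping the two Network A entries silently turns the web permit into a deny, which is why ACL entries are reviewed in order and not as an unordered set.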