Firewall apparatus and method of controlling network data packet traffic between internal and external networks
First Claim
1. A firewall (3), controlling network data packet traffic between internal and external networks (1,5,4), comprising filtering means, in dependence of the contents in data fields of a data packet being transmitted between said networks, selecting from a total set of rules a rule applicable to the data packet, whereby said packet is blocked or forwarded through the firewall (3), characterized by 2-dimensional address lookup means (8) performing a 2-dimensional lookup of the source and destination addresses of the packet in a set of address prefixes, each prefix having a subset of rules of the total set of rules, in order to find a prefix associated with said source and destination addresses, and rule matching means (10), performing — based on the contents of said data fields — a rule matching in order to find the rule applicable to the data packet.
Abstract
A firewall (3), controlling network data packet traffic between internal and external networks (1,5,4), comprising filtering means, in dependence of the contents in data fields of a data packet being transmitted between said networks, selecting from a total set of rules a rule applicable to the data packet, whereby said packet is blocked or forwarded through the firewall (3). A 2-dimensional address lookup means (8) performs a 2-dimensional lookup of the source and destination addresses of the packet in a set of address prefixes, each prefix having a subset of rules of the total set of rules, in order to find a prefix associated with said source and destination addresses, and rule matching means (10), performs—based on the contents of said data fields—a rule matching in order to find the rule applicable to the data packet.
14 Claims
1. A firewall (3), controlling network data packet traffic between internal and external networks (1,5,4), comprising filtering means, in dependence of the contents in data fields of a data packet being transmitted between said networks, selecting from a total set of rules a rule applicable to the data packet, whereby said packet is blocked or forwarded through the firewall (3), characterized by 2-dimensional address lookup means (8) performing a 2-dimensional lookup of the source and destination addresses of the packet in a set of address prefixes, each prefix having a subset of rules of the total set of rules, in order to find a prefix associated with said source and destination addresses, and rule matching means (10), performing — based on the contents of said data fields — a rule matching in order to find the rule applicable to the data packet. (Dependent claims: 2, 3, 4, 5)
6. A firewall (3), controlling network data packet traffic between internal and external networks (1,5,4), comprising filtering means, in dependence of the contents in data fields of a data packet being transmitted between said networks, selecting from a total set of rules a rule applicable to the data packet, whereby said packet is blocked or forwarded through the firewall (3), characterized by a fragmenting machine (11) fragmenting data packets being too large to be handled and comprising fragment collecting means collecting packet fragments from a fragmented packet until a fragment header of said packet is received, fragment header storing means storing in an entry means information present in a fragment header field of the packet, fragment forwarding means forwarding packet fragments provided with fragment header information starting with the fragment header, wherein each fragment is processed by the filtering means as a regular unfragmented packet.
7. A method of controlling network data packet traffic between internal (1,5) and external networks (4) through a firewall (3), comprising the steps of, in dependence of the contents in the data fields of a data packet being transmitted between said networks, selecting from a total set of rules a rule applicable to the data packet, applying said rule on said packet, and depending on the rule blocking or forwarding said packet through the firewall (3), characterized in that said filtering comprises the further steps of: performing a 2-dimensional lookup of the source and destination addresses of the packet in order to find a prefix associated with said source and destination addresses in a set of address prefixes, each prefix having a subset of rules of the total set of rules, and based on the contents of said data fields of the packet, performing a rule matching on the subset of rules in order to find the rule applicable to the data packet. (Dependent claims: 8, 9, 10, 11, 12, 13)
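The two-stage filtering of claims 1 and 7, as an added example written for this page and not taken from the patent: a rule table keyed by (source prefix, destination prefix) pairs, a 2-dimensional lookup that returns the rule subsets of every pair covering both addresses, most specific first, and a rule match on the remaining fields. The rule table, the protocol/port fields and the specificity ordering are assumptions of this example.

```python
from ipaddress import ip_address, ip_network

# Constructed rule table (an assumption for this example, not the patent's).
# Rules sharing a (source prefix, destination prefix) pair form that pair's
# rule subset, mirroring "each prefix having a subset of rules".
RULES = [
    {"id": 1, "src": "10.0.0.0/8", "dst": "192.168.1.0/24", "proto": "tcp", "dport": 80, "action": "forward"},
    {"id": 2, "src": "10.0.0.0/8", "dst": "192.168.1.0/24", "proto": "tcp", "dport": 22, "action": "block"},
    {"id": 3, "src": "0.0.0.0/0", "dst": "192.168.0.0/16", "proto": "udp", "dport": 53, "action": "forward"},
    {"id": 4, "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "proto": None, "dport": None, "action": "block"},
]

# Address lookup table: (src_prefix, dst_prefix) -> rule subset, built once.
PREFIX_TABLE = {}
for _rule in RULES:
    _pair = (ip_network(_rule["src"]), ip_network(_rule["dst"]))
    PREFIX_TABLE.setdefault(_pair, []).append(_rule)


def lookup_2d(src, dst):
    """2-dimensional address lookup: the rule subsets of every prefix pair
    covering both addresses, most specific pair first."""
    src, dst = ip_address(src), ip_address(dst)
    pairs = [p for p in PREFIX_TABLE if src in p[0] and dst in p[1]]
    # Specificity = matched prefix bits over both dimensions; ties go to the
    # longer source prefix. Less specific pairs stay in the list as fall-backs.
    pairs.sort(key=lambda p: (p[0].prefixlen + p[1].prefixlen, p[0].prefixlen), reverse=True)
    return [rule for pair in pairs for rule in PREFIX_TABLE[pair]]


def match_rule(packet, subset):
    """Rule matching on the remaining data fields (protocol, destination
    port); None in a rule field is a wildcard, first match wins."""
    for rule in subset:
        if rule["proto"] not in (None, packet["proto"]):
            continue
        if rule["dport"] not in (None, packet["dport"]):
            continue
        return rule
    return None


def filter_packet(packet):
    """Claim 7's method: narrow by prefix lookup, then match; a packet that
    no rule covers is blocked rather than forwarded."""
    rule = match_rule(packet, lookup_2d(packet["src"], packet["dst"]))
    return rule["action"] if rule else "block"
```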
14. A method of controlling network data packet traffic between internal and external networks (1,5,4) through a firewall (3), comprising the steps of, in dependence of the contents in the data fields of a data packet being transmitted between said networks, selecting from a total set of rules a rule applicable to the data packet, applying said rule on said packet, and depending on the rule blocking or forwarding said packet through the firewall (3), characterized in that preceding the step of selecting a rule applicable to the data packet it comprises the further steps of: collecting packet fragments from a fragmented packet until a fragment header of said packet is received, storing in an entry means information present in a fragment header field of the packet, and forwarding packet fragments provided with fragment header information starting with the fragment header, wherein each fragment is processed by the filtering means as a regular unfragmented packet.
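The fragment handling of claims 6 and 14, as an added example written for this page and not taken from the patent: fragments are held until the fragment carrying the transport header (offset 0) arrives, that header is stored in an entry keyed by (source, destination, identifier), and each fragment is then presented to the filter as a regular unfragmented packet, header fragment first. The fragment field names, the stand-in filter and the per-datagram cap on header-less fragments are assumptions of this example.

```python
MAX_PENDING = 64  # cap on header-less fragments held per datagram (assumption, not from the patent)


def demo_filter(packet):
    """Constructed stand-in for the filtering means: forwards TCP/80 only."""
    return "forward" if (packet["proto"], packet["dport"]) == ("tcp", 80) else "block"


class FragmentMachine:
    """Fragmenting machine of claims 6 and 14: fragments are collected until
    the fragment carrying the transport header (offset 0) arrives, that
    header is stored in an entry keyed by (src, dst, ident), and every
    fragment is then handed to the filter as a regular unfragmented packet."""

    def __init__(self, filter_fn):
        self.filter_fn = filter_fn  # rule matching for whole packets
        self.pending = {}           # fragment collecting means
        self.entries = {}           # fragment header storing means

    @staticmethod
    def _key(frag):
        return (frag["src"], frag["dst"], frag["ident"])

    def _as_packet(self, frag, header):
        # Present the fragment as a whole packet: stored header fields plus
        # the fragment's own position and payload.
        return {"src": frag["src"], "dst": frag["dst"], **header,
                "offset": frag["offset"], "payload": frag["payload"]}

    def receive(self, frag):
        """Fragment forwarding means: returns [(fragment, verdict), ...] for
        the fragments released by this arrival, header fragment first."""
        key = self._key(frag)
        if frag["offset"] == 0:
            self.entries[key] = {"proto": frag["proto"], "dport": frag["dport"]}
            queue = [frag] + self.pending.pop(key, [])
        elif key in self.entries:
            queue = [frag]  # header already known: process immediately
        else:
            held = self.pending.setdefault(key, [])
            if len(held) >= MAX_PENDING:
                return [(frag, "block")]  # bound memory spent on header-less fragments
            held.append(frag)
            return []  # wait for the header fragment
        header = self.entries[key]
        return [(f, self.filter_fn(self._as_packet(f, header))) for f in queue]
```

Entries are never evicted here; a deployable version needs a timeout so that datagrams whose header fragment never arrives do not accumulate.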