What is Packet Filtering?
Packet filtering is a process that network devices use to decide whether a data packet should be dropped or forwarded to its next destination. Firewalls, routers, and a wide variety of other network devices use packet filtering to enforce security policies and optimize network performance.
Packet filtering may also be referred to as static filtering because it compares metadata in a packet’s header with static rules that are arranged in a specific order. This type of filtering is easy to implement and is often used in conjunction with other processes that can understand the context or examine the actual content of packets, not just the headers.
Key Takeaways
- Packet filtering is a basic component of network management.
- It examines a packet’s header to decide whether the entire packet should be forwarded to its next destination or dropped.
- The process works by comparing the metadata in a header with a set of predefined rules that are arranged in a specific order.
- Network administrators can change the rules and the order of the rules to control packet throughput more granularly.
- Packet filtering is often combined with other processes that can understand a packet’s payload and its context during the session.
How Packet Filtering Works
When a packet arrives at a network device that uses packet filtering, the device’s software inspects the packet’s header.
Figure: the basic structure of an IPv4 header as defined in RFC 791.
If the information in the header matches a predetermined rule that allows packet transmission, the entire packet is forwarded to its next destination. If the header contains information that matches a discard rule, however, the entire packet is dropped.
If the packet header does not match any rule, the network device may either drop the packet or allow it, depending on the default policy set by the device’s manufacturer or a network administrator.
Packet Filtering Rules
The specific order and content of packet filtering rules are highly customizable and depend on the organization’s security policies, network architecture, and risk tolerance. The idea is to prioritize rules that ensure essential services can function while effectively blocking known threats.
In most cases, packet filtering operates on a “first-match” basis. This means the network device checks the packet against rules that are listed in a specific order. Once a rule is matched, that action is taken and no further rules are checked.
Depending on how the rules are written, however, multiple conditions may need to be met for the network device to forward a packet. For example, if a rule specifies that traffic from a particular IP address is only allowed if it uses a specific protocol, both conditions must be met.
Stateless Packet Filtering Firewalls vs. Stateful Firewalls
Technically, firewalls that use packet filtering can be stateless or stateful.
Most early firewalls were stateless. They examined each packet header independently and were not able to understand how one packet related to another. This approach to network security worked well until attackers developed techniques that could exploit the lack of context, like IP spoofing and session hijacking.
Today, most firewalls are stateful. They still examine packet headers, but they can also understand the context by keeping track of network connections going through the firewall.
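The header inspection, ordered first-match rules, multi-condition rules and default policy described under "How Packet Filtering Works" and "Packet Filtering Rules", together with the stateless-versus-stateful distinction above, can all be shown in one small filter. The following Python is an added illustration written for this page, not code from any real firewall product; the rule set, the IP addresses (documentation ranges) and the sample packets are constructed here for the demonstration. It parses the IPv4 header fields a filter actually reads, evaluates ordered rules where every set condition must hold, falls back to a default policy, and then wraps the same rules in a connection table so that a stray TCP ACK with no known connection is refused even though the stateless rules alone would pass it.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

# Values of the IPv4 "Protocol" header field (RFC 791 / IANA assignments).
ICMP, TCP, UDP = 1, 6, 17


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int
    src_port: Optional[int]
    dst_port: Optional[int]
    syn: bool  # TCP SYN without ACK, i.e. a new connection attempt


def parse_ipv4(raw: bytes) -> Packet:
    """Read only what a packet filter needs: addresses and protocol from the
    IPv4 header, and ports/flags from the TCP or UDP header that follows."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    if raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4          # header length in bytes
    proto = raw[9]
    src = ipaddress.IPv4Address(raw[12:16])
    dst = ipaddress.IPv4Address(raw[16:20])
    sport = dport = None
    syn = False
    if proto in (TCP, UDP) and len(raw) >= ihl + 4:
        sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
        if proto == TCP and len(raw) >= ihl + 14:
            flags = raw[ihl + 13]
            syn = bool(flags & 0x02) and not (flags & 0x10)
    return Packet(src, dst, proto, sport, dport, syn)


@dataclass(frozen=True)
class Rule:
    action: str                                   # "allow" or "deny"
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    proto: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        # Every condition that is set must hold; unset conditions match anything.
        return ((self.src is None or p.src in self.src)
                and (self.dst is None or p.dst in self.dst)
                and (self.proto is None or p.proto == self.proto)
                and (self.dst_port is None or p.dst_port == self.dst_port))


def stateless_filter(p: Packet, rules: List[Rule], default: str = "deny") -> str:
    """First-match evaluation: the first rule whose conditions all hold decides;
    if nothing matches, the default policy applies."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


class StatefulFilter:
    """Same rules, but only new connections are judged by them; later packets of
    an accepted connection (in either direction) are allowed from the table."""

    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules, self.default = rules, default
        self.conns = set()   # (src, sport, dst, dport, proto) of accepted flows

    def decide(self, p: Packet) -> str:
        key = (p.src, p.src_port, p.dst, p.dst_port, p.proto)
        reply = (p.dst, p.dst_port, p.src, p.src_port, p.proto)
        if key in self.conns or reply in self.conns:
            return "allow"                     # belongs to a tracked connection
        if p.proto == TCP and not p.syn:
            return "deny"                      # mid-stream TCP with no connection
        verdict = stateless_filter(p, self.rules, self.default)
        if verdict == "allow" and p.proto in (TCP, UDP):
            self.conns.add(key)
        return verdict


# Constructed rule set (hypothetical network): block a known-bad range first, let only
# the internal 10/8 subnet reach SSH on the server (remote-access use case), allow HTTPS
# to the server from anywhere, allow ICMP, and deny everything else by default.
SERVER = ipaddress.IPv4Network("192.0.2.10/32")
RULES = [
    Rule("deny", src=ipaddress.IPv4Network("203.0.113.0/24")),
    Rule("allow", src=ipaddress.IPv4Network("10.0.0.0/8"), dst=SERVER, proto=TCP, dst_port=22),
    Rule("allow", dst=SERVER, proto=TCP, dst_port=443),
    Rule("allow", proto=ICMP),
]


def build_packet(src: str, dst: str, proto: int, sport: int, dport: int, flags: int = 0x02) -> bytes:
    """Constructed sample packet: 20-byte IPv4 header plus a minimal TCP or UDP header."""
    total = 20 + (20 if proto == TCP else 8)
    pkt = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    if proto == TCP:
        pkt += struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    else:
        pkt += struct.pack("!HHHH", sport, dport, 8, 0)
    return pkt


def demo() -> dict:
    fw = StatefulFilter(RULES)
    out = {}
    out["web"] = fw.decide(parse_ipv4(build_packet("198.51.100.7", "192.0.2.10", TCP, 40000, 443)))
    out["web_reply"] = fw.decide(parse_ipv4(build_packet("192.0.2.10", "198.51.100.7", TCP, 443, 40000, flags=0x12)))
    out["ssh_external"] = fw.decide(parse_ipv4(build_packet("198.51.100.7", "192.0.2.10", TCP, 40001, 22)))
    out["ssh_internal"] = fw.decide(parse_ipv4(build_packet("10.1.2.3", "192.0.2.10", TCP, 40002, 22)))
    out["blocked_range"] = fw.decide(parse_ipv4(build_packet("203.0.113.5", "192.0.2.10", TCP, 40003, 443)))
    stray_ack = parse_ipv4(build_packet("198.51.100.9", "192.0.2.10", TCP, 40004, 443, flags=0x10))
    out["stray_ack_stateless"] = stateless_filter(stray_ack, RULES)   # header alone looks fine
    out["stray_ack_stateful"] = fw.decide(stray_ack)                   # no connection: refused
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

Two points are worth noting in the output. The packet from 203.0.113.5 to port 443 is dropped even though the HTTPS rule would allow it, because the deny rule sits earlier in the list and first match wins; reordering those two rules would reverse the verdict, which is why rule order is a security decision. The ACK-only packet to port 443 is allowed by the stateless check, since its header satisfies the HTTPS rule, but refused by the stateful filter, which has no record of a connection it could belong to.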
Types of Packet Filtering Firewalls
Newer types of firewalls often incorporate packet filtering as one element within a broader, multi-layered security approach.
Firewalls vs. Proxy Servers vs. VPNs
Firewalls, proxy servers, and virtual private networks (VPNs) all use packet filtering, but because each type of network device serves a different function, they all use it in slightly different ways.
For example, proxy servers can use packet filtering to identify frequently accessed content and cache it to improve network performance, while VPNs can use packet filtering to implement split tunneling. Split tunneling can improve network performance by routing specific types of traffic through the VPN tunnel and forwarding other types of traffic directly to the Internet.
Other Use Cases for Packet Filtering
Packet filtering can also play an important role in network segmentation. When administrators divide a large network into segments or network zones, basic packet filtering software can be used to prevent certain types of traffic from crossing segments.
Packet filtering can also be used in remote access control. For example, organizations can set up a packet filtering firewall with rules that only allow certain IP addresses or subnet ranges to access certain internal services.
In each of these use cases, packet filtering provides a straightforward, efficient way to enforce security and traffic management policies while keeping the network infrastructure relatively simple.
Packet Filtering Pros and Cons
Packet filtering is a valuable tool for basic network security and traffic management. However, it’s important to be aware of its limitations.
Pros
- Relatively easy concept to understand
- Can be implemented with relatively inexpensive hardware and/or software
- Allows manual adjustment of packet filtering rules
Cons
- Only examines packet headers
- Challenging to manage rules effectively in dynamic environments
- Vulnerable to cyberattacks that spoof IP addresses or exploit connection states
The Bottom Line
The bottom line is that while packet filtering is most often associated with firewalls, a wide variety of network devices use packet headers to allow or deny packet throughput.
FAQs
What is packet filtering in simple terms?
What is an example of a packet filtering rule?
What is the difference between a firewall and a packet filter?
What are the benefits of packet filtering?