First page Back Continue Last page Summary Graphics

Allowing Incoming Packets from only Specific Remote Source Addresses


You might want to accept certain kinds of incoming packets from only specific external sites or individuals. In these cases, the firewall rules will define either specific IP addresses or a limited range of IP source addresses these packets will be accepted from.

The first class of incoming packets is from remote servers responding to your requests. While some services, such as Web or FTP services, can be expected to be coming from anywhere, other services will legitimately be coming from only your ISP or specially chosen trusted hosts. Examples of servers which are probably only offered through your ISP are POP mail service, DHCP dynamic IP address assignment, and possibly Domain Name Service (DNS) name server responses.
The second class of incoming packets is from remote clients accessing services offered from your site. Again, while some incoming service connections, such as connections to your Web server, can be expected to be coming from anywhere, other local services will be offered to only a few trusted remote users or friends. Examples of restricted local services might be telnet, ssh and finger.

At the packet level, the only means of identifying the IP packet's sender is the source address in the packet header. This fact opens the door to source address spoofing, where the sender places an incorrect address, rather than his own address, in the source field.