5.3.9 Packet Filtering and Access Lists

Source: RFC 1812, section 5.3 Specific Issues (5. Internet Layer - Forwarding), as reproduced in Connected: An Internet Encyclopedia.
Prev: 5.3.8 Source Address Validation
Next: 5.3.10 Multicast Routing

As a means of providing security and/or limiting traffic through portions of a network, a router SHOULD provide the ability to selectively forward (or filter) packets. If this capability is provided, filtering of packets SHOULD be configurable either to forward all packets or to selectively forward them based upon the source and destination prefixes, and MAY filter on other message attributes. Each source and destination address SHOULD allow specification of an arbitrary prefix length.

DISCUSSION

This feature can provide a measure of privacy, where systems outside a boundary are not permitted to exchange certain protocols with systems inside the boundary, or are limited as to which systems they may communicate with. It can also help prevent certain classes of security breach, wherein a system outside a boundary masquerades as a system inside the boundary and mimics a session with it.

If supported, a router SHOULD be configurable to allow one of an

  • Include list - specification of a list of message definitions to be forwarded, or an
  • Exclude list - specification of a list of message definitions NOT to be forwarded.

A "message definition", in this context, specifies the source and destination network prefix, and may include other identifying information such as IP Protocol Type or TCP port number.

A router MAY provide a configuration switch that allows a choice between specifying an include or an exclude list, or other equivalent controls.

A value matching any address (e.g., a keyword any, an address with a mask of all 0's, or a network prefix whose length is zero) MUST be allowed as a source and/or destination address.

In addition to address pairs, the router MAY allow any combination of transport and/or application protocol and source and destination ports to be specified.

The router MUST allow packets to be silently discarded (i.e., discarded without an ICMP error message being sent).

The router SHOULD allow an appropriate ICMP unreachable message to be sent when a packet is discarded. The ICMP message SHOULD specify Communication Administratively Prohibited (code 13) as the reason for the destination being unreachable.

The router SHOULD allow the sending of ICMP destination unreachable messages (code 13) to be configured for each combination of address pairs, protocol types, and ports it allows to be specified.

The router SHOULD count and SHOULD allow selective logging of packets not forwarded.
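The following is an added illustration, not part of RFC 1812 or the encyclopedia page, of the behaviour the section requires: an access list of "message definitions" (source/destination prefix of arbitrary length, optional protocol and port, with a zero-length prefix meaning "any") evaluated in include or exclude mode, where a non-forwarded packet is either silently discarded or answered with ICMP Destination Unreachable, Communication Administratively Prohibited (type 3, code 13), and every discard is counted and logged. The `Rule`/`AccessList` names, the packet dictionary layout and the addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    """One message definition (RFC 1812 5.3.9): prefixes plus optional protocol/port."""
    src: str = "0.0.0.0/0"          # prefix length 0 matches any source address
    dst: str = "0.0.0.0/0"          # prefix length 0 matches any destination address
    proto: Optional[str] = None     # e.g. "tcp", "udp", "icmp"; None = any protocol
    dport: Optional[int] = None     # destination port; None = any port
    reject: bool = False            # True: send ICMP type 3 code 13; False: silent discard

    def matches(self, pkt: dict) -> bool:
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt.get("dport")))

class AccessList:
    """Include list: forward only what matches. Exclude list: forward all but matches."""
    def __init__(self, rules, mode="exclude", default_reject=False):
        assert mode in ("include", "exclude")
        self.rules, self.mode = list(rules), mode
        self.default_reject = default_reject   # ICMP behaviour when no rule was hit
        self.not_forwarded = 0                 # SHOULD count packets not forwarded
        self.log = []                          # SHOULD allow logging of them

    def decide(self, pkt: dict) -> str:
        hit = next((r for r in self.rules if r.matches(pkt)), None)
        forward = (hit is not None) if self.mode == "include" else (hit is None)
        if forward:
            return "forward"
        self.not_forwarded += 1
        self.log.append(f"denied {pkt['proto']} {pkt['src']}->{pkt['dst']}:{pkt.get('dport')}")
        reject = hit.reject if hit is not None else self.default_reject
        return "icmp-unreachable type=3 code=13" if reject else "drop"

# Constructed sample: block inbound telnet to one subnet (with ICMP feedback),
# silently drop everything from a /30, and forward the rest.
EXCLUDE_ACL = AccessList([
    Rule(dst="198.51.100.0/24", proto="tcp", dport=23, reject=True),
    Rule(src="203.0.113.4/30"),
], mode="exclude")
```

A packet is tested against the rules in order; with an include list, the same `Rule` objects instead enumerate what may pass, and anything unmatched is discarded with the list's default ICMP behaviour.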

All pages ©1999, 2000, 2001, 2002, 2003 Church of the Swimming Elephant unless otherwise stated