Traditional packet filters Analyzes each datagram going through it; makes drop decision based on source IP address tcP or udP or ICMP destination IP address a Firewalls often configured to block all UDP source port destination port direction a Is the datagram leaving or TCP flag bits entering the internal D syn bit set: datagram for network? connection initiation router interface ACK bit set: part of o decisions can be different established connection for different interfacesTraditional packet filters ◼ source IP address ◼ destination IP address ◼ source port ◼ destination port ◼ TCP flag bits ❑ SYN bit set: datagram for connection initiation ❑ ACK bit set: part of established connection ◼ TCP or UDP or ICMP ❑ Firewalls often configured to block all UDP ◼ direction ❑ Is the datagram leaving or entering the internal network? ◼ router interface ❑ decisions can be different for different interfaces 7 Analyzes each datagram going through it; makes drop decision based on: