Diagram illustrating the flow of TCP/IP packets through the various stages introduced by IP Filter.
                               IN
                               |
                               V
   +---------------------------+---------------------------+
   |                           |                           |
   |                           V                           |
   |              Network Address Translation              |
   |                           |                           |
   |             authenticated |                           |
   |           +-------<-------+                           |
   |           |               |                           |
   |           |               V                           |
   |           V         IP Accounting                     |
   |           |               |                           |
   |           |               V                           |
   |           |     Fragment Cache Check--+               |
   |           |               |           |               |
   |           V               V           V               |
   |           |      Packet State Check-->+               |
   |           |               |           |               |
   |           | +->--+        |           |               |
   |           | |    |        V           |               |
   |           V groups Firewall check     V               |
   |           | |    |        |           |               |
   |           | +--<-+        |           |               |
   |           |               |           |               |
   |           +-------------->|<----------+               |
   |                           |                           |
   |                           V                           |
   |                       +---<----+                      |
   |                       |        |                      |
   |                    function    |                      |
   |                       |        V                      |
   |                       +--->----+                      |
   |                           |                           |
   |                           V                           |
+--|---<--- fast-route ---<----+                           |
|  |                           |                           |
|  |                           V                           |
|  +---------------------------+---------------------------+
|                              |
|                          pass only
|                              |
|                              V
V                 [KERNEL TCP/IP Processing]
|                              |
|  +---------------------------+---------------------------+
|  |                           |                           |
|  |                           V                           |
|  |                 Fragment Cache Check--+               |
|  |                           |           |               |
|  |                           V           V               |
|  |                  Packet State Check-->+               |
|  |                           |           |               |
|  |                           V           |               |
V  |                    Firewall Check     |               |
|  |                           |           V               |
|  |                           |<----------+               |
|  |                           V                           |
|  |                     IP Accounting                     |
|  |                           |                           |
|  |                           V                           |
|  |              Network Address Translation              |
|  |                           |                           |
|  |                           V                           |
|  +---------------------------+---------------------------+
|                              |
|                          pass only
V                              |
+----------------------------->|
                               V
                              OUT
Output packets going through the NAT will have their source IP address
changed, if a mapping rule and space in the table exist, prior to being
forwarded.

Input packets going through the NAT will have their destination IP address
changed back to the original value, if the packet can be found in the table.

Input and output accounting rules can be set up separately, recording the
number of bytes that pass through. Each time a rule matches, the byte count
of the packet is added to that rule (allowing cascading statistics to be
collected).

Input and output firewall rules can be set up separately, determining whether
or not a packet will be allowed through IPFilter, into the kernel's TCP/IP
routines or out onto the network.

Packets which are authenticated are only passed through the firewall loops
once, to prevent double-processing.
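As an added illustration (not part of the original document), the ordering above decides which addresses filter rules must name: an inbound packet reaches the firewall check after NAT has rewritten its destination, while an outbound packet reaches the firewall check before NAT rewrites its source. The interface name ext0 and every address below are assumed, constructed values.

```conf
# --- ipnat.conf (constructed example; ext0 is an assumed interface name) ---
# Outbound: firewall check runs BEFORE NAT, so the filter still sees the
# internal 192.168.0.0/24 source; NAT then rewrites it to 203.0.113.1.
map ext0 192.168.0.0/24 -> 203.0.113.1/32 portmap tcp/udp 10000:20000
map ext0 192.168.0.0/24 -> 203.0.113.1/32
# Inbound: NAT runs BEFORE the firewall check, so by the time the filter
# sees a packet for port 80 its destination is already 192.168.0.10.
rdr ext0 203.0.113.1/32 port 80 -> 192.168.0.10 port 80 tcp

# --- ipf.conf (constructed example) ---
# Default deny in both directions; later "quick" rules pre-empt these.
block in all
block out all
# Inbound rule names the post-NAT (internal) destination, not 203.0.113.1.
# "keep state" lets replies match in the Packet State Check and skip the
# firewall rule walk entirely.
pass in quick on ext0 proto tcp from any to 192.168.0.10 port = 80 flags S keep state
# Outbound rule names the pre-NAT (internal) source; the external address
# is applied only after this check passes and the packet reaches NAT.
pass out quick on ext0 proto tcp from 192.168.0.0/24 to any flags S keep state
```

A rule written against the external address in the "wrong" direction (for example `pass in ... to 203.0.113.1 port = 80`) never matches, because the destination has already been rewritten by the time the inbound firewall check runs.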
Darren Reed