Types of Filtering

Filtering is the primary function of a firewall, and most devices support several forms of it. Most of the other benefits and capabilities of a firewall are delivered through its filtering services. The terms for the type of filtering and the type of firewall are also often used interchangeably: a firewall that supports packet filtering, for example, is called a packet-filtering firewall.

Static Packet Filtering

The most common form of filtering is static packet filtering, which uses a static, or fixed, set of rules to filter network traffic. The rules can match on source or destination IP address, source or destination port number, the IP header protocol field, ICMP type, fragmentation flags, and IP options. Static packet filtering examines header contents only; it does not inspect the payload of packets or segments. It therefore operates mainly at the Network Layer (Layer 3), although it can also match on Transport Layer (Layer 4) header fields.

Static packet filtering is fast. Traffic matching a deny rule is dropped, while traffic matching an allow rule continues toward its destination. Static packet filters are transparent to hosts and users unless traffic is blocked; only then do users notice the firewall acting on their communications.

Static packet filtering requires the firewall administrator to define and tune the rule set. Most firewall rule sets, including static packet-filtering rule sets, are evaluated in order and the first matching rule wins. Static packet filtering becomes problematic when rule sets grow too large. If rules are in the wrong order, or in no deliberate order at all, a broad allow rule that precedes a narrower deny rule creates a loophole, and a broad deny rule that precedes a narrower allow rule unintentionally discards authorized traffic.

The complexities of network communications, such as accepting the responses to outbound queries or handling protocols that shift to a new port partway through a session (FTP's data connection, for example), are difficult to manage with static packet filtering. Fragmentation is another problem: only the first fragment of a fragmented packet carries the Transport Layer header, so a rule that matches on port numbers can drop the lead fragment yet let the remaining fragments through. The destination system then holds the arriving fragments in its reassembly buffer, waiting for a lead fragment that never arrives, which can be exploited as a DoS.

Additionally, static packet filters analyze each packet on its own, without regard to its relationship to earlier or later packets in the communication stream. This allows complex multipacket attacks to bypass the firewall whenever no individual packet, taken by itself, is recognizable as malicious.

Static packet filtering should still be used as a first line of defense in spite of its shortcomings. By using static packet filtering as the first layer of defense, subsequent layers of filtering will have less bulk to address and thus can operate more efficiently. Proper placement and configuration aid in successful packet filtering.
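The two failure modes just described, first-match rule ordering and the fragment leak, are easiest to see in code. The following is an added example and not part of the original text: a toy first-match static packet filter written for this page. The packet and rule models, the server address and the rule set are all constructed for the demonstration; the `drop_nonfirst_fragments` option is the usual mitigation (refuse any fragment that lacks a Layer 4 header) rather than a feature the text names.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed packet model: only the header fields a static filter can see.
# sport/dport are None when the Layer 4 header is absent, which is the case
# for every fragment except the first one.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    frag_offset: int = 0          # > 0 means "not the first fragment"

@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: Optional[str] = None   # None matches any protocol
    src: Optional[str] = None     # CIDR; None matches any address
    dst: Optional[str] = None
    dport: Optional[int] = None   # None matches any port

def _in_net(cidr: Optional[str], addr: str) -> bool:
    return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if not _in_net(rule.src, pkt.src) or not _in_net(rule.dst, pkt.dst):
        return False
    # A port condition can only match when the packet actually carries a
    # Layer 4 header; a non-first fragment never does, so it cannot match.
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    return True

def filter_packet(rules: List[Rule], pkt: Packet, default: str = "deny",
                  drop_nonfirst_fragments: bool = False) -> str:
    """First-match evaluation: the first rule that matches decides, otherwise
    the default stance applies.  drop_nonfirst_fragments is the usual fix for
    the fragment leak: fragments without a Layer 4 header are refused outright."""
    if drop_nonfirst_fragments and pkt.frag_offset > 0:
        return "deny"
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default

# Constructed scenario: block telnet to a server but allow its other TCP services.
SERVER = "10.0.0.5"
ORDERED = [Rule("deny", "tcp", dst=SERVER, dport=23),
           Rule("allow", "tcp", dst=SERVER)]
MISORDERED = list(reversed(ORDERED))          # the broad allow now comes first

# The first fragment carries the TCP header (port 23); the rest carry none.
FIRST_FRAG = Packet("203.0.113.9", SERVER, "tcp", 40000, 23, frag_offset=0)
LATER_FRAG = Packet("203.0.113.9", SERVER, "tcp", None, None, frag_offset=185)

def demo() -> dict:
    return {
        "ordered_first":       filter_packet(ORDERED, FIRST_FRAG),      # deny
        "ordered_later":       filter_packet(ORDERED, LATER_FRAG),      # allow: the leak
        "ordered_later_fixed": filter_packet(ORDERED, LATER_FRAG, drop_nonfirst_fragments=True),
        "misordered_first":    filter_packet(MISORDERED, FIRST_FRAG),   # allow: the loophole
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

With the rules in the intended order the lead fragment is denied but the later fragments, having no port to match, fall through to the broad allow rule; reversing the two rules lets the telnet connection through entirely. Dropping non-first fragments closes the leak at the cost of refusing all fragmented traffic, which is why many deployments instead reassemble before filtering.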

Stateful Inspection and Dynamic Packet Filtering

A state is a session of communication. Stateful inspection addresses the multipacket problem described above: a stateful packet filter determines whether the current packet belongs to an existing session and makes its allow/deny decision on that basis. Most often, state refers to a TCP virtual circuit at the Transport Layer (Layer 4), established through the three-way handshake (the SYN, SYN/ACK, and ACK flagged segments). Stateful inspection systems can also track communications at Layers 5 through 7. A stateful inspection firewall keeps track of current sessions in a state table held in memory.

As the firewall encounters each packet, it determines whether the packet belongs to an existing state. If it does not, the packet is likely to be dropped unless it is one that legitimately initiates a new authorized session. This stateful investigation can also be considered dynamic packet filtering. With static packet filtering, separate rules had to be created to allow both the outbound requests and the inbound replies. With dynamic packet filtering, once a session is established, the firewall watches for packets that do not belong to any authorized session. Using stateful inspection as dynamic packet filtering therefore allows simpler rule sets: a single rule allows the outbound connection, and the firewall's state management automatically allows the return traffic.

Unfortunately, stateful inspection can sometimes be fooled by manipulated header contents that make malicious traffic appear to belong to an existing valid session. More advanced stateful inspection filters track not only the basic endpoints of a session (addresses and ports) but additional details such as the sequence and acknowledgment numbers. This reduces the risk but does not eliminate it: an attacker who can eavesdrop on a session learns the current sequence numbers and can predict the next valid values.

Another issue with stateful inspection is that not all traffic has a state. UDP and ICMP are connectionless protocols, so there is no session for the firewall to track. For these protocols the firewall behaves as if a state existed: it records the source and destination of each outbound packet in the state table as a pseudo-state with a timeout value, and if the timeout expires before a response is received, the entry is removed. Because these entries carry no sequence numbers to verify, an attacker who can guess or observe the addresses and ports of an outstanding request can fool this mechanism in the same way as with a stateful protocol such as TCP, and with fewer details to forge.
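The state table, the handshake tracking, the sequence-number check and the UDP pseudo-state with its timeout all fit in one small model. The following is an added example written for this page, not code from the original text: a toy stateful filter whose only rule set is the list of outbound (protocol, port) pairs an inside host may open. The inside network, the timeout values, the fixed sequence window and the injected clock are all assumptions made for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Tuple

# Constructed packet model with the fields a stateful filter keys on.
@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    sport: int                        # for icmp: the echo identifier
    dst: str
    dport: int                        # for icmp: 0
    flags: frozenset = frozenset()    # tcp flags, e.g. frozenset({"SYN"})
    seq: int = 0                      # tcp sequence number

Key = Tuple[str, str, int, str, int]

class StatefulFilter:
    # Idle timeouts in seconds (assumed values; real products make these tunable).
    TIMEOUTS = {"tcp": 3600, "udp": 30, "icmp": 10}
    TCP_WINDOW = 65535                # simplified acceptance window for peer sequence numbers

    def __init__(self, inside_net: str, allowed_outbound: Iterable[Tuple[str, int]],
                 clock: Callable[[], float]):
        self.inside = ipaddress.ip_network(inside_net)
        self.allowed_outbound = set(allowed_outbound)   # {(proto, dport)}: the whole rule set
        self.clock = clock                              # injected so the timeout can be tested
        self.table: Dict[Key, dict] = {}                # the state table, keyed by outbound tuple

    def _expire(self, now: float) -> None:
        for key in [k for k, e in self.table.items() if now >= e["expires"]]:
            del self.table[key]

    def _outbound(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in self.inside
                and ipaddress.ip_address(pkt.dst) not in self.inside)

    def process(self, pkt: Packet) -> str:
        now = self.clock()
        self._expire(now)
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        ttl = self.TIMEOUTS[pkt.proto]

        if fwd in self.table:                         # inside host continuing its own session
            if pkt.proto == "tcp" and pkt.flags & {"FIN", "RST"}:
                del self.table[fwd]
            else:
                self.table[fwd]["expires"] = now + ttl
            return "allow"

        if rev in self.table:                         # reply from the outside peer
            entry = self.table[rev]
            if pkt.proto == "tcp":
                if entry["state"] == "SYN_SENT":
                    if pkt.flags != {"SYN", "ACK"}:
                        return "deny"                 # handshake not complete yet
                    entry["state"] = "ESTABLISHED"
                    entry["peer_seq"] = pkt.seq       # remember the server's ISN
                elif entry["peer_seq"] <= pkt.seq <= entry["peer_seq"] + self.TCP_WINDOW:
                    entry["peer_seq"] = pkt.seq
                else:
                    return "deny"                     # right endpoints, wrong sequence: injected
                if pkt.flags & {"FIN", "RST"}:
                    del self.table[rev]
                    return "allow"
            entry["expires"] = now + ttl              # refresh the (pseudo-)state
            return "allow"

        # No matching state: only an authorized outbound session start may create one.
        if not self._outbound(pkt) or (pkt.proto, pkt.dport) not in self.allowed_outbound:
            return "deny"
        if pkt.proto == "tcp" and pkt.flags != {"SYN"}:
            return "deny"                             # e.g. a bare ACK with no handshake behind it
        self.table[fwd] = {"state": "SYN_SENT" if pkt.proto == "tcp" else "PSEUDO",
                           "peer_seq": None, "expires": now + ttl}
        return "allow"

if __name__ == "__main__":
    t = [0.0]
    fw = StatefulFilter("10.0.0.0/24", [("tcp", 443), ("udp", 53)], lambda: t[0])
    print(fw.process(Packet("tcp", "10.0.0.7", 51000, "198.51.100.20", 443, frozenset({"SYN"}), 1000)))
    print(fw.process(Packet("tcp", "198.51.100.20", 443, "10.0.0.7", 51000, frozenset({"ACK"}), 5)))
```

Note what the sequence check buys and what it does not: a packet from the correct server address and port with a sequence number far outside the window is refused, but an attacker who has observed the session and knows the current numbers passes exactly as the text warns. The UDP entry is created by the outbound query, refreshed by the reply, and silently gone once the idle timeout has elapsed.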

NOTE

Stateful inspection is a form of dynamic packet filtering. Dynamic packet filtering is the process of automatically creating temporary filters. In most cases the temporary filters allow inbound responses to previous outbound requests, on a limited timeout basis. Because both describe state or session awareness, the terms dynamic packet filtering and stateful inspection are usually used interchangeably.

Network Address Translation

Network address translation (NAT) is not exactly a form of filtering, but it is often included in lists of the filtering services or options a firewall provides. NAT translates internal addresses into external addresses; it can translate port numbers as well as IP addresses, which allows many internal hosts to share one external address. The filtering-like side effect is that an inbound packet for which no translation entry exists has no internal destination and is simply dropped. Any firewall that supports NAT can serve as a NAT firewall. In most cases NAT is a translation service layered on top of the core filtering functions, and it is a common, if not standard, feature of modern firewalls.
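The following is an added example, not code from the original text: a toy NAT that translates both addresses and ports (commonly called NAPT or PAT), written for this page. The inside network, the single public address and the port pool are assumptions for the demonstration. It shows the forward mapping created by the first outbound packet of a flow, the reverse lookup that delivers replies, and the drop of inbound packets that match no mapping.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:          # constructed model: just the fields NAT rewrites or keys on
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class Napt:
    """Source NAT with port translation: every inside host appears as public_ip,
    distinguished only by the public port chosen for each flow."""

    def __init__(self, inside_net: str, public_ip: str, port_range=(1024, 65535)):
        self.inside = ipaddress.ip_network(inside_net)
        self.public_ip = public_ip
        self.lo, self.hi = port_range
        self.next_port = self.lo
        # (proto, inside ip, inside port) -> public port
        self.out: Dict[Tuple[str, str, int], int] = {}
        # (proto, public port) -> (inside ip, inside port)
        self.back: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def _alloc_port(self, proto: str, preferred: int) -> int:
        # Port preservation first: keep the host's own port if it is still free.
        if self.lo <= preferred <= self.hi and (proto, preferred) not in self.back:
            return preferred
        for _ in range(self.hi - self.lo + 1):
            p = self.next_port
            self.next_port = self.lo if p == self.hi else p + 1
            if (proto, p) not in self.back:
                return p
        raise RuntimeError("NAT port pool exhausted")

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the source of an inside->outside packet; None if it is not ours."""
        if ipaddress.ip_address(pkt.src) not in self.inside:
            return None
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.out:                    # first packet of a new flow: create mapping
            port = self._alloc_port(pkt.proto, pkt.sport)
            self.out[key] = port
            self.back[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.public_ip, self.out[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse-translate an outside->inside packet; None (dropped) if no mapping exists."""
        if pkt.dst != self.public_ip:
            return None
        target = self.back.get((pkt.proto, pkt.dport))
        if target is None:
            return None                            # unsolicited: nothing to deliver it to
        inside_ip, inside_port = target
        return Packet(pkt.proto, pkt.src, pkt.sport, inside_ip, inside_port)

if __name__ == "__main__":
    nat = Napt("10.0.0.0/24", "203.0.113.1")
    print(nat.outbound(Packet("tcp", "10.0.0.5", 5000, "198.51.100.20", 443)))
    print(nat.outbound(Packet("tcp", "10.0.0.6", 5000, "198.51.100.20", 443)))
    print(nat.inbound(Packet("tcp", "198.51.100.20", 443, "203.0.113.1", 1024)))
```

Two inside hosts that both happen to use source port 5000 get distinct public ports, and a reply to the second host's public port is delivered correctly. Notice also why NAT is not a filter: the mapping here is keyed only on the inside endpoint, so once it exists, any outside host that sends to that public port is forwarded inward. The stateful table of the previous section, not the translation table, is what makes the decision about whether such a packet belongs to a session.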

Application Proxy

An application proxy, application firewall, or application gateway is an application-specific counterpart to a packet filter. Unlike a static packet filter, which can inspect only the header of a packet or segment, an application proxy can inspect traffic fully at any layer, including the application payload.

An application proxy, even if given the name firewall or gateway, acts as the go-between or middleman between a client and a server. All communications for the specific application are proxied. This gives the application firewall the ability to inspect application-specific elements of the traffic. Because application proxies are application-specific, separate products exist for email, web, file transfer, database access, Voice over Internet Protocol (VoIP), and other application-layer protocols.

When an application proxy is deployed, all client software usually has to be reconfigured to send its requests to the proxy server rather than to the actual resource server. The application proxy rebuilds the request before sending it on to the resource server. This can include NAT services, but in most cases it is just a matter of proxying the communication. The application proxy maintains two connections, one with the requesting client and a second with the resource server; the client never establishes a direct connection to the resource server. Application proxies configured this way are therefore not transparent filters, because the client is aware that the proxy is in use. (Some deployments instead redirect traffic to the proxy at the network layer so that clients need no reconfiguration; the proxy still terminates both connections, it is merely invisible to the client.)

Any other firewall on the network border must deny the application protocols that are to be handled by the application proxy, so that a user cannot bypass the proxy by connecting to the resource server directly.

Application firewalls can filter on the content of the application payload, including IP addresses, domain names, URLs, subprotocols, attachments, keywords, and more. Because an application proxy can inspect every aspect of an application's communications, this is known as deep packet inspection. Application proxies can also cache responses to improve performance and reduce bandwidth consumption on the upstream connection. The primary limitation of application proxy firewalls is that each application protocol needs its own dedicated proxy; generic proxy systems are usually ineffective.

Circuit Proxy

A circuit proxy or circuit firewall focuses its filtering on the initial setup of a session, state, or circuit. This form of filtering operates at Layers 3 through 5. It functions similarly to an application proxy in that it acts as a middleman between client and server, preventing any direct connection between the two and thereby protecting the network.

A circuit proxy makes an allow or deny decision when the session, state, or circuit is initiated. Once a circuit is created, no further filtering takes place: if a client is allowed to initiate communications with a resource server, the content of that communication goes unfiltered and unmonitored (at least by the circuit proxy).

The filtering rules of circuit proxies resemble those of static packet filtering: a list of rules on IP addresses, port numbers, domain names, networks, or even resource providers determines which circuits or connections are allowed and which are not. The rule set can take a deny-all-but-allow-exceptions stance or an allow-all-but-deny-exceptions stance.
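The best-known circuit-level protocol is SOCKS, which the text does not name; the following added example (written for this page, not taken from the original) uses the SOCKS5 CONNECT request to show both sides of the circuit setup. The client builds a CONNECT request naming the destination; the proxy parses it, applies a rule set in one of the two stances above, and answers with the SOCKS5 reply code for success or "connection not allowed by ruleset". The policy entries and the reply-code choices for malformed requests are assumptions for the demonstration. After a successful reply a real circuit proxy would simply copy bytes between the two sockets, which is exactly the point at which its inspection stops.

```python
import ipaddress
import struct
from typing import List, Optional, Tuple

def build_connect(host: str, port: int) -> bytes:
    """Client side: SOCKS5 CONNECT request (VER CMD RSV ATYP DST.ADDR DST.PORT)."""
    try:
        addr = ipaddress.ip_address(host)
        atyp_and_addr = (b"\x01" if addr.version == 4 else b"\x04") + addr.packed
    except ValueError:                              # domain name: length-prefixed
        name = host.encode("ascii")
        atyp_and_addr = b"\x03" + bytes([len(name)]) + name
    return b"\x05\x01\x00" + atyp_and_addr + struct.pack("!H", port)

def parse_connect(req: bytes) -> Tuple[str, int]:
    """Proxy side: pull the requested destination out of a SOCKS5 CONNECT."""
    if len(req) < 4 or req[0] != 5:
        raise ValueError("not a SOCKS5 request")
    if req[1] != 1:
        raise ValueError("only CONNECT sets up a circuit here")
    atyp = req[3]
    if atyp == 1:
        host, end = str(ipaddress.IPv4Address(req[4:8])), 8
    elif atyp == 4:
        host, end = str(ipaddress.IPv6Address(req[4:20])), 20
    elif atyp == 3:
        n = req[4]
        host, end = req[5:5 + n].decode("ascii"), 5 + n
    else:
        raise ValueError("unknown address type")
    if len(req) < end + 2:
        raise ValueError("truncated request")
    return host, struct.unpack("!H", req[end:end + 2])[0]

class CircuitPolicy:
    """Rule set in one of the two stances from the text: default "deny" with allow
    exceptions, or default "allow" with deny exceptions."""

    def __init__(self, default: str, exceptions: List[Tuple[str, Optional[int]]]):
        assert default in ("allow", "deny")
        self.default = default
        # (target, port or None for any port); target is a CIDR, a ".suffix" or an exact name
        self.exceptions = exceptions

    @staticmethod
    def _target_matches(target: str, host: str) -> bool:
        if "/" in target:                             # network in CIDR form; IP destinations only
            try:
                return ipaddress.ip_address(host) in ipaddress.ip_network(target)
            except ValueError:
                return False
        if target.startswith("."):                    # domain suffix, e.g. ".example.com"
            return host == target[1:] or host.endswith(target)
        return host.lower() == target.lower()

    def decide(self, host: str, port: int) -> str:
        for target, p in self.exceptions:
            if (p is None or p == port) and self._target_matches(target, host):
                return "allow" if self.default == "deny" else "deny"
        return self.default

def handle_connect(policy: CircuitPolicy, req: bytes) -> Tuple[str, bytes]:
    """Evaluate the circuit setup and produce the SOCKS5 reply (BND fields zeroed)."""
    try:
        host, port = parse_connect(req)
    except ValueError:
        return "deny", b"\x05\x01\x00\x01" + b"\x00" * 6   # 0x01: general failure
    decision = policy.decide(host, port)
    rep = 0x00 if decision == "allow" else 0x02             # 0x02: not allowed by ruleset
    return decision, bytes([5, rep, 0, 1]) + b"\x00" * 6

if __name__ == "__main__":
    policy = CircuitPolicy("deny", [(".example.com", 443), ("192.0.2.0/24", None)])
    for host, port in [("example.com", 443), ("evil.example", 80), ("192.0.2.10", 22)]:
        print(host, port, handle_connect(policy, build_connect(host, port)))
```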

Content Filtering

Firewalls can also filter on content. The firewall can intercept specific content in a packet leaving the network before it reaches the outside. The result may be that the packet is discarded, the entire connection is dropped, or the packet is edited to remove the blocked content and replace it with something else. Content filtering can focus on a domain name, URL, filename, file extension, or some other form of keyword. Content filtering is often a feature of application proxy firewalls, stateful inspection firewalls, and dynamic packet-filtering firewalls.
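Application proxying and content filtering come together in a web proxy, so one added example serves both the Application Proxy section above and this one. The code below was written for this page and is not from the original text: a toy HTTP application proxy that parses the request a configured client sends it, refuses blocked hosts and URL patterns (the connection is dropped), scrubs blocked keywords from the outbound body (the content is edited and replaced), and rebuilds the request for its second connection to the origin server. The policy entries, the sample request, the proxy name and the choice to refuse non-absolute request targets are assumptions for the demonstration; chunked request bodies are not decoded.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

@dataclass
class ProxyPolicy:               # constructed policy; every entry is an assumption
    blocked_hosts: Set[str] = field(default_factory=set)
    blocked_url_patterns: List[str] = field(default_factory=list)   # regexes on the path
    blocked_keywords: List[str] = field(default_factory=list)       # scrubbed from bodies
    replacement: str = "[removed]"

class HttpApplicationProxy:
    # Headers that describe the client<->proxy hop only; they must not be forwarded.
    # (Transfer-Encoding is left alone because chunked bodies are not decoded here.)
    HOP_BY_HOP = {"connection", "proxy-connection", "keep-alive", "te", "trailer",
                  "upgrade", "proxy-authorization"}
    ABSOLUTE_URL = re.compile(r"^(https?)://([^/:]+)(?::(\d+))?(/.*)?$")

    def __init__(self, policy: ProxyPolicy, name: str = "proxy.example.internal"):
        self.policy = policy
        self.name = name

    @staticmethod
    def parse(raw: bytes):
        head, _, body = raw.partition(b"\r\n\r\n")
        lines = head.decode("iso-8859-1").split("\r\n")
        parts = lines[0].split(" ")
        if len(parts) != 3:
            raise ValueError("malformed request line")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        return parts[0], parts[1], headers, body

    def handle(self, raw: bytes) -> Tuple[str, Optional[bytes]]:
        """Inspect one client request; return ("deny", None) or ("allow", rebuilt request)."""
        try:
            method, target, headers, body = self.parse(raw)
        except ValueError:
            return "deny", None
        m = self.ABSOLUTE_URL.match(target)
        if not m:
            return "deny", None            # a configured client always sends absolute URLs
        _scheme, host, port, path = m.groups()
        path = path or "/"
        if host.lower() in self.policy.blocked_hosts:
            return "deny", None            # whole connection refused
        if any(re.search(p, path, re.I) for p in self.policy.blocked_url_patterns):
            return "deny", None
        # Content filter: scrub blocked keywords from the payload instead of dropping it.
        text = body.decode("utf-8", "replace")
        for kw in self.policy.blocked_keywords:
            text = re.sub(re.escape(kw), self.policy.replacement, text, flags=re.I)
        new_body = text.encode("utf-8")
        # Rebuild the request for the second connection (proxy -> origin server).
        fwd = {k: v for k, v in headers.items() if k not in self.HOP_BY_HOP}
        fwd["host"] = host if port is None else f"{host}:{port}"
        if new_body or "content-length" in fwd:
            fwd["content-length"] = str(len(new_body))   # the body may have changed size
        fwd["via"] = f"1.1 {self.name}"
        fwd["connection"] = "close"
        out = [f"{method} {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in fwd.items()]
        return "allow", "\r\n".join(out).encode("iso-8859-1") + b"\r\n\r\n" + new_body

# Constructed sample request: what a browser configured to use the proxy would send.
SAMPLE_REQUEST = (b"POST http://intranet-share.example/upload HTTP/1.1\r\n"
                  b"Host: intranet-share.example\r\n"
                  b"Proxy-Connection: keep-alive\r\n"
                  b"Content-Type: text/plain\r\n"
                  b"Content-Length: 27\r\n"
                  b"\r\n"
                  b"notes on SECRET-PROJECT now")

def demo_proxy() -> HttpApplicationProxy:
    return HttpApplicationProxy(ProxyPolicy(
        blocked_hosts={"malware.example"},
        blocked_url_patterns=[r"\.exe$"],
        blocked_keywords=["SECRET-PROJECT"]))

if __name__ == "__main__":
    decision, rebuilt = demo_proxy().handle(SAMPLE_REQUEST)
    print(decision)
    print(rebuilt.decode("iso-8859-1"))
```

The rebuilt request is a new message, not a forwarded packet: the request line is rewritten to origin form, the hop-by-hop headers the client addressed to the proxy are dropped, a Via header records the proxy, and Content-Length is recomputed because the scrubbed body is shorter than the original. Forgetting that last step is a classic proxy bug, since the origin server would otherwise wait for bytes that never arrive.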
