The prime security feature of a firewall is its inbound restriction. A typical firewall configuration abandons all inbound traffic to internal IP addresses. A DMZ network should carry the server that accepts the incoming connections or traffic. Latest firewalls allow in the responses to outbound tariff; the firewalls of computers that are connected to web server via internet would automatically accept responses from the web server that would in turn return to the computer.

Inbound Confinement Example: A “ping” command transmits ICMP Echo Request message and as a response receives ICMP Echo Reply message. For blocking the ICMP Echo Request messages to reach its destination, one has to configure a firewall that would result in failed ping commands. For blocking ICMP Echo Reply messages a firewall could be assembled between the source and the destination to fail all ping commands. A potential attacker is allowed by ping to map the network; for preventing the use of ping command for mapping network disable the inbound Echo Request messages.

 

The outbound traffic is denied in some network security administrators. The feature forbids users from accessing unapproved protocols while limiting their access to only approved protocols; such restrictions involve avoiding users from online chat or sending outbound emails especially in work places. Such limitations are sensitive to work-arounds – the time and effort of the user necessary to approach a particular protocol via indirect ways thus very few users spent time in figuring out a way. The outbound confinement most of the time works as per design.

Outbound Confinement Example: SMTP protocol that responds to TCP port 25 is used for emails. Blocking the outbound TCP port 25 in your network would disable the users from sending outbound emails except from enabled email servers. An effective work-around the confinement policy is the configuration of mail server to respond to an additional port along with port 25 by an intelligent user.

 

• The Network Layer Firewall also known as packet filters (in BSD operating systems’ context) works on the low level of the TCP/IP protocol heap which means that none could cross the firewall unless the packets resemble the established rules. Usually default rules are applied but the administrator has authority to modify rules. The Packet Filters have two sub-types. A firewall could make use of a number of packet attributes for filtering traffic such as source port, IP address, destination port or IP address, destination service like FTP or WWW. The process of filtering could be based on protocols of the source such as netblock, TTL values and other properties.
• Stateful Firewalls manages the context of ongoing sessions and process speed packet by the help of state information. In case a packet does not resemble an existing connection then the evaluation would be based on the rules of new connections where the resemblance with the connection on the bases of comparison with the state table of firewall would enable the packet to cross the firewall without any further processing.
• Faster filters and less memory requirement makes Stateless Firewalls a better option. These firewalls are fundamental for the filtering of stateless network protocols due to no concept of session in their set ups. The firewalls are not clever enough to figure out the extent of communication between the hosts.
• The Application Layer Firewall functions on the application level of TCP/IP stack such as all telnet or FTP traffic and tap all packets whether travelling from or to an application. They drop other packets without recognition of the sender. These filters are helpful in restricting outbound traffic from approaching the confined machine.
• 
  The process ID of data packets is examined by the application firewall against a local process’ ruleset implied in data transmission. The rendered ruleset defines the extent to which filtering would be done. In this firewall the ruleset for standard services such as sharing services is very complex. Along with other processes there might occur some possible associations but these ruleset for process has fixed efficiency; it could not defend against modifications that are caused by exploitations such as the exploits of memory corruption.
• 
  These limitations in the application firewall have triggered the association of a new generation of application named MAC (Mandatory Access Control) or sandboxing in these firewalls in order to secure sensitive services. APPArmor is an example of next generation application firewall that is included in some distributions of Linux.
• A Proxy Server could be configured to act as a firewall by responding to input packets such as connection requests. The server could serve as an application that runs on software of a machine made for this purpose or on a hardware dedicated to the task thus breaking into the path of other packets so they could not access their destination.
  
  It would be extremely tough for an external network to temper with an internal system that is synchronized with a proxy server. If the application proxy is accurately configured and intact then the misuse by an external network would not inevitably lead to some security breach exploitation. A system that is in the reach of public might be hacked by intruders who would employee the system as a proxy for their illegitimate motives; in such cases proxy would present that machine as it is to the internal computers. For passing packets to a specific target, hijackers could make use of IP Spoofing.
• The function of NAT (Network Address Translation) is often installed in firewalls that give private or personalized address range as given in RFC 1918 to the hosts that are secured behind a firewall. The initiative is taken to protect or camouflage the hosts from potential threats.
• 
  The routable addresses of IPv4, assigned to individuals or organizations to reduce the number along with cost of acquiring such public addresses for every other computer in the building, were the reason behind the designing of a function like NAT. Against network reconnaissance the best defense is to hide the address of protected devices.