Allow the packet through.
Drop the packet with no response to the sender.
Drop the packet but send an ICMP host unreachable message back to the client.
Allow the packet through after setting up special conditions for monitoring the conversation that it is part of, with the intent of changing behavior dynamically on any suspicious activity.

Solutions that combine firewalls with IDS sensors can achieve additional levels of security. The firewall enforces policy, while the IDS measures attacks aimed at the firewall (if the sensor is in front of the firewall) or measures our success in thwarting attacks according to policy (if placed behind the firewall).

Firewall Configurations

Firewalls are very versatile and can appear as any of the four channel patterns introduced in Chapter 4, "Architecture Patterns in Security."

Packet filters make decisions to allow or deny traffic based on the contents of the packet header, for example the source or destination IP address, the port numbers used, or the protocol. Some packet filters maintain a notion of connection state or can assemble fragmented packets.

Personal firewalls, or host-based software firewalls, protect a single host from any attacks on its network interface. PC firewalls such as Tiny Personal Firewall, Zone Alarm, Norton Personal Firewall, or tcpwrapper (which we argued in Chapter 4 could also be considered a filter from a different perspective because of the granularity of access protection) all wrap a single host.

Secure gateways intercept all conversations between a client network adaptor and the gateway, building an encrypted tunnel to protect data traveling over the open Internet. Once the data reaches the internal network, it travels in the clear.

Application proxies can perform elaborate logging and access control on the firewall because they can reassemble fragmented packets and pass them up the application stack to a proxy version of the service. The proxy version prevents external communications from .
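The four packet outcomes listed above and the header-based, optionally stateful decision a packet filter makes are easy to see in a small model. The following Python is an added example written for this page, not code from the book or from any of the products it names: it evaluates a first-match rule list against packet headers, returns one of the four verdicts, records an ICMP host unreachable reply for the "drop and notify" case, keeps a connection table so that replies to an allowed conversation pass without re-consulting the rules, and flags conversations the policy wants monitored. All rule names, addresses (documentation ranges) and packets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Verdict names modelled on the four outcomes in the text (hypothetical labels).
ALLOW = "ALLOW"                        # pass the packet
DROP = "DROP"                          # drop silently, no response to sender
REJECT_HOST_UNREACH = "REJECT"         # drop, answer with ICMP host unreachable
ALLOW_MONITORED = "ALLOW_MONITORED"    # pass, but track the conversation closely


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag: marks the start of a new connection


@dataclass
class Rule:
    action: str
    src: str = "0.0.0.0/0"      # CIDR; default matches any source
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


class PacketFilter:
    """First-match packet filter with a minimal connection-state table."""

    def __init__(self, rules: List[Rule], default: str = DROP):
        self.rules = list(rules)
        self.default = default          # verdict when no rule matches
        self.conntrack = set()          # 5-tuples of conversations we allowed
        self.monitored = set()          # conversations flagged for monitoring
        self.icmp_out: List[Tuple[str, str]] = []  # ICMP replies we would send

    @staticmethod
    def _key(pkt: Packet):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt: Packet):
        # The same conversation seen from the other direction (the reply).
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt: Packet) -> str:
        # Stateful shortcut: traffic belonging to a conversation we already
        # allowed passes without re-consulting the rule list.
        if self._key(pkt) in self.conntrack or self._reverse_key(pkt) in self.conntrack:
            return ALLOW
        # A TCP segment that is not a SYN and belongs to no known connection
        # is a stray; a stateful filter drops it rather than opening a hole.
        if pkt.proto == "tcp" and not pkt.syn:
            return DROP
        action = self.default
        for rule in self.rules:          # first matching rule wins
            if rule.matches(pkt):
                action = rule.action
                break
        if action in (ALLOW, ALLOW_MONITORED):
            self.conntrack.add(self._key(pkt))
            if action == ALLOW_MONITORED:
                self.monitored.add(self._key(pkt))
        elif action == REJECT_HOST_UNREACH:
            self.icmp_out.append(("icmp-host-unreachable", pkt.src))
        return action


# Constructed policy: 203.0.113.10 is the protected host, 192.0.2.0/24 a
# partner range that gets a polite refusal instead of a silent drop.
RULES = [
    Rule(ALLOW, dst="203.0.113.10/32", proto="tcp", dport=443),            # public HTTPS
    Rule(ALLOW_MONITORED, dst="203.0.113.10/32", proto="tcp", dport=22),   # SSH, watched
    Rule(REJECT_HOST_UNREACH, src="192.0.2.0/24"),                         # partner range
]


def demo():
    """Run constructed packets through the filter; returns verdicts and side effects."""
    fw = PacketFilter(RULES)
    verdicts = [
        fw.filter(Packet("198.51.100.7", "203.0.113.10", "tcp", 40000, 443, syn=True)),
        fw.filter(Packet("203.0.113.10", "198.51.100.7", "tcp", 443, 40000)),  # reply, via state
        fw.filter(Packet("198.51.100.7", "203.0.113.10", "tcp", 40001, 22, syn=True)),
        fw.filter(Packet("192.0.2.5", "203.0.113.10", "tcp", 40002, 80, syn=True)),
        fw.filter(Packet("198.51.100.9", "203.0.113.10", "udp", 5000, 53)),
        fw.filter(Packet("198.51.100.9", "203.0.113.10", "tcp", 5001, 443)),   # stray ACK
    ]
    return verdicts, sorted(fw.monitored), list(fw.icmp_out)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The second packet shows why connection state matters: the reply from the web server matches no rule on its own and would otherwise fall to the default drop, but it belongs to a tracked conversation and passes. The last packet shows the converse, a TCP segment with no SYN and no tracked connection, which the stateful filter drops even though a stateless filter comparing headers to the first rule would let it through.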