Packet filtering is the most important of the functions offered by the different types of hardware firewall. With this method, the firewall decides which data packets are forwarded and which are not on the basis of a manually defined set of rules. To do so, it operates on OSI layers 3 and 4, i.e. the network and transport layers, and checks each packet for properties found in the corresponding protocol headers. The rules can specify exact IP addresses or ports, which are then either allowed or blocked.
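The following sketch is an added example, not part of the original article: it reads the layer 3 and layer 4 header fields of an IPv4 packet and checks them against a manually defined rule list. The rule set, the documentation-range addresses, the function names, and the first-match and default-block policies are all assumptions made for illustration.

```python
import ipaddress
import struct

# Constructed rule set: (action, source network, protocol, destination port; None = any).
# Rules are checked top to bottom and the first match decides (assumed policy).
RULES = [
    ("block", "203.0.113.0/24", "any", None),
    ("allow", "0.0.0.0/0", "tcp", 443),
    ("allow", "192.0.2.0/24", "udp", 53),
]
DEFAULT_ACTION = "block"  # assumed default: anything not explicitly allowed is dropped
PROTOCOLS = {6: "tcp", 17: "udp"}  # IPv4 protocol numbers

def parse_headers(packet: bytes):
    """Extract source IP, protocol and destination port from an IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4  # layer-3 header length in bytes
    if ihl < 20 or len(packet) < ihl + 4:
        raise ValueError("truncated header")
    proto = PROTOCOLS.get(packet[9], "other")
    src = ipaddress.IPv4Address(packet[12:16])
    # TCP and UDP both begin with source port, then destination port (layer 4).
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0] if proto != "other" else None
    return src, proto, dport

def decide(packet: bytes) -> str:
    """Return 'allow' or 'block'; malformed packets are blocked."""
    try:
        src, proto, dport = parse_headers(packet)
    except ValueError:
        return "block"
    for action, network, rule_proto, rule_port in RULES:
        in_net = src in ipaddress.ip_network(network)
        if in_net and rule_proto in ("any", proto) and rule_port in (None, dport):
            return action
    return DEFAULT_ACTION

def build_packet(src: str, proto: int, dport: int) -> bytes:
    """Build a constructed 20-byte IPv4 header plus 8 bytes of transport header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address("192.0.2.1").packed)
    return ip + struct.pack("!HHHH", 40000, dport, 8, 0)

if __name__ == "__main__":
    for args in [("198.51.100.7", 6, 443), ("203.0.113.9", 6, 443), ("192.0.2.10", 17, 53)]:
        print(args, "->", decide(build_packet(*args)))
```

Because the first matching rule decides, the block rule for 203.0.113.0/24 has to sit above the general allow rule for port 443; swapping the two would let that network through.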
With the help of the aforementioned bridge or a switch, which is an extended bridge of sorts, packet filtering can also be carried out on the data link layer (layer 2) of the OSI model. There, filtering is based not on IP addresses but on MAC addresses, which are used for hardware addressing.
Firewalls can additionally be extended to filter with state-oriented verification methods (stateful packet inspection, SPI). For this purpose, packet filtering, which is normally limited to layers 3 and 4, also takes in the application layer (layer 7) and the application data recorded there. Unlike proxy firewalls, which also have access to this layer, SPI doesn’t allow this data to be changed.