6. «Ê¥]¦p¦ó¬ï¶V(traverse)¹LÂo

®Ö¤ß±q 'filter' ªí®æªº¤T­Ó¦Cªí(lists) ¶}©l¡Q³o¤T­Ó¦Cªí¥s°µ firewall chains(¨¾¤õÀðÃì) ©Î´N¥s chains(Ãì)¡C ³o¤T­ÓÃì¤À§O¬°INPUT¡NOUTPUT ¡N©M FORWARD ¡C

³o¸ò 2.0 ©M 2.2 ®Ö¤ß¦³«Ü¤j®t§O®@¡T

¹ï©ó ASCII ÃÀ³N°g¨Ó»¡¡M¦UÃì(chains)ªº§G¸m¦p¤U¡R

                          _____
Incoming                 /     \         Outgoing
       -->[Routing ]--->|FORWARD|------->
          [Decision]     \_____/        ^
               |                        |
               v                      ____
              ___                    /    \
             /   \                  |OUTPUT|
            |INPUT|                  \____/
             \___/                      ^
               |                        |
                ----> Local Process ----

¨ä¤¤¤T­Ó°é¥NªíµÛ«e­zªº¤T­ÓÃì¡M·í¤@­Ó«Ê¥]©è¹F¤W¹Ï¤¤ªº¨ä¤¤¤@­Ó°é¡M¬ÛÀ³ªºÃì´N·|±µ¨üÀËÅç(examined)¡M¥H¨M©w¨º­Ó«Ê¥]ªº©R¹B¡C¦pªGÃ컡 DROP ±¼³o­Ó«Ê¥]¡M¨º»ò¥¦´N·|´N¦a¥¿ªk¡M¦ý¦pªGÃ컡 ACCEPT ³o­Ó«Ê¥]¡M¨º»ò¥¦´NÄ Äò¦b¹Ï¥Ü¤¤¬ï¶V¡C

¤@­ÓÃì(chain)¨ä¹ê´N¬O²³¦h³W«h(rules)¤¤ªº¤@­ÓÀˬd²M³æ(checklist)¡C¨C¤@±ø³W«h³£·|»¡¡§¦pªG«Ê¥]ªíÀY¬Ý°_¨Ó¹³³o¼Ë¡M´N¦p¦¹³o¯ë³B¸m³o­Ó«Ê¥]¡¨¡C¦pªG³W«hªº³]©w©M«Ê¥]¨Ã¤£²Å¦X(match)¡M¨º»ò´N¥æ¥ÑÃ줤ªº¤U¤@­Ó³W«hÄ Äò³B²z¡C¦Ó³Ì²×¡M¦pªG¦A¨S¦³³W«h¥i¥H°Ñ¦Ò¡M¨º»ò®Ö¤ß´N·|¬ÝÃ쪺policy(­ì«h) ¥H¨M©w«ç»ò°µ¡C¦b¤@­Ó¦w¥þ¦Ü¤Wªº¨t²Î¸Ì¡M­ì«h(policy)³q±`³£·|§i¶D®Ö¤ß DROP ±¼¸Ó«Ê¥]¡C

1. ·í¤@­Ó«Ê¥]¶i¤Jªº®É­Ô(°²³]¡M³q¹L Ethernet ºô¸ô¥d)¡M®Ö¤ß­º¥ý¬Ý¬Ý«Ê¥]ªº¥Øªº¦a(destination)¡R³oºÙ¤§¬° ' rouging (¸ô¥Ñ)'¡C
2. ¦pªG¥Øªº¦a§}¬°¥»¾÷¡M³o­Ó«Ê¥]´N«ö¹Ï¥Ü¤U¦æ¦Ü INPUT Ãì¡C¦pªG¥¦¯à°÷³q¹L¡M¨º»òµ¥«Ý³o­Ó«Ê¥]ªº¦æµ{(processes)´N±N¤§±µºÞ¤U¨Ó¡C
3. §_«h¡M¦pªG®Ö¤ß¨Ã¨S±Ò°ÊÂ໼¥\¯à(forwarding)¡M©Î¬O¥¦¤£ª¾¹D¦p¦óÂ໼³o­Ó«Ê¥]¡M¨º»ò³o­Ó«Ê¥]´N·|³Q¥á±ó(dropped)¡C¦pªGÂ໼¥\¯à¤w¸g±Ò°Ê¡M¦P®É«Ê¥]«ü¦V¥t¤@­Óºô¸ô¬É­±(¦pªG±zÁÙ¦³¥t¥ ¤@±i)¡MµM«á³o­Ó«Ê¥]´N«ö¹Ï¥Ü¥k¦æ¦Ü FORWARD Ãì¡C¦pªG¥¦³Q±µ¨ü(ACCEPT)¡M¨º»ò¥¦´N·|³Q°e¥X¥h¡C
4. ³Ì«á¤@ºØ±¡§Î¡M¤@­Ó¦b¥»¾÷¹B¦æªºµ{¦¡·|°e¥Xºô¸ô«Ê¥]¡C«Ê¥]´Nª½±µ¥æµ¹ OUTPUT Ãì¡R¦pªG¬O ACCEPT¡MµM«á³o­Ó«Ê¥]·|Ä Äò°e¥X¦Ü¥¦©Ò«ü¦Vªº¬É­±¡C