Abstract |
A firewall (3) for controlling network data packet traffic between internal and external networks (1, 5, 4), comprising filtering means selecting from a total set of rules, in dependence of the contents in data fields of a data packet being transmitted between said networks, a rule applicable to the data packet, in order to block said packet or forward said packet through the firewall (3). A 2-dimensional address lookup means (8) performs a 2-dimensional lookup of the source and destination addresses of the packet in a set of address prefixes, each prefix having a subset of rules of the total set of rules, in order to find a prefix, via its representation, associated with said source and destination addresses, and rule matching means (10) for rule matching, on the basis of the contents of said data fields, in order to find the rule applicable to the data packet.
|
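The two stages the abstract describes, a 2-dimensional source/destination prefix lookup that selects a rule subset followed by rule matching on the remaining fields, are sketched below as an added example; it is not code from the patent. The linear scan stands in for the lookup structure, and the policy table, the `Rule` fields, the tie-break between prefix pairs, first-match ordering and default-deny are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    proto: Optional[str]   # None matches any protocol
    dport: Optional[int]   # None matches any destination port
    action: str            # "forward" or "block"

    def matches(self, pkt: dict) -> bool:
        return (self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt["dport"]))

def net(prefix: str):
    return ipaddress.ip_network(prefix)

# Constructed sample policy: (source prefix, destination prefix) -> rule subset.
TABLE = {
    (net("0.0.0.0/0"), net("192.0.2.0/24")): [Rule("tcp", 443, "forward")],
    (net("198.51.100.0/24"), net("192.0.2.0/24")): [
        Rule("tcp", 22, "forward"),
        Rule("tcp", 443, "forward"),  # repeated: only one subset is consulted
    ],
    (net("10.0.0.0/8"), net("0.0.0.0/0")): [
        Rule("udp", 53, "forward"),
        Rule("tcp", None, "forward"),
    ],
}

def lookup_2d(src: str, dst: str):
    """Stage 1: most specific (src, dst) prefix pair covering both addresses.
    Assumed tie-break: longest source prefix, then longest destination prefix."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [k for k in TABLE if s in k[0] and d in k[1]]
    return max(hits, key=lambda k: (k[0].prefixlen, k[1].prefixlen), default=None)

def classify(pkt: dict) -> str:
    """Stage 2: match the other packet fields against the selected subset only."""
    key = lookup_2d(pkt["src"], pkt["dst"])
    if key is None:
        return "block"                # assumed default-deny: no prefix pair covers it
    for rule in TABLE[key]:           # assumed first-match-wins ordering
        if rule.matches(pkt):
            return rule.action
    return "block"                    # assumed default-deny: no rule in the subset fits
```

Because only the selected prefix pair's subset is searched, any rule from a covering pair that should still apply has to be repeated in the more specific subset, as the port 443 rule is here.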