Figure illustrates the filter rules used to implement our security policy discussed in Section 2.
(a) We filter the first UDP fragment and assume that later fragments are useless without the first.
(b) We treat certain protocols as safe and allow those packets through to every host. These protocols are not listed here because they would then become a target and no longer be safe.
(c) Rejecting all IP multicast packets is acceptable because all multicast applications can be run on expendable hosts. If a multicast application were to be selectively enabled, then corresponding IGMP packets must also be allowed.
(d) We currently accept ARP responses from our network gateway, which is located on the other side of the firewall. The gateway is also under someone else's administrative control, so its Ethernet interface could be changed without our knowledge. (We would need to be informed if its IP address changed.) If our packet filter were implemented in a router, then we could filter all ARP packets.
If a filtered protocol is needed for our research or for a particular application, then we either run the process on an expendable machine or establish a proxy on a bastion and change the filters.