Abstract: The present invention discloses a novel system for controlling the inbound and outbound data packet flow in a computer network. By controlling the packet flow in a computer network, private networks can be secured from outside attacks in addition to controlling the flow of packets from within the private network to the outside world. A user generates a rule base which is then converted into a set of filter language instruction. Each rule in the rule base includes a source, destination, service, whether to accept or reject the packet and whether to log the event. The set of filter language instructions are installed and execute on inspection engines which are placed on computers acting as firewalls. The firewalls are positioned in the computer network such that all traffic to and from the network to be protected is forced to pass through the firewall. Thus, packets are filtered as they flow into and out of the network in accordance with the rules comprising the rule base.

Abstract: A filter module allows controlling network security by specifying security rules for traffic in the network and accepting or dropping communication packets according to these security rules. A set of security rules are defined in a high level form and are translated into a packet filter code. The packet filter code is loaded into packet filter modules located in strategic points in the network. Each packet transmitted or received at these locations is inspected by performing the instructions in the packet filter code. The result of the packet filter code operation decides whether to accept (pass) or reject (drop) the packet, disallowing the communication attempt.