Abstract: A method of filtering a tunneled data packet including an outer header and an outer payload, the outer payload including an inner data packet including an inner header and an inner payload, where the value of at least one outer header field of the tunneled data packet is matched to a first rule, and the action defined in the first rule is taken. Taking the action defined in the first rule includes detecting the inner data packet within the tunneled data packet, matching the value of at least one field of the inner data packet to a second rule, and taking the action defined in the second rule.

Abstract: The invention concerns handling in a firewall data communication protocols comprising at least one parent connection and at least one related connection, wherein at least one attribute of the related connection is negotiated within the parent connection. Whether to allow a related connection is decided on the basis of information about the related connection as well as information about the parent connection. The method of the invention comprises allowing a parent connection, storing information about the parent connection, monitoring contents of the parent connection, detecting within the parent connection negotiation of at least one attribute of a related connection, and using said at least one negotiated attribute of the related connection and said information about the parent connection for deciding, whether said related connection is allowable.

Abstract: A method for handling data packets in a network element, such as a gateway, said data packets belonging to a set of data packets. Data packets are captured, and captured data packets are processed. Captured data packets are accepted for processing or declined from processing based on said captured data packet and data packets captured prior to said data packet. When at least one captured data packet is processed, a modification command affecting at least said at least one captured data packet is determined, and a list of modification commands is maintained, said list enabling modification of captured data packets. Captured data packets are modified based on said list of modification commands, and data packets are released. It is also possible to process the captured data packets without determining modification commands, and release the data packets without modifying them.

Abstract: The invention concerns handling in a firewall data communication protocols comprising at least one parent connection and at least one related connection, wherein at least one attribute of the related connection is negotiated within the parent connection. Whether to allow a related connection is decided on the basis of information about the related connection as well as information about the parent connection. The method of the invention comprises allowing a parent connection, storing information about the parent connection, monitoring contents of the parent connection, detecting within the parent connection negotiation of at least one attribute of a related connection, and using said at least one negotiated attribute of the related connection and said information about the parent connection for deciding, whether said related connection is allowable.

Abstract: A method of filtering a tunneled data packet comprising an outer header and an outer payload, the outer payload comprising an inner data packet comprising an inner header and an inner payload, where the value of at least one outer header field of the tunneled data packet is matched to a first rule, and the action defined in the first rule is taken. Taking the action defined in the first rule comprises detecting the inner data packet within the tunneled data packet, matching the value of at least one field of the inner data packet to a second rule, and taking the action defined in the second rule.

Abstract: A method for handling data packets in a network element, such as a gateway, said data packets belonging to a set of data packets. Data packets are captured (300), and captured data packets are processed (302). Captured data packets are accepted (301) for processing or declined (301) from processing based on said captured data packet and data packets captured prior to said captured data packet. When at least one captured data packet is processed, a modification command affecting at least said at least one captured data packet is determined (304), and a list of modification commands is maintained (305), said list enabling modification of captured data packets. Captured data packets are modified (306) based on said list of modification commands, and data packets are released (308). It is also possible to process (302) the captured data packets without determining modification commands, and release (308) the data packets without modifying them.