Figure illustrates the filter rules used to implement our security policy discussed in Section 2.
(a) We filter the first UDP fragment and assume that later fragments are useless without the first.
(b) We treat certain protocols as safe and allow those packets through to every host. These protocols are not listed here because they would then become a target and no longer be safe.
(c) Rejecting all IP multicast packets is acceptable because all multicast applications can be run on expendable hosts. If a multicast application were to be selectively enabled, then the corresponding IGMP packets would also have to be allowed.
(d) We currently accept ARP responses from our network gateway, which is located on the other side of the firewall. The gateway is also under someone else's administrative control, so its Ethernet interface could be changed without our knowledge. (We would need to be informed if its IP address changed.) If our packet filter were implemented in a router, then we could filter all ARP packets.
If a filtered protocol is needed for our research or for a particular application, then we either run the process on an expendable machine or establish a proxy on a bastion and change the filters.
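As an added illustration (not code from the paper), the following Python classifier encodes rules (a) to (d) over constructed packet headers. The safe-protocol set, the gateway address and the allowed UDP ports are placeholders, since the paper deliberately does not list them, and the default for anything not covered by a rule is assumed to be reject.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Placeholders, not values from the paper: it withholds the safe-protocol
# list on purpose, and the gateway address is a TEST-NET documentation IP.
SAFE_PROTOCOLS = frozenset({"icmp"})
GATEWAY_IP = ip_address("192.0.2.1")
ALLOWED_UDP_PORTS = frozenset({53})
MULTICAST = ip_network("224.0.0.0/4")


@dataclass
class Packet:
    ethertype: str        # "ip" or "arp"
    proto: str = ""       # "udp", "tcp", "icmp", "igmp", ... (IP only)
    src: str = ""         # source IP, or sender IP for ARP
    dst: str = ""         # destination IP
    frag_offset: int = 0  # > 0 marks a later fragment
    dst_port: int = 0     # UDP destination port (first fragment only)
    arp_op: str = ""      # "request" or "reply"


def filter_packet(pkt: Packet) -> str:
    """Return 'accept' or 'reject' following rules (a)-(d)."""
    if pkt.ethertype == "arp":
        # (d) Only ARP replies from the gateway across the firewall are
        # accepted; every other ARP packet is dropped.
        gateway_reply = pkt.arp_op == "reply" and ip_address(pkt.src) == GATEWAY_IP
        return "accept" if gateway_reply else "reject"
    if pkt.ethertype != "ip":
        return "reject"
    # (c) Reject all IP multicast, and IGMP with it, since no selectively
    # enabled multicast application exists in this configuration.
    if ip_address(pkt.dst) in MULTICAST or pkt.proto == "igmp":
        return "reject"
    # (b) Protocols treated as safe reach every host.
    if pkt.proto in SAFE_PROTOCOLS:
        return "accept"
    if pkt.proto == "udp":
        # (a) The port check is applied to the first fragment only; later
        # fragments pass uninspected on the assumption that they are
        # useless without the first.
        if pkt.frag_offset > 0:
            return "accept"
        return "accept" if pkt.dst_port in ALLOWED_UDP_PORTS else "reject"
    # Assumed default: anything not covered above is rejected.
    return "reject"
```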