Packet filtering in detail


Packet filtering is done by having network software in a router or host examine fields in a TCP/IP header to decide whether to forward or accept traffic. The fields most commonly examined are the IP addresses, the UDP or TCP port numbers, the ICMP message type, and the TCP flags (in particular ACK), as described below.

Appropriate combinations of rules can limit access to or from certain networks by examining IP addresses, and can limit access to certain UDP or TCP services by examining port numbers.

ICMP filtering can prevent mapping of networks by "ping-scanning" (although other scanning methods using UDP or TCP may still work), but it should be done carefully, since certain ICMP messages are necessary for the effective operation of other protocols.

TCP ACK filtering can produce a sort of "one-way barrier". Normally, when a client host opens a connection to a server, every TCP packet coming from the server back to the client has the TCP ACK flag set. If a filter permits ACKs in only one direction, the hosts behind the filter can still open outgoing TCP connections (since all the incoming packets of those connections carry the ACK flag), but incoming TCP connections to those hosts fail (since the initial SYN does not carry the ACK flag and is therefore dropped).
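The rules above, worked through as a small filter simulation. This is an added example, not code from the original page; the address ranges, the "inside" network, the DNS allowance on UDP port 53 and the treatment of ICMP type 3 (destination unreachable, which path MTU discovery relies on) are assumptions chosen to illustrate the text.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed example: the protected network sits behind the filter (RFC 5737 range).
INSIDE = ip_network("192.0.2.0/24")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: int = 0                  # destination port for tcp/udp
    flags: frozenset = field(default_factory=frozenset)  # TCP flags, e.g. {"SYN", "ACK"}
    icmp_type: int = 0              # ICMP message type (8 = echo request, 3 = unreachable)


def inbound(p: Packet) -> bool:
    """True when the packet is entering the protected network from outside."""
    return ip_address(p.dst) in INSIDE and ip_address(p.src) not in INSIDE


def filter_packet(p: Packet) -> str:
    """Decide 'forward' or 'drop' using the address, port, ICMP and ACK rules."""
    if p.proto == "tcp":
        # One-way barrier: inbound TCP is only forwarded when ACK is set, so the
        # initial SYN of an inbound connection is dropped while replies to
        # connections opened from inside (SYN+ACK, ACK, data) pass.
        if inbound(p) and "ACK" not in p.flags:
            return "drop"
        return "forward"
    if p.proto == "udp":
        # Port rule (assumed): DNS is reachable from outside, other UDP only outbound.
        return "forward" if (p.dport == 53 or not inbound(p)) else "drop"
    if p.proto == "icmp":
        # Block inbound echo requests to hinder ping-scanning, but keep the
        # destination-unreachable messages that other protocols depend on.
        if inbound(p) and p.icmp_type == 8:
            return "drop"
        return "forward"
    return "drop"


def tcp_connect(client: str, server: str, port: int) -> bool:
    """Walk a three-way handshake through the filter; True if every packet is forwarded."""
    handshake = [
        Packet(client, server, "tcp", port, frozenset({"SYN"})),
        Packet(server, client, "tcp", 0, frozenset({"SYN", "ACK"})),
        Packet(client, server, "tcp", port, frozenset({"ACK"})),
    ]
    return all(filter_packet(p) == "forward" for p in handshake)
```

Running `tcp_connect` from an inside host to an outside server succeeds, while the same handshake initiated from outside fails at the first SYN.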


Steve VanDevender
Last modified: Thu Jul 31 12:33:16 PDT 2003