You can construct a packet filter so that it allows only packets destined for specified services to pass through an interface. This approach is best if you can easily specify which services you want to allow, such as HTTP and DNS. You may inadvertently block certain services that people want to use, but you can add these later if necessary. "A packet filter that allows a limited number of services" shows a filter that allows packets destined for the telnetd, ftpd and rlogind servers to pass but which drops packets for all other services.

A packet filter that allows a limited number of services
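
The allow-list logic described above, modeled in Python as an added example; it is not the filter from the original page and does not use the system's own filter syntax. It assumes the standard TCP ports 21, 23 and 513 for ftpd, telnetd and rlogind, drops non-first IP fragments as a design choice of this model, and uses function names and sample packets constructed for illustration.

```python
import struct

# Assumption: standard TCP ports for the three servers named in the text.
ALLOWED_TCP_PORTS = {21: "ftpd", 23: "telnetd", 513: "rlogind"}
IPPROTO_TCP, IPPROTO_UDP = 6, 17

def filter_packet(pkt: bytes) -> str:
    """Return 'pass' or 'drop' for a raw IPv4 packet; anything not explicitly allowed is dropped."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:          # truncated or not IPv4
        return "drop"
    ihl = (pkt[0] & 0x0F) * 4                       # IP header length in bytes
    if ihl < 20 or len(pkt) < ihl + 4:              # bad IHL or no room for the port fields
        return "drop"
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    if flags_frag & 0x1FFF:                         # non-first fragment: no TCP header to inspect
        return "drop"
    if pkt[9] != IPPROTO_TCP:                       # the three allowed services are all TCP
        return "drop"
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return "pass" if dport in ALLOWED_TCP_PORTS else "drop"

def build_packet(proto: int, dport: int, frag_offset: int = 0, sport: int = 40000) -> bytes:
    """Constructed sample input: a minimal IPv4 header plus the source/destination port fields."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, frag_offset, 64, proto, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    return ip + struct.pack("!HH", sport, dport)

# Constructed test traffic (documentation addresses, not captured packets).
SAMPLES = {
    "telnet": build_packet(IPPROTO_TCP, 23),
    "ftp": build_packet(IPPROTO_TCP, 21),
    "rlogin": build_packet(IPPROTO_TCP, 513),
    "http": build_packet(IPPROTO_TCP, 80),
    "dns/udp": build_packet(IPPROTO_UDP, 53),
    "telnet-fragment": build_packet(IPPROTO_TCP, 23, frag_offset=185),
}

def decisions() -> dict:
    """Apply the filter to every constructed sample packet."""
    return {name: filter_packet(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:16s} {verdict}")
```

HTTP and DNS are dropped here because they are not on the allow list, which is the "inadvertently blocked" case the text mentions; adding a service means adding its port to `ALLOWED_TCP_PORTS` (or a UDP equivalent).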