System and method for IP network address translation and IP...

Electrical computers and digital processing systems: multicomput – Computer-to-computer data addressing

Reexamination Certificate


Details

C709S244000, C709S232000, C370S401000

Reexamination Certificate

active

06266707

ABSTRACT:

BACKGROUND OF THE INVENTION
1. Technical Field of the Invention
This invention pertains to firewall capability for a gateway system. In particular, it relates to IP network address translation (NAT) and IP filtering with dynamic address resolution.
2. Background Art
Internet protocol (IP) network address translation (NAT) and IP filtering are functions which provide firewall-type capability to an Internet gateway system. In one specific system, this is accomplished by providing means for the system administrator to specify specific NAT and filtering rules via an operational navigator graphical user interface (GUI).
IP packet filtering is the process of checking each internet protocol (IP) packet that is going to be sent from, or has just arrived at, a gateway system, or node, in a communications network and, based upon that check, making a decision. The decision is (typically, and insofar as it relates to the preferred embodiment of this invention) whether the packet should be discarded or allowed to continue. These are termed the ‘deny’ and ‘permit’ actions. IP filtering is widely used in Internet firewall systems, by independent service providers (ISPs) and organizations connected to the Internet.
Filter rules are most commonly an ordered list of rules, processed sequentially from top to bottom (order is specified by the system administrator). Each rule permits a certain kind of IP traffic. Processing for an IP packet continues until the packet is permitted, explicitly denied, or there are no more rules, in which case it is denied. Usually a number of filter rules must be written for each protocol to be permitted.
The problem solved by this invention is: how can a system administrator write NAT and Filter rules when the IP address is not known?
It is, therefore, an object of the invention to provide an improved gateway system and method.
It is a further object of the invention to provide an improved system and method for specifying filter rules when the relevant IP address is not known.
It is a further object of the invention to provide a system and method for dynamically resolving IP addresses.
SUMMARY OF THE INVENTION
In accordance with the invention, a system and method is provided for a gateway system. Symbolic interface names are recognized in selected rule statements. A symbolic s-rule file is generated from these rule statements which includes symbolic interface names. During processing of a packet message, the s-rule file corresponding to the interface name in the packet message is processed, with symbolic addresses in the s-rule file resolved to the IP addresses obtained from the message.
Other features and advantages of this invention will become apparent from the following detailed description of the presently preferred embodiment of the invention, taken in conjunction with the accompanying drawings.
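An added illustration, not taken from the patent, of the ordered permit/deny evaluation described in the Background combined with the per-packet resolution of symbolic interface names described in the Summary. The `Rule` and `Packet` types, the `ppp0` name, the rule set and the choice to deny when a symbolic name cannot be resolved are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # CIDR, "*" or a symbolic interface name
    dst: str
    proto: str             # "tcp", "udp" or "*"
    dport: Optional[int]   # None matches any port

@dataclass(frozen=True)
class Packet:
    iface: str             # interface name carried with the packet
    iface_addr: str        # that interface's address at processing time
    src: str
    dst: str
    proto: str
    dport: int

def addr_matches(spec, addr, pkt):
    if spec == "*":
        return True
    if spec == pkt.iface:  # symbolic name: resolved per packet, not at rule load
        spec = pkt.iface_addr
    try:
        net = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        raise LookupError(f"unresolved symbolic address {spec!r}")
    return ipaddress.ip_address(addr) in net

def evaluate(s_rules, pkt):
    """First matching rule decides; anything unmatched or unresolvable is denied."""
    try:
        for r in s_rules.get(pkt.iface, []):
            if (addr_matches(r.src, pkt.src, pkt) and addr_matches(r.dst, pkt.dst, pkt)
                    and r.proto in ("*", pkt.proto) and r.dport in (None, pkt.dport)):
                return r.action
    except LookupError:
        pass
    return "deny"

# Constructed rule set: "ppp0" stands for whatever address the link currently holds.
S_RULES = {"ppp0": [
    Rule("deny", "10.0.0.0/8", "ppp0", "*", None),   # private source arriving from outside
    Rule("permit", "*", "ppp0", "tcp", 443),
    Rule("permit", "ppp0", "*", "*", None),          # traffic the gateway itself sends
]}
```

The same `S_RULES` keeps working after the link is re-established with a different address, because only the `iface_addr` supplied with each packet changes.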


