防火墙使用下列三种方法之一或几种来控制进出网络的通信：

　　(1)数据包过滤：数据包(小块数据)由一组过滤器进行分析。能通过过滤器的数据包被发送到发出请求的系统，其它的被丢弃。

　　(2)代理服务：来自Internet的信息通过防火墙进行检索，然后发送到提出请求的系统，反之亦然。

　　(3) Stateful inspection: A newer method that doesn’t examine the contents of each packet but instead compares certain key parts of the packet to a database of trusted information. Information traveling from inside the firewall to the outside is monitored for specific defining characteristics, then incoming information is compared to these characteristics. If the comparison yields a reasonable match, the information is allowed through. Otherwise it is discarded.

　　(3)状态检查：一种更新的方法，并不检查每个数据包的内容，而是将数据包的某个关键部分与一个可信的信息数据库比较。从防火墙内部传输到外部的信息可根据特别规定的特性进行监控，然后将输入信息与这些特性相比较，若生成一个合理的匹配，则信息允许通过，否则就丢弃。

　　The level of security you establish will determine how many of these threats can be stopped by your firewall. The highest level of security would be to simply block everything. Obviously that defeats the purpose of having an Internet connection. But a common rule of thumb[3 is to block everything, then begin to select what types of traffic you will allow. You can also restrict traffic that travels through the firewall so that only certain types of information, such as e-mail, can get through. For most of us, it is probably better to work with the defaults provides by the firewall developer unless there is a specific reason to change it.

　　你所设定的安全级别将决定这些威胁有多少能够被你的防火墙所阻止。最高安全级别就是阻断一切。很显然，这就失去了进行Internet连接的意义。但通常的经验做法是阻断一切，然后，开始选择你将允许什么类型的通信。你还可以限制通过防火墙的通信，以便只有几种信息通过，如电子邮件。对我们大多数人来说，除非有特殊的理由要改变它，否则最好在防火墙开发商提供的默认条件下工作。

　　One of the best things about a firewall from a security standpoint is that it stops anyone on the outside from logging onto a computer in your private network. While this is a big deal[4] for businesses, most home networks will probably not be threatened in this manner.

　　从安全的角度来看，防火墙的一个优点就是它能阻止任何外来人登录到专用网中的一台计算机上，这对企业很重要，大多数家庭网在这种方式下可以不受威胁。

[1]  [2]