A computer network firewall is a programmed processor, or a subsystem thereof, connected to a gateway or other network server, that monitors messages destined for recipients within an internal network. The firewall blocks messages that meet predetermined criteria, such as a particular packet source address or particular message content. In typical firewalls, connections between a sending client and a network recipient are accepted or rejected by comparing parameters of incoming TCP/IP packets (for example, the source address, the destination port and the TCP flags) against rules that determine whether a given transmission should be allowed or blocked. To determine whether a specific message is legitimate or unwanted ‘spam’ (advertising, malicious bulk transmissions or other unsolicited email), the network traffic must be analyzed and the specific clients that are sending the unwanted messages identified.
Although existing firewall systems provide the basic capability of screening incoming messages, their rules must be set up or programmed by hand to detect the specific clients whose messages are to be blocked or rejected. System administrators therefore spend a great deal of time both analyzing logged information to discover which clients have been trying to overwhelm the system with incoming connection requests and configuring specific rules to limit the access of particular ‘spammers’ to the internal network.
Many existing firewalls are content-based, that is, they read or scan the messages themselves. Content-based message screening is costly in computing resources and raises privacy concerns, and content-based firewalls are known to reject some legitimate messages (false positives). Although it is important that a firewall detect as many unwanted messages as possible, it is equally, if not more, important that the firewall not block or reject legitimate email or other transmissions.
Furthermore, to administer a system that controls incoming TCP/IP connections, it is desirable to generate accurate reports describing the incoming traffic from each client and the number of connection attempts in excess of a predetermined connection limit. Previously known activity logging methods are inefficient. These methods include (1) keeping tables in kernel memory, which are difficult to maintain because it is difficult to know when the logging information kept for a specific client is no longer needed and its entry can be discarded, and (2) logging each over-limit TCP/IP SYN (connection request) packet, which generates an extremely large number of log messages during a connection flood.
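The following simulation is an added example, not code from the original text or from any product it describes. It applies the per-client connection limit discussed above to a constructed packet trace, compares each TCP SYN's source address against the limit, and counts over-limit attempts per client so that one summary record per client and reporting window is produced instead of one log message per dropped SYN (method (2) above). Expiring counters at fixed window boundaries is an assumption made here to sidestep the table-maintenance problem of method (1); the addresses, limit and window length in the sample are likewise hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    time: float      # seconds since capture start
    src: str         # source address (hypothetical values in the sample)
    dst_port: int
    syn: bool        # True for a TCP SYN (connection request)


@dataclass
class ClientStats:
    attempts: int = 0   # SYNs seen from this client in the current window
    blocked: int = 0    # SYNs dropped because attempts exceeded the limit


class SynLimiter:
    """Rate-limits TCP connection requests per source address.

    Keeps a small per-client counter for the current reporting window and
    emits one summary record per over-limit client when the window ends,
    rather than one log message per dropped SYN.
    """

    def __init__(self, limit: int, window: float):
        self.limit = limit                   # SYNs allowed per client per window
        self.window = window                 # window length in seconds (assumption)
        self.current_window = 0              # index of the window being counted
        self.stats = defaultdict(ClientStats)
        self.reports = []                    # (window_start, src, attempts, blocked)
        self.per_packet_log = []             # what per-SYN logging would produce

    def admit(self, pkt: Packet) -> bool:
        """Return True if the packet is allowed through, False if dropped."""
        if not pkt.syn:
            return True                      # only connection requests are limited
        window = int(pkt.time // self.window)
        if window != self.current_window:
            self._flush(window)              # window boundary: summarize and reset
        s = self.stats[pkt.src]
        s.attempts += 1
        if s.attempts > self.limit:
            s.blocked += 1
            # Method (2) from the text: one log line for every over-limit SYN.
            self.per_packet_log.append(
                f"{pkt.time:.2f} DROP SYN {pkt.src} -> :{pkt.dst_port}")
            return False
        return True

    def _flush(self, next_window: int) -> None:
        start = self.current_window * self.window
        for src, s in sorted(self.stats.items()):
            if s.blocked:                    # only over-limit clients are reported
                self.reports.append((start, src, s.attempts, s.blocked))
        self.stats.clear()                   # counters expire with the window
        self.current_window = next_window

    def finish(self) -> list:
        """Close the last window and return all summary records."""
        self._flush(self.current_window + 1)
        return list(self.reports)


def sample_traffic() -> list:
    """Constructed sample: two ordinary clients and one client flooding SYNs."""
    pkts = []
    for i in range(3):
        pkts.append(Packet(0.1 + i * 0.1, "198.51.100.10", 25, True))
    for i in range(4):
        pkts.append(Packet(0.5 + i * 0.1, "198.51.100.11", 25, True))
    for i in range(40):
        pkts.append(Packet(1.0 + i * 0.05, "203.0.113.77", 25, True))
    pkts.append(Packet(3.5, "203.0.113.77", 25, False))   # data packet, not limited
    pkts.append(Packet(10.5, "198.51.100.10", 25, True))   # falls in the next window
    return sorted(pkts, key=lambda p: p.time)


def run(limit: int = 5, window: float = 10.0):
    """Feed the sample trace through the limiter; return (admitted, reports, per-SYN log lines)."""
    fw = SynLimiter(limit, window)
    admitted = sum(fw.admit(p) for p in sample_traffic())
    return admitted, fw.finish(), len(fw.per_packet_log)


if __name__ == "__main__":
    admitted, reports, per_packet = run()
    print(f"admitted {admitted} packets")
    print(f"per-SYN logging would have written {per_packet} lines")
    for start, src, attempts, blocked in reports:
        print(f"window from t={start:.0f}s: {src} sent {attempts} SYNs, {blocked} over the limit")
```

With a limit of 5 SYNs per 10-second window, the flooding client's 40 SYNs produce 35 per-packet log lines under method (2) but a single summary record under the windowed counter, and the two ordinary clients, which never exceed the limit, generate no report at all.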