Packet Filtering on the Network Access Layer
The first reason why packet filtering is not performed on the network access layer is that one would have to write different kinds of rules for the different lower-level protocols on the different interfaces. Most routers have several connections running different lower-level protocols, and the headers of these protocols are not identical. Secondly, the headers on this level are of little use for filtering, since the source address they carry is usually that of the last router (the last hop in the whole connection) that handled the packet.
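To make both points concrete, here is an added example (not code from the original post): the same IPv4 packet is wrapped in an Ethernet II frame and in a PPP frame, each needs its own decapsulation logic and only Ethernet even carries a hop-local source address, while one network-layer rule applies to both. Addresses and MACs are constructed sample values.

```python
import struct

def ipv4_header(src, dst, proto=6, ttl=64):
    """Minimal 20-byte IPv4 header (no options, checksum left at 0)."""
    def ip2b(s):
        return bytes(int(o) for o in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       ip2b(src), ip2b(dst))

# Two link-layer encapsulations of the *same* IP packet.
def ethernet_frame(ip_pkt, src_mac, dst_mac):
    return dst_mac + src_mac + b"\x08\x00" + ip_pkt   # EtherType 0x0800 = IPv4

def ppp_frame(ip_pkt):
    return b"\xff\x03\x00\x21" + ip_pkt   # PPP addr/ctrl + protocol 0x0021 = IPv4

# Link-specific logic: every medium needs its own header parsing...
def strip_link_header(frame, link_type):
    if link_type == "ethernet":
        return frame[14:] if frame[12:14] == b"\x08\x00" else None
    if link_type == "ppp":
        return frame[4:] if frame[:4] == b"\xff\x03\x00\x21" else None
    raise ValueError(f"unknown link type {link_type}")

# ...and the link-layer "source" is the previous hop (or absent entirely).
def link_source(frame, link_type):
    return frame[6:12] if link_type == "ethernet" else None

# A single network-layer rule applies regardless of the medium underneath.
def ip_filter(ip_pkt, blocked_src):
    src = ".".join(str(b) for b in ip_pkt[12:16])   # IPv4 source at offset 12
    return "DROP" if src == blocked_src else "ACCEPT"

def filter_frame(frame, link_type, blocked_src):
    ip_pkt = strip_link_header(frame, link_type)
    if ip_pkt is None:
        return "DROP"   # not IPv4; outside the scope of this rule
    return ip_filter(ip_pkt, blocked_src)

def demo():
    pkt = ipv4_header("198.51.100.7", "192.0.2.10")   # constructed sample
    eth = ethernet_frame(pkt, bytes.fromhex("020000000001"),
                         bytes.fromhex("020000000002"))
    return (filter_frame(eth, "ethernet", "198.51.100.7"),
            filter_frame(ppp_frame(pkt), "ppp", "198.51.100.7"))
```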
Packet Filtering on the Application Layer
Since there are almost as many protocols as there are network-based applications, it is not realistic to set up packet filtering rules for each and every one of them. Dynamic filters can be set up to recognize and assess specific information fields in a particular protocol, but in the long term this is not a winning strategy: it is simply too cumbersome.