Chapter 11. Firewall Engineering

Once upon a time, all firewalls were hand-constructed, perhaps from software obtained from various pioneers at DEC and TIS. For these early gateways, packet filtering was easy, but not very sophisticated, which meant that it was not very safe. There were no tools to keep track of TCP sessions at the packet level. (Two of us, Steve and Bill, designed a dynamic packet filter in September, 1992, based mostly on off-the-shelf components, but the implementation looked complex enough that it scared us off.)

Gateways back then were mostly at the application level. We built filters for FTP and SMTP access. Circuit gateways allowed modified clients to make connections to the Internet without IP connectivity—between intranet ...

From Firewalls and Internet Security: Repelling the Wily Hacker, Second Edition.