In the absence of packet filtering capability, there are several alternatives, however none of them are as flexible or powerful as a packet-filtering router or host. [GS91] describes a method by which a dual-homed host, that is, a host with two interfaces used as a subnet gateway, can be used to block all TCP/IP traffic from entering or leaving the protected subnet. IP forwarding would be disabled at the host, and any users who might wish to telnet or otherwise access outside systems would log into the gateway itself. This arrangement is somewhat restrictive since it requires users to connect to the gateway before connecting inward or outward, however can be very secure and more cost-effective for small sites.
Another alternative is for all hosts to use third-party packages that provide access control to certain services. [Ven92] has created a ``TCP Wrapper'' package that is available via anonymous ftp and serves as a front-end to all services executed from the UNIX inetd daemon process, which include telnet, ftp, ``r'' services, and possibly SMTP. The front-end checks to determine whether the host requesting the connection is permitted and then either accepts or rejects the connection. The requesting host's address can be matched against a pattern.
The TCP Wrapper package does not protect other UDP-based services such as NIS, NFS, DNS, and so forth that are not invoked via the inetd daemon process. [LeF92] has created a package called ``Securelib'' for SunOS systems that can be used to provide access control to services mapped by the portmapper process. Using a similar method of pattern matching against the requesting host's address, a host can deny or accept requests to the portmapper. However, since the portmapper can be bypassed by determined crackers, this method does not provide the same degree of protection as does true packet-filtering capability. At the same time, the TCP Wrapper and Securelib packages provide a much higher level of security than default levels and would block casual attempts to exploit protocols.