Firewall: What It Is and How It Works
A firewall is a security system that controls network traffic based on predefined rules.
A firewall is a security system that monitors and controls network traffic based on a set of rules. It acts as a barrier between trusted internal networks and untrusted external ones, deciding which connections to allow and which to block. Firewalls are one of the most fundamental components of network security and are present in everything from home routers to enterprise data centres.
What Is a Firewall
A firewall is a network security device or software application that inspects incoming and outgoing traffic and enforces a defined set of rules to determine what is allowed to pass and what is blocked. Every packet entering or leaving a network passes through the firewall, which evaluates it against its ruleset and either permits it, drops it silently, or rejects it with an error response.
The term comes from the physical concept of a firewall in construction, a barrier designed to prevent fire from spreading from one area to another. In networking, it serves the same conceptual purpose: containing threats and preventing them from spreading from one part of a network to another, or from the public internet into a private network.
Firewalls can be implemented as dedicated hardware appliances, as software running on general-purpose servers, or as a combination of both. Modern operating systems include built-in software firewalls. Cloud platforms provide virtual firewalls called security groups or network access control lists. Enterprise networks use purpose-built hardware firewalls capable of inspecting traffic at very high throughput. Despite the variety of implementations, they all share the same fundamental purpose: enforcing access control on network traffic according to a policy.
How a Firewall Works
A firewall processes network traffic by comparing each packet or connection against an ordered list of rules. Rules typically specify conditions based on source IP address, destination IP address, port number, protocol, and direction of traffic. On most firewalls, and throughout this article, the first rule that matches decides the outcome: the firewall applies that rule's action and stops evaluating further rules. (pf on the BSDs and macOS is the notable exception: there the last matching rule wins unless a rule is marked quick.) If no rule matches, the firewall applies a default action, which in a secure configuration is to block the traffic.
- A packet arrives at the firewall, either inbound from the internet or outbound from the internal network
- The firewall extracts relevant information from the packet header, including the source IP, destination IP, source port, destination port, and protocol
- The firewall compares this information against its ordered ruleset from top to bottom
- The first rule that matches the packet's attributes is applied
- If the matching rule says allow, the packet is forwarded to its destination
- If the matching rule says deny or drop, the packet is either rejected with an error or silently discarded
- If no rule matches, the default policy is applied, typically a deny-all rule that blocks the packet
- For stateful firewalls, the connection is recorded in a state table so that subsequent packets belonging to the same connection are handled automatically
The order of rules matters significantly. A firewall evaluates rules sequentially and applies the first match it finds. Placing a broad allow rule before a more specific deny rule can inadvertently permit traffic that was intended to be blocked; the deny rule is then said to be shadowed, because no packet can ever reach it. Well-designed firewall rulesets are ordered from most specific to least specific, with the default deny rule at the bottom as a catch-all, and are checked for shadowed rules whenever a rule is inserted.
Types of Firewalls
Firewalls have evolved considerably since their introduction in the late 1980s. Each generation added new capabilities to inspect traffic at deeper levels and make more intelligent decisions about what to allow. Understanding the different types helps when choosing the right level of protection for a given environment.
| Type | How It Works | Strengths | Limitations |
|---|---|---|---|
| Packet Filtering | Inspects individual packets based on IP address, port, and protocol without tracking connection state | Fast and lightweight with minimal overhead | Cannot tell a genuine reply from an unsolicited packet crafted to look like one, and cannot see attacks that span multiple packets |
| Stateful Inspection | Tracks the state of active connections and allows return traffic for established sessions automatically | More secure than packet filtering, understands connection context | Does not inspect the content of packets, only their headers and state |
| Application Layer (Proxy) | Operates at the application layer, understanding specific protocols like HTTP and DNS to make more informed decisions | Can inspect content, detect protocol abuse, and enforce application-level policies | Higher processing overhead, potential latency, requires protocol-specific support |
| Next-Generation Firewall (NGFW) | Combines stateful inspection with deep packet inspection, intrusion prevention, application awareness, and user identity integration | Comprehensive visibility and control over modern traffic patterns | Expensive, complex to configure, requires ongoing management |
| Web Application Firewall (WAF) | Specifically designed to protect web applications by inspecting HTTP and HTTPS traffic for attacks like SQL injection and XSS | Purpose-built for web application threats, understands HTTP semantics | Only covers web traffic, not a replacement for a network firewall |
| Cloud Firewall | Virtualised firewall service provided by cloud platforms to control traffic between cloud resources using security groups and access control lists | Scales automatically, no hardware to manage, integrates with cloud infrastructure | Capabilities vary by provider, may not match on-premise firewall depth |
Stateful vs Stateless Firewalls
The distinction between stateful and stateless firewalls is one of the most important concepts in firewall design. A stateless firewall, also called a packet filter, evaluates each packet in isolation without any memory of previous packets. It applies its rules purely based on the information contained in that single packet's headers. This approach is fast and simple but has significant limitations.
Consider a client making an outbound HTTP request. The client sends a packet to port 80 on the server, and the server responds with a packet from port 80 back to the client's ephemeral port. A stateless firewall needs an explicit rule to allow this inbound response packet, even though it is clearly part of a connection the client initiated. Without that rule, the response is blocked. This forces administrators to write broad inbound rules that accept traffic from source port 80, or to any high-numbered destination port, creating a larger attack surface than necessary: an attacker can send unsolicited packets that satisfy exactly the same rule. Matching on TCP flags (admitting only inbound packets with ACK set, the classic established keyword in router ACLs) narrows this somewhat, but flags are trivially forged and the trick does not apply to UDP at all.
A stateful firewall solves this by maintaining a state table that records every active connection, including the source and destination addresses, ports, protocol, and current connection state. When a client initiates an outbound connection, the firewall records it. When the response arrives, the firewall recognises it as belonging to an established connection and allows it automatically, without requiring any explicit inbound rule. This makes stateful firewalls significantly more secure than stateless ones while keeping the ruleset simpler. The state table is a finite resource, though: every entry costs memory, connection floods can exhaust it, and for connectionless protocols such as UDP the "state" is only a timer started by the first packet, so stateful tracking is a weaker guarantee there than for TCP.
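To make the evaluation steps listed earlier and the stateful-versus-stateless difference concrete, here is an added example in Python; it is not code from the original article. It implements a first-match evaluator with a default-deny fallthrough and an optional state table, then replays the HTTP exchange described above (client 10.0.0.5 talking to server 203.0.113.10, both addresses constructed) against three configurations: a plain stateless ruleset, the stateless "accept anything from source port 80" workaround, and a stateful instance. The Rule and Packet fields and the `allow:rule1` style of return value are this example's own conventions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (towards the protected network) or "out"
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow", "drop" (silent) or "reject" (error back)
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"       # source network; 0.0.0.0/0 means any
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None  # None means any source port
    dport: Optional[int] = None  # None means any destination port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))


class Firewall:
    """Ordered ruleset, first match wins, unmatched traffic is dropped."""

    def __init__(self, rules: Iterable[Rule], stateful: bool):
        self.rules = list(rules)
        self.stateful = stateful
        self.state = set()  # 5-tuples of connections an allow rule admitted

    @staticmethod
    def _flow(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_flow(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def evaluate(self, p: Packet) -> str:
        if self.stateful:
            # A packet belonging to a recorded connection, in either
            # direction, is accepted without consulting the rules again.
            if self._flow(p) in self.state or self._reverse_flow(p) in self.state:
                return "allow:established"
        for n, rule in enumerate(self.rules, start=1):
            if rule.matches(p):
                if rule.action == "allow" and self.stateful:
                    self.state.add(self._flow(p))
                return f"{rule.action}:rule{n}"   # stop at the first match
        return "drop:default"                      # nothing matched: default deny


def http_exchange(mode: str):
    """Replay the outbound HTTP request, the server's reply, and a forged
    'reply' from a host the client never contacted. Addresses are constructed.
    mode is "stateless", "stateless_reply_rule" or "stateful"."""
    rules = [Rule("allow", "out", "tcp", src="10.0.0.0/8", dport=80)]
    if mode == "stateless_reply_rule":
        # The stateless workaround: admit anything that looks like a server reply.
        rules.append(Rule("allow", "in", "tcp", sport=80))
    fw = Firewall(rules, stateful=(mode == "stateful"))
    request = Packet("out", "tcp", "10.0.0.5", 51234, "203.0.113.10", 80)
    reply = Packet("in", "tcp", "203.0.113.10", 80, "10.0.0.5", 51234)
    forged = Packet("in", "tcp", "198.51.100.7", 80, "10.0.0.5", 51234)
    return fw.evaluate(request), fw.evaluate(reply), fw.evaluate(forged)


if __name__ == "__main__":
    for mode in ("stateless", "stateless_reply_rule", "stateful"):
        print(f"{mode:>21}:", http_exchange(mode))
```

The plain stateless ruleset drops the legitimate reply; the source-port workaround admits the reply but also admits the forged packet, which is the enlarged attack surface the text warns about; the stateful instance admits the reply from its state table and still drops the forged packet because it belongs to no recorded connection.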
| Feature | Stateless Firewall | Stateful Firewall |
|---|---|---|
| Connection awareness | None, each packet evaluated independently | Tracks full connection state in a state table |
| Return traffic handling | Requires explicit rules to allow response packets | Automatically allows return traffic for established sessions |
| Performance | Very fast, minimal memory usage | Some overhead for state table lookups and maintenance; the table is finite and can be exhausted by connection floods |
| Security | Cannot distinguish a genuine reply from a spoofed packet that merely looks like one; handling of fragmented packets is weak | Drops packets that belong to no recorded connection, including forged replies and stray ACKs |
| Rule complexity | Requires more rules to handle bidirectional traffic | Simpler rules because return traffic is handled implicitly |
| Common use | Simple ACLs on routers, basic network edge filtering | Most modern firewalls and security appliances |
Firewall Rules and Policies
A firewall's effectiveness is entirely determined by the quality of its ruleset. A misconfigured firewall that allows too much traffic provides little real protection. A misconfigured firewall that blocks too much makes legitimate services inaccessible. Writing good firewall rules requires a clear understanding of what traffic your network needs to send and receive and a principle of denying everything else by default.
The principle of least privilege applies directly to firewall rules. Each rule should allow only the minimum traffic necessary for a specific legitimate purpose. Rather than allowing all inbound traffic on port 443 from any source, a rule might restrict it further to specific source IP ranges if the service is not meant to be publicly accessible. Rather than allowing a server to make outbound connections to any destination, rules should restrict outbound traffic to only the external services the server genuinely needs to reach.
Rule 1: ALLOW inbound TCP any → port 443 # Allow HTTPS from anywhere
Rule 2: ALLOW inbound TCP any → port 80 # Allow HTTP from anywhere
Rule 3: ALLOW inbound TCP 10.0.0.0/8 → port 22 # Allow SSH from internal only
Rule 4: DENY inbound TCP any → port 3306 # Block MySQL from public internet
Rule 5: ALLOW outbound TCP any → port 443 # Allow outbound HTTPS
Rule 6: ALLOW outbound UDP any → port 53 # Allow outbound DNS
Rule 7: DENY any any any → any # Default deny all other traffic
In this example the allow rules come first and do not overlap one another, an explicit deny follows, and the default deny sits at the bottom. Port 22 for SSH is restricted to the 10.0.0.0/8 range, so nobody on the public internet can reach the login prompt. Rule 4 deserves a closer look: as written it matches inbound TCP to port 3306 from any source, so it blocks MySQL from internal clients as well as from the internet; if an application tier needs the database, a narrower allow from that subnet must be placed above it. With a default deny at the bottom, Rule 4 is technically redundant, but it is still worth keeping: it states the intent explicitly, produces a recognisable log entry, and protects the port if someone later inserts a broad allow below it. It offers no protection if that broad allow is inserted above it, which is why rule order is reviewed as carefully as rule content. Rule 6 allows DNS over UDP only; DNS falls back to TCP port 53 for responses that do not fit in a UDP datagram and for zone transfers, so hosts that need that should get a matching TCP rule. The ruleset also assumes a stateful firewall: no rule admits the return traffic for the outbound connections in Rules 5 and 6, which a stateful engine handles from its state table.
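The ordering concerns in this section can be checked mechanically. The following is an added example in Python, not code from the original article: it parses rules written in the notation used above, reports any rule that is shadowed by an earlier one (it can never match, and if the actions differ the policy has silently changed) and any rule that is redundant with a later rule of the same action, and runs both checks over the seven rules above and over a constructed mis-ordered ruleset in which a broad "temporary" allow was left at the top. The rule notation is the article's; the analysis, the MISORDERED list and its comments are this example's own.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List, Optional

# The seven rules from this article, verbatim.
PAGE_RULESET = [
    "Rule 1: ALLOW inbound TCP any → port 443 # Allow HTTPS from anywhere",
    "Rule 2: ALLOW inbound TCP any → port 80 # Allow HTTP from anywhere",
    "Rule 3: ALLOW inbound TCP 10.0.0.0/8 → port 22 # Allow SSH from internal only",
    "Rule 4: DENY inbound TCP any → port 3306 # Block MySQL from public internet",
    "Rule 5: ALLOW outbound TCP any → port 443 # Allow outbound HTTPS",
    "Rule 6: ALLOW outbound UDP any → port 53 # Allow outbound DNS",
    "Rule 7: DENY any any any → any # Default deny all other traffic",
]

# Constructed counter-example: a broad allow left at the top "temporarily".
MISORDERED = [
    "Rule 1: ALLOW inbound TCP any → any # temporary, never removed",
    "Rule 2: ALLOW inbound TCP 10.0.0.0/8 → port 22",
    "Rule 3: DENY inbound TCP any → port 3306",
    "Rule 4: DENY any any any → any",
]

RULE_RE = re.compile(
    r"^Rule\s+(\d+):\s+(ALLOW|DENY)\s+(\S+)\s+(\S+)\s+(\S+)\s+(?:→|->)\s+"
    r"(?:port\s+)?(\S+)\s*(?:#.*)?$")


@dataclass(frozen=True)
class Rule:
    num: int
    action: str            # "allow" or "deny"
    direction: str         # "inbound", "outbound" or "any"
    proto: str             # "tcp", "udp" or "any"
    src: IPv4Network       # "any" is stored as 0.0.0.0/0
    dport: Optional[int]   # None means any destination port


def parse(lines: List[str]) -> List[Rule]:
    rules = []
    for line in lines:
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        num, action, direction, proto, src, dport = m.groups()
        rules.append(Rule(int(num), action.lower(), direction.lower(), proto.lower(),
                          IPv4Network("0.0.0.0/0" if src == "any" else src),
                          None if dport == "any" else int(dport)))
    return rules


def covers(a: Rule, b: Rule) -> bool:
    """Every packet that matches b also matches a."""
    return (a.direction in ("any", b.direction)
            and a.proto in ("any", b.proto)
            and a.src.supernet_of(b.src)
            and (a.dport is None or a.dport == b.dport))


def overlaps(a: Rule, b: Rule) -> bool:
    """Some packet could match both a and b."""
    return (("any" in (a.direction, b.direction) or a.direction == b.direction)
            and ("any" in (a.proto, b.proto) or a.proto == b.proto)
            and a.src.overlaps(b.src)
            and (None in (a.dport, b.dport) or a.dport == b.dport))


def analyse(lines: List[str]) -> dict:
    """shadowed: (rule, earlier rule that hides it, whether the action differs).
    redundant: (rule, later rule of the same action that already covers it,
    with no rule of the opposite action overlapping it in between)."""
    rules = parse(lines)
    shadowed, redundant = [], []
    for j, rule in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, rule):
                kind = "same action" if earlier.action == rule.action else "action differs"
                shadowed.append((rule.num, earlier.num, kind))
                break
        for k in range(j + 1, len(rules)):
            later = rules[k]
            blocked = any(r.action != rule.action and overlaps(r, rule)
                          for r in rules[j + 1:k])
            if later.action == rule.action and covers(later, rule) and not blocked:
                redundant.append((rule.num, later.num))
                break
    return {"shadowed": shadowed, "redundant": redundant}


if __name__ == "__main__":
    print("article ruleset:", analyse(PAGE_RULESET))
    print("misordered:     ", analyse(MISORDERED))
```

On the article's ruleset nothing is shadowed and only Rule 4 is reported as redundant with the default deny. On the mis-ordered ruleset the SSH restriction in Rule 2 is dead (same action, so the restriction to 10.0.0.0/8 is silently lost) and the MySQL deny in Rule 3 is shadowed with the opposite action, which is precisely the exposure the ordering rule warns about.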
Network Firewalls vs Host-Based Firewalls
Firewalls operate at two distinct levels in a network architecture. A network firewall sits at the boundary between networks and controls traffic flowing between them, such as between the internet and a private network or between different network segments within an organisation. A host-based firewall runs directly on an individual device and controls traffic entering and leaving that specific machine.
Network firewalls provide perimeter defence. They protect all devices behind them from external threats without requiring any configuration on individual machines. However, they do not protect against threats that originate from inside the same network segment. If one machine within the network is compromised, it can communicate freely with other machines on the same segment because their traffic never passes through the perimeter firewall.
Host-based firewalls address this gap. By running a firewall on each individual machine, traffic between machines on the same network segment is also subject to inspection and control. This is particularly important in cloud environments and zero-trust security architectures where the assumption is that no part of the network is inherently trusted, even internal traffic. Most modern operating systems include built-in host firewalls. Windows Firewall, iptables and nftables on Linux, and pf on macOS and BSD systems are all examples.
Firewalls in Cloud Environments
Cloud platforms implement firewall concepts through virtualised constructs that integrate directly with their infrastructure. On AWS, security groups act as stateful firewalls attached to the network interfaces of instances and other services, controlling inbound and outbound traffic with rules based on IP ranges, protocols, and ports. Security group rules are allow-only and unordered: traffic is permitted if any rule matches it and everything else is implicitly denied, so there is no explicit deny and no way for one rule to shadow another. Network Access Control Lists (NACLs) provide stateless filtering at the subnet level with numbered allow and deny rules evaluated in order, and because they are stateless they need rules for return traffic, including the ephemeral port range, in the opposite direction. Together they create layered access control without requiring any physical hardware.
Cloud firewalls differ from traditional hardware firewalls in several important ways. They are defined entirely through configuration files or API calls, making them easy to version-control and deploy through infrastructure-as-code tools like Terraform. They scale automatically with the resources they protect. They can be applied consistently across hundreds or thousands of instances simultaneously. However, they also require careful management to avoid rule sprawl, where accumulated legacy rules make it difficult to understand the actual access policy in effect. Note too that a newly created security group allows all outbound traffic by default, so egress filtering in the cloud is something you must deliberately add.
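As an added example (not code from the original article or from any cloud provider's tooling), the following Python function audits security-group rules for internet-wide ingress on non-web ports and for unrestricted egress, the two cloud-side versions of the mistakes discussed in this article. SAMPLE_GROUPS is constructed to mirror the shape of a boto3 `describe_security_groups()` response; its group IDs, names and addresses are invented, and the assumption that only TCP 80 and 443 may face the internet is this example's own policy. Against a live account you would replace SAMPLE_GROUPS with the output of that call.

```python
from ipaddress import ip_network

# Assumption for this example: only these destination ports may accept
# connections from the whole internet.
PUBLIC_OK_PORTS = {80, 443}

# Constructed data in the shape of boto3's describe_security_groups() response.
# Group IDs, names and addresses are invented for the example.
SAMPLE_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "temp, remove"}],
          "Ipv6Ranges": [], "UserIdGroupPairs": []}],
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "db",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
          "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001"}]}],
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
          "UserIdGroupPairs": []}]},
]}


def world_open(perm) -> bool:
    """True if the permission names a /0 (all of IPv4 or all of IPv6)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(ip_network(c).prefixlen == 0 for c in cidrs)


def port_range(perm):
    """Ports a permission covers; None for 'all traffic' (IpProtocol -1) and
    for ICMP, whose FromPort/ToPort hold type and code rather than ports."""
    if perm["IpProtocol"] in ("-1", "icmp", "icmpv6"):
        return None
    return range(perm["FromPort"], perm["ToPort"] + 1)


def all_ports(perm) -> bool:
    ports = port_range(perm)
    return perm["IpProtocol"] == "-1" or (ports is not None and len(ports) == 65536)


def audit(groups):
    """Return (group id, direction, scope, message) for each finding."""
    findings = []
    for sg in groups["SecurityGroups"]:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            if not world_open(perm):
                continue
            ports = port_range(perm)
            if ports is None:
                findings.append((gid, "ingress", perm["IpProtocol"],
                                 "protocol open to the whole internet"))
                continue
            exposed = sorted(set(ports) - PUBLIC_OK_PORTS)
            if exposed:
                scope = f"{perm['IpProtocol']}/{exposed[0]}-{exposed[-1]}"
                findings.append((gid, "ingress", scope,
                                 "non-web port reachable from the whole internet"))
        for perm in sg.get("IpPermissionsEgress", []):
            if world_open(perm) and all_ports(perm):
                findings.append((gid, "egress", perm["IpProtocol"],
                                 "unrestricted egress: outbound C2 and exfiltration unfiltered"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUPS):
        print(*finding)
```

The web group produces two findings (SSH open to the world, and the allow-all egress that every new security group starts with); the db group produces none, because its only ingress is from an internal /24 and a referenced security group, and its egress is limited to HTTPS.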
Common Firewall Mistakes
Even well-intentioned firewall configurations frequently contain mistakes that undermine security. Awareness of the most common errors makes it easier to avoid them when designing or auditing a ruleset.
- Allowing too-broad inbound rules: Rules that permit all traffic on a port from any source expose services to the entire internet. Services intended only for internal or specific external access should have source restrictions applied.
- Leaving default credentials on firewall management interfaces: The firewall management console is itself a high-value target. Weak or default credentials on the admin interface can lead to complete compromise of the firewall ruleset.
- Not applying egress filtering: Many firewalls focus entirely on inbound traffic and leave outbound traffic unrestricted. Attackers who compromise an internal machine can exfiltrate data or establish outbound command-and-control connections unless egress rules are enforced.
- Accumulating stale rules: Rules added for temporary purposes are often never removed. Over time, the ruleset accumulates permissions that no longer serve any legitimate purpose and silently expand the attack surface.
- Relying solely on the firewall for security: A firewall is one layer of defence, not a complete security solution. It does not protect against application-layer vulnerabilities, compromised credentials, or threats introduced through email attachments and downloads.
- Not logging blocked traffic: Dropped packets contain valuable security intelligence. Without logging, there is no visibility into what is being blocked, making it impossible to detect attack patterns or identify misconfigured legitimate traffic.
Frequently Asked Questions
- What is the difference between a firewall and an antivirus?
A firewall controls network traffic based on rules about where data is coming from and going to. It operates at the network level and makes decisions based on IP addresses, ports, and protocols. An antivirus scans files and processes on a device for known malicious patterns and behaviours. They protect against different types of threats and complement each other. A firewall prevents unauthorised network access. An antivirus catches malware that gets through by other means such as email attachments or downloaded files.
- Can a firewall block HTTPS traffic?
A standard network firewall can block HTTPS traffic entirely by blocking TCP port 443 (and UDP port 443 where HTTP/3 over QUIC is in use), but it cannot inspect the content of HTTPS connections without performing TLS inspection, because the content is encrypted. A next-generation firewall with TLS inspection capability (still widely called SSL inspection) can decrypt, inspect, and re-encrypt HTTPS traffic, allowing it to enforce content policies even on encrypted connections. This requires the firewall's certificate to be trusted by client devices, which is typically managed through group policy on corporate networks, and applications that pin their certificates will refuse the substituted certificate, so such deployments usually need exclusions.
- What is the difference between a firewall and a router?
A router's primary job is to forward packets between networks based on destination IP addresses. A firewall's primary job is to enforce access control policies on traffic. Home routers typically combine the two: they perform NAT, which as a side effect discards unsolicited inbound connections because no mapping exists for them, and usually add simple stateful packet filtering, which is why people often treat them as the same thing. In enterprise environments, routers and firewalls are usually separate devices with distinct roles, though next-generation firewalls often incorporate some routing capabilities as well.
- What does it mean to be behind a firewall?
Being behind a firewall means your device or network is protected by a firewall that controls what external traffic can reach you. In a home network, all devices are behind the router's built-in firewall, which blocks unsolicited inbound connections from the internet while allowing traffic initiated from inside the network to flow freely. In a corporate network, being behind a firewall means your traffic is subject to the organisation's access control and monitoring policies.
- Is a firewall enough to secure a network?
No. A firewall is an important and necessary layer of security, but it is not sufficient on its own. It protects against network-level threats but does not address application vulnerabilities, weak passwords, social engineering, insider threats, or malware introduced through legitimate channels like email and web browsing. A complete security posture combines firewalls with intrusion detection systems, endpoint protection, security patching, access control policies, user training, and regular security audits.
- What is a DMZ in the context of firewalls?
A DMZ, or demilitarised zone, is a network segment that sits between the public internet and a private internal network, separated from both by firewalls. Servers that need to be publicly accessible, such as web servers and email servers, are placed in the DMZ. Traffic from the internet can reach DMZ servers, but DMZ servers cannot freely access the internal private network. This limits the damage if a publicly accessible server is compromised, because the attacker gains access to the DMZ but faces another firewall barrier before reaching internal systems.
Conclusion
Firewalls are a foundational component of network security that every networked system depends on, from home routers to cloud infrastructure. By inspecting traffic against a defined ruleset and enforcing a default-deny policy, firewalls dramatically reduce the attack surface exposed to the public internet and limit the movement of threats that do get inside the network perimeter. Understanding the difference between stateful and stateless firewalls, how rules are evaluated, where network and host-based firewalls fit in a layered security strategy, and the common mistakes that undermine firewall effectiveness gives you the knowledge to configure and reason about firewall policies with confidence. To go deeper, explore Network Address Translation, proxy servers, ports and sockets, and HTTP vs HTTPS.
