A firewall is your network's first line of defense. It monitors and controls incoming and outgoing network traffic based on predetermined security rules, acting as a barrier between your trusted internal network and untrusted external networks like the internet.
How Firewalls Work
Firewalls examine network packets (small chunks of data) and decide whether to allow or block them based on rules you define. Think of it as a security guard checking IDs at a building entrance.
Basic Firewall Operation
- Packet arrives: Data comes in from the network
- Inspection: Firewall examines packet headers (source, destination, port, protocol)
- Rule matching: Packet is compared against firewall rules
- Decision: Packet is allowed, blocked, or logged
```text
        Internet Traffic
               │
               ▼
        ┌─────────────┐
        │  FIREWALL   │
        │             │
        │ Rules Check │
        │  ┌───────┐  │
        │  │Allow? │  │
        │  └───┬───┘  │
        └──────┼──────┘
               │
           ┌───┴───┐
           │       │
           ▼       ▼
         Allow   Block
           │       │
           ▼       X
        Internal
        Network
```
Inbound rules control traffic coming into your network from the internet. Outbound rules control traffic leaving your network. Most home firewalls focus on inbound protection, while enterprise firewalls also heavily regulate outbound traffic.
Types of Firewalls
By Filtering Method
| Type | How It Works | Pros/Cons |
|---|---|---|
| Packet Filtering | Examines individual packets based on headers | Fast but basic; no context awareness |
| Stateful Inspection | Tracks connection state and context | More secure; understands sessions |
| Application Layer | Inspects actual application data | Deep inspection but slower |
| Next-Gen (NGFW) | Combines all methods + threat intelligence | Most comprehensive protection |
By Deployment
- Network Firewall: Protects entire network at the perimeter (hardware or software)
- Host-based Firewall: Runs on individual devices (Windows Firewall, iptables)
- Cloud Firewall: Firewall-as-a-service for cloud infrastructure
- Web Application Firewall (WAF): Specifically protects web applications
Stateful vs Stateless
The key difference between modern and legacy firewalls:
| Stateless (Packet Filtering) | Stateful |
|---|---|
| Each packet examined independently | Tracks entire connection state |
| No memory of previous packets | Remembers established connections |
| Can't detect session hijacking | Can identify suspicious behavior |
| Faster but less secure | Slightly slower but much more secure |
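The table above is easiest to see with a small simulation. The following is an added example, not code from the original page: two toy firewalls that must both let an internal host's HTTPS replies back in. The stateless one can only do that by admitting any inbound packet whose source port is 443, so an unrelated packet that merely uses source port 443 slips through; the stateful one keeps a connection table and admits inbound packets only when they match a connection an internal host opened. All addresses and ports are constructed sample values from the documentation ranges.

```python
from dataclasses import dataclass


# Constructed sample traffic: 10.0.0.5 is an internal host, 203.0.113.10 a web
# server it browses, 198.51.100.7 an unrelated external host.
@dataclass(frozen=True)
class Packet:
    direction: str  # "out" leaves the network, "in" arrives from the internet
    src: str
    sport: int
    dst: str
    dport: int


class StatelessFirewall:
    """Judges every packet on its own headers. To let HTTPS replies back in,
    it has to accept any inbound packet with source port 443, because it has
    no memory of whether anyone inside asked for it."""

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out" and pkt.dport == 443:
            return True
        if pkt.direction == "in" and pkt.sport == 443:
            return True
        return False


class StatefulFirewall:
    """Records outbound connections and admits inbound packets only when they
    belong to a connection an internal host opened."""

    def __init__(self) -> None:
        # Connection table keyed as (internal ip, internal port, remote ip, remote port)
        self.connections: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out" and pkt.dport == 443:
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if pkt.direction == "in":
            # A reply swaps source and destination, so look the flow up that way round.
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections
        return False


# Constructed packets: a browser opening a page, the server's reply, and an
# inbound packet from an unrelated host that merely uses source port 443.
REQUEST = Packet("out", "10.0.0.5", 51234, "203.0.113.10", 443)
REPLY = Packet("in", "203.0.113.10", 443, "10.0.0.5", 51234)
UNSOLICITED = Packet("in", "198.51.100.7", 443, "10.0.0.5", 22)


def run(firewall) -> dict[str, bool]:
    """Feed the three packets through a firewall in order and record each verdict."""
    return {
        "request": firewall.allow(REQUEST),
        "reply": firewall.allow(REPLY),
        "unsolicited": firewall.allow(UNSOLICITED),
    }


if __name__ == "__main__":
    print("stateless:", run(StatelessFirewall()))
    print("stateful: ", run(StatefulFirewall()))
```

Run as a script it prints both verdict sets; the only difference is the `unsolicited` packet, which the stateless filter admits and the stateful one drops. Real connection tracking also expires table entries and follows TCP flags, but the lookup shown here is the core of what an iptables `ESTABLISHED` match does.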
Firewall Rules
Firewall rules define what traffic is allowed or denied. Rules are processed in order, and the first matching rule wins.
Rule Components
- Source: Where traffic originates (IP address or range)
- Destination: Where traffic is going
- Port: Network port (e.g., 80 for HTTP, 443 for HTTPS)
- Protocol: TCP, UDP, ICMP, etc.
- Action: Allow, Deny, or Log
Example Rules
```bash
# Allow established connections first (stateful): replies to connections we
# opened, plus related traffic such as ICMP errors
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow loopback; with a DROP policy, local services talking to 127.0.0.1 would otherwise break
iptables -A INPUT -i lo -j ACCEPT
# Allow inbound SSH only from specific IP
iptables -A INPUT -p tcp --dport 22 -s 192.168.1.100 -j ACCEPT
# Block all other inbound SSH (the default policy below would drop it anyway;
# an explicit rule keeps the intent visible when the rules are reviewed)
iptables -A INPUT -p tcp --dport 22 -j DROP
# Allow all outbound HTTPS traffic
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
# Default deny all inbound; set this last so the allow rules are already in place
iptables -P INPUT DROP
```
The most secure approach is "default deny": block everything by default, then explicitly allow only what is needed. This is better than the opposite "default allow" model, which tries to block known bad traffic while letting everything else through and therefore misses anything not yet on the blocklist.
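Two properties of rule processing matter most in practice: the first matching rule wins, and the chain policy decides anything no rule matches. The following added example (not code from the original page) models an INPUT chain equivalent to the iptables rules above, with a hypothetical minimal `Packet` and `Rule` type, and then evaluates the same rules with the blanket SSH `DROP` placed before the specific `ACCEPT`, which is the ordering mistake that locks an administrator out. The addresses are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


# Hypothetical minimal packet: protocol, destination port, source address and
# whether connection tracking already knows this flow (iptables ESTABLISHED).
@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    src: str
    established: bool = False


@dataclass(frozen=True)
class Rule:
    """One rule; a field left as None matches anything, like an omitted iptables option."""
    action: str                          # "ACCEPT" or "DROP"
    proto: Optional[str] = None
    dport: Optional[int] = None
    src: Optional[str] = None            # single address or CIDR range
    established: Optional[bool] = None   # True stands in for --state ESTABLISHED,RELATED

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.established is not None and self.established != pkt.established:
            return False
        return True


def evaluate(rules: list[Rule], policy: str, pkt: Packet) -> str:
    """First matching rule wins; the chain policy applies when nothing matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return policy


# A chain modeled on the INPUT rules in the example above.
INPUT_CHAIN = [
    Rule("ACCEPT", established=True),                            # replies to our own connections
    Rule("ACCEPT", proto="tcp", dport=22, src="192.168.1.100"),  # SSH from the admin host
    Rule("DROP", proto="tcp", dport=22),                         # SSH from anyone else
]
POLICY = "DROP"  # iptables -P INPUT DROP

# Same rules, but the blanket SSH DROP now sits before the specific ACCEPT.
MISORDERED_CHAIN = [INPUT_CHAIN[0], INPUT_CHAIN[2], INPUT_CHAIN[1]]

# Constructed sample packets.
ADMIN_SSH = Packet("tcp", 22, "192.168.1.100")
OTHER_SSH = Packet("tcp", 22, "203.0.113.9")
HTTPS_REPLY = Packet("tcp", 51234, "203.0.113.10", established=True)
UNSOLICITED_HTTP = Packet("tcp", 80, "203.0.113.9")  # no rule mentions port 80


def verdicts(chain: list[Rule]) -> dict[str, str]:
    """Evaluate each sample packet against a chain under the DROP policy."""
    return {
        "admin_ssh": evaluate(chain, POLICY, ADMIN_SSH),
        "other_ssh": evaluate(chain, POLICY, OTHER_SSH),
        "https_reply": evaluate(chain, POLICY, HTTPS_REPLY),
        "unsolicited_http": evaluate(chain, POLICY, UNSOLICITED_HTTP),
    }


if __name__ == "__main__":
    print("correct order:", verdicts(INPUT_CHAIN))
    print("misordered:   ", verdicts(MISORDERED_CHAIN))
```

With the correct order the admin host's SSH is accepted, everyone else's SSH is dropped, the HTTPS reply is accepted by the established rule, and the unsolicited HTTP packet falls through to the DROP policy. In the misordered chain the admin's SSH is dropped too: the broad DROP matched first and the specific ACCEPT was never consulted, which is exactly why the rule order and an out-of-band console matter when configuring a firewall over SSH.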
Common Ports to Know
| Port | Service | Notes |
|---|---|---|
| 22 | SSH | Secure shell - restrict to known IPs |
| 80 | HTTP | Unencrypted web traffic |
| 443 | HTTPS | Encrypted web traffic |
| 3389 | RDP | Remote Desktop - major attack target |
| 3306 | MySQL | Database - never expose publicly |
| 5432 | PostgreSQL | Database - never expose publicly |
Best Practices
Configuration Guidelines
- Default deny: Start with blocking everything, then allow specific services
- Least privilege: Only open ports that are absolutely necessary
- Document rules: Keep track of why each rule exists
- Regular audits: Review rules periodically and remove unused ones
- Log everything: Enable logging for blocked traffic to detect attacks
- Test changes: Always test new rules in a non-production environment first
When configuring firewalls remotely (especially via SSH), always ensure you have an alternative way to access the system. A wrong rule can cut off your own access. Consider using a console connection or out-of-band management.
What Not To Do
- Don't disable the firewall because an app doesn't work - find the specific port needed
- Don't allow all traffic from "trusted" internal networks without verification
- Don't ignore outbound rules - malware often phones home
- Don't forget IPv6 - many firewalls have separate IPv4 and IPv6 rules
Home vs Enterprise Firewalls
Home Router Firewall
Your home router likely has a basic firewall built in:
- NAT: Network Address Translation hides internal IPs from the internet
- SPI: Stateful Packet Inspection blocks unsolicited inbound traffic
- Port forwarding: Allows specific inbound connections when needed
Recommended settings:
- Keep SPI firewall enabled (usually default)
- Disable UPnP if not needed (automatic port forwarding is risky)
- Disable remote management from WAN
- Only forward ports you actually use
Enterprise Firewall Features
Business-grade firewalls offer additional capabilities:
- VPN termination: Secure remote access for employees
- Intrusion Prevention (IPS): Actively blocks known attack patterns
- Deep packet inspection: Examines content, not just headers
- Application awareness: Controls based on application, not just port
- Threat intelligence: Real-time updates about new threats
- SSL inspection: Decrypts HTTPS to inspect contents