
Firewall

firewall network-security traffic-filtering infrastructure
Plain English

A firewall is a security guard for your network. It sits between your devices and the outside world, checking every piece of traffic against a list of rules you set. If the traffic matches an “allow” rule, it passes through. If it matches a “deny” rule, or no rule at all, it gets blocked. It is the most fundamental layer of network security.

Technical Definition

A firewall is a network security system that monitors and filters traffic between network segments based on a defined ruleset. Firewalls operate at different layers of the OSI model depending on their type:

  • Packet-filtering firewalls (Layer 3-4): inspect individual packets against rules based on source/destination IP, port, and protocol. Stateless; each packet is evaluated independently.
  • Stateful inspection firewalls (Layer 3-4): track the state of active connections (TCP handshake state, sequence numbers) and only allow packets that belong to established, legitimate sessions.
  • Next-Generation Firewalls (NGFW): combine stateful inspection with deep packet inspection (DPI), application-layer awareness, intrusion prevention (IPS), and TLS decryption.
  • Virtual firewalls (vFirewall): software-based firewalls deployed within hypervisors or cloud environments (e.g., AWS Security Groups, NSX Distributed Firewall).
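The stateful inspection described above, as an added example that is not part of the original page: a small connection tracker that opens a session only when a host in the trusted zone sends a TCP SYN, follows the handshake, and admits inbound packets solely when they are replies in a tracked session. The trusted subnet, the addresses and the packet trace are constructed for the example; the point it shows is why a bare inbound ACK, which a stateless "established-looking" port filter would pass, is dropped by a stateful firewall.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed trusted zone for this example (assumption, not from the page).
TRUSTED = ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters: S=SYN, A=ACK, F=FIN, R=RST


class StatefulFirewall:
    """Tracks TCP sessions opened from the trusted zone and admits inbound
    packets only when they belong to one of those sessions."""

    def __init__(self) -> None:
        # key = (trusted host, port, remote host, port) -> connection state
        self.sessions: dict[tuple[str, int, str, int], str] = {}

    def filter(self, p: Packet) -> str:
        if ip_address(p.src) in TRUSTED:
            return self._outbound(p)
        return self._inbound(p)

    def _outbound(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport)
        state = self.sessions.get(key)
        if state is None:
            if p.flags == "S":                      # client SYN opens a new session
                self.sessions[key] = "SYN_SENT"
                return "ACCEPT"
            return "DROP"                           # no session and not a SYN
        if "R" in p.flags:
            del self.sessions[key]                  # reset tears the session down
            return "ACCEPT"
        if "F" in p.flags:
            self.sessions[key] = "CLOSING"          # let the close complete
        elif state == "SYN_RECV" and "A" in p.flags:
            self.sessions[key] = "ESTABLISHED"      # third step of the handshake
        return "ACCEPT"

    def _inbound(self, p: Packet) -> str:
        key = (p.dst, p.dport, p.src, p.sport)      # reverse of the tracked flow
        state = self.sessions.get(key)
        if state is None:
            return "DROP"                           # unsolicited: SYN, ACK probe, stray data
        if "R" in p.flags:
            del self.sessions[key]
            return "ACCEPT"
        if state == "SYN_SENT":
            if p.flags == "SA":                     # server SYN-ACK is step two
                self.sessions[key] = "SYN_RECV"
                return "ACCEPT"
            return "DROP"                           # out-of-sequence reply
        if "F" in p.flags:
            self.sessions[key] = "CLOSING"
        return "ACCEPT"                             # reply traffic in a live session


def simulate(packets: list[Packet]) -> list[str]:
    """Run a packet trace through a fresh firewall and return the verdicts."""
    fw = StatefulFirewall()
    return [fw.filter(p) for p in packets]


# Constructed trace: a normal outbound HTTPS handshake plus two unsolicited probes.
HANDSHAKE = [
    Packet("192.168.1.10", 40000, "203.0.113.5", 443, "S"),
    Packet("203.0.113.5", 443, "192.168.1.10", 40000, "SA"),
    Packet("192.168.1.10", 40000, "203.0.113.5", 443, "A"),
    Packet("203.0.113.5", 443, "192.168.1.10", 40000, "A"),     # reply data
]
UNSOLICITED = [
    Packet("198.51.100.7", 5555, "192.168.1.10", 22, "S"),      # inbound SYN
    Packet("198.51.100.7", 5555, "192.168.1.10", 22, "A"),      # bare ACK probe
]

if __name__ == "__main__":
    trace = HANDSHAKE + UNSOLICITED
    for p, verdict in zip(trace, simulate(trace)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}] {verdict}")
```

A real tracker (Linux conntrack, for instance) also times sessions out and checks sequence numbers; this example keeps only the state transitions so the difference between "port 443 is open" and "this packet belongs to a session we opened" is visible.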

Firewall rules are evaluated top-to-bottom with first-match semantics. A typical rule specifies: source IP/subnet, destination IP/subnet, protocol (TCP/UDP/ICMP), port range, and action (ALLOW/DENY/LOG). Most firewalls end with an implicit “deny all” rule.

Zone-based architectures define trust levels: untrusted (internet), DMZ (publicly accessible servers), and trusted (internal LAN). Traffic between zones passes through the firewall for inspection.

[Diagram: Untrusted (Internet) sends inbound traffic (malicious + legitimate) to the Firewall, which performs rule evaluation (ALLOW 443/tcp, ALLOW 80/tcp, DENY all) using stateful inspection at Layer 3-4 (IP, TCP/UDP ports); permitted traffic reaches the Trusted (Internal LAN) zone (Web Server, Database, Workstations), the rest is blocked.]

iptables rules (Linux)

# Allow established connections
$ sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow SSH from management subnet
$ sudo iptables -A INPUT -p tcp --dport 22 -s 10.30.30.0/24 -j ACCEPT

# Allow HTTP/HTTPS from anywhere
$ sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Deny everything else (explicit catch-all DROP; the chain policy is ACCEPT, so this rule supplies the default deny)
$ sudo iptables -A INPUT -j DROP

# View current rules
$ sudo iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num  target  prot  opt  source          destination
1    ACCEPT  all   --   0.0.0.0/0       0.0.0.0/0   state RELATED,ESTABLISHED
2    ACCEPT  tcp   --   10.30.30.0/24   0.0.0.0/0   tcp dpt:22
3    ACCEPT  tcp   --   0.0.0.0/0       0.0.0.0/0   tcp dpt:80
4    ACCEPT  tcp   --   0.0.0.0/0       0.0.0.0/0   tcp dpt:443
5    DROP    all   --   0.0.0.0/0       0.0.0.0/0

In the Wild

Firewalls are in every network, from a home router’s built-in firewall to enterprise perimeter appliances from Palo Alto, Fortinet, or Cisco. In cloud environments, AWS Security Groups and Azure NSGs act as virtual firewalls attached to instances and subnets. A common architecture places a firewall between the internet and a DMZ (where web servers live), and another between the DMZ and the internal network (where databases live). Firewall rule audits are a regular compliance requirement under PCI-DSS, HIPAA, and SOC 2. Misconfigured firewall rules (overly permissive “allow any any” entries) are one of the most common findings in penetration tests.
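Two points on this page lend themselves to one worked example: the first-match, top-to-bottom rule evaluation with an implicit deny from the Technical Definition, and the "allow any any" audit finding mentioned above. The code below is an added example, not part of the page or of any firewall product. It uses a constructed text rule format (ACTION PROTO SRC -> DST PORTS), reproduces the port-based rules from the iptables listing in that format (the ESTABLISHED,RELATED rule is stateful and outside this stateless model), and adds an audit that flags a permissive catch-all allow and any rule shadowed by an earlier one.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

ANY_NET = ip_network("0.0.0.0/0")
ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    action: str             # ALLOW, DENY or LOG
    proto: str              # tcp, udp, icmp or any
    src: IPv4Network
    dst: IPv4Network
    ports: tuple[int, int]  # inclusive destination port range


def parse_rule(line: str) -> Rule:
    """Parse 'ACTION PROTO SRC -> DST PORTS' (constructed format for this example).
    PORTS is a single port, a range such as 1024-65535, or 'any'."""
    action, proto, src, arrow, dst, ports = line.split()
    if arrow != "->":
        raise ValueError(f"malformed rule: {line!r}")
    net = lambda s: ANY_NET if s == "any" else ip_network(s, strict=False)
    if ports == "any":
        lo, hi = ANY_PORTS
    elif "-" in ports:
        lo, hi = (int(p) for p in ports.split("-", 1))
    else:
        lo = hi = int(ports)
    return Rule(action.upper(), proto.lower(), net(src), net(dst), (lo, hi))


def parse_ruleset(text: str) -> list[Rule]:
    lines = (l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#"))
    return [parse_rule(l) for l in lines]


def evaluate(rules: list[Rule], proto: str, src: str, dst: str, dport: int) -> tuple[str, Optional[int]]:
    """Top-to-bottom, first match wins. Returns (action, 1-based rule number);
    a packet matching no rule gets the implicit deny with rule number None."""
    for n, r in enumerate(rules, start=1):
        if r.proto not in ("any", proto):
            continue
        if ip_address(src) not in r.src or ip_address(dst) not in r.dst:
            continue
        if not (r.ports[0] <= dport <= r.ports[1]):
            continue
        return r.action, n
    return "DENY", None


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet that matches `inner` would already match `outer`."""
    return (outer.proto in ("any", inner.proto)
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and outer.ports[0] <= inner.ports[0]
            and inner.ports[1] <= outer.ports[1])


def audit(rules: list[Rule]) -> list[tuple[str, int, Optional[int]]]:
    """Findings: ('permissive-allow', n, None) for an ALLOW any->any any-port rule,
    ('shadowed', n, m) for rule n that can never match because rule m precedes it."""
    findings: list[tuple[str, int, Optional[int]]] = []
    for n, r in enumerate(rules, start=1):
        if r.action == "ALLOW" and r.src == ANY_NET and r.dst == ANY_NET and r.ports == ANY_PORTS:
            findings.append(("permissive-allow", n, None))
        for m, earlier in enumerate(rules[: n - 1], start=1):
            if covers(earlier, r):
                findings.append(("shadowed", n, m))
                break
    return findings


# The port-based rules from the iptables listing above, in this example's format.
PAGE_RULES = parse_ruleset("""
ALLOW tcp 10.30.30.0/24 -> any 22
ALLOW tcp any -> any 80
ALLOW tcp any -> any 443
DENY  any any -> any any
""")

# A constructed misconfiguration: the catch-all allow makes the deny unreachable.
BAD_RULES = parse_ruleset("""
ALLOW any any -> any any
DENY  tcp any -> any 23
""")

if __name__ == "__main__":
    print(evaluate(PAGE_RULES, "tcp", "10.30.30.5", "10.0.0.1", 22))        # ('ALLOW', 1)
    print(evaluate(PAGE_RULES, "tcp", "198.51.100.7", "10.0.0.1", 22))      # ('DENY', 4)
    print(evaluate(PAGE_RULES[:3], "udp", "198.51.100.7", "10.0.0.1", 53))  # ('DENY', None)
    print(audit(BAD_RULES))
```

The shadowing check is the part auditors most often want automated: after a permissive entry, or after the final catch-all deny, every later rule is dead, and a ruleset that has grown by appending tends to accumulate such entries.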