Firewall
A firewall inspects network traffic against a set of rules and decides allow or deny. It's the network's border gate: it decides who gets in and out.
01What is a firewall?
Internet → [Firewall] → Internal network
↓
Rules:
✓ Port 80 (HTTP) → allow
✓ Port 443 (HTTPS) → allow
✗ Port 23 (Telnet) → deny
Every incoming and outgoing packet is compared against the rule list; the first matching rule wins.
02Firewall types
1. Packet filtering firewall
The simplest kind: looks only at IP addresses and port numbers. Fast, but blind to context.
2. Stateful firewall
Tracks connection state: it can ask "is this packet the reply to a conversation started from inside?" This is the modern default.
3. Application layer firewall
Operates at the application level; understands and analyzes HTTP or FTP content. The most detailed — and most expensive — inspection.
4. Next-Generation Firewall (NGFW)
Combines everything: stateful inspection + application awareness + intrusion prevention (IPS) + SSL inspection. The modern enterprise standard.
03Firewall rules
| Order | Source | Destination | Port | Action |
|---|---|---|---|---|
| 1 | Any | Web server | 80, 443 | Allow |
| 2 | Admin PC | Any | Any | Allow |
| 3 | Any | Any | 22 | Deny |
| 4 | Any | Any | Any | Deny |
Rule logic:
- Rules are evaluated top to bottom
- The first match applies; nothing after it is read
- The last line is always the safety net: deny all
04Software vs hardware firewall
| Feature | Software firewall | Hardware firewall |
|---|---|---|
| Where | On the device | At the network edge |
| Protects | One device | The whole network |
| Example | Windows Firewall | Cisco ASA, Fortinet |
| Management | Easy | Requires expertise |
They aren't rivals — they're layers: an enterprise network runs a hardware firewall at the border and a software firewall on every server.
05DMZ (Demilitarized Zone)
A buffer zone that isolates public-facing servers from the internal network:
Internet → [Firewall] → DMZ → [Firewall] → Internal network
↓
Web server
Mail server
Servers in the DMZ are reachable from the internet, but even if compromised they can't cross into the internal network. Limiting a breach's blast radius matters as much as preventing it.
06Ports and typical decisions
| Port | Service | Typical decision |
|---|---|---|
| 20-21 | FTP | Allow, controlled |
| 22 | SSH | Admin IPs only |
| 23 | Telnet | Always deny (unencrypted!) |
| 25 | SMTP | Mail server only |
| 53 | DNS | Allow |
| 80 / 443 | HTTP / HTTPS | Allow |
| 3389 | RDP | VPN only |
07Best practices
- Default deny — anything not explicitly allowed is blocked
- Least privilege — open only the ports genuinely needed
- Logging — record both allowed and denied traffic
- Regular review — prune rules nobody uses anymore
- Segmentation — divide the network, build a DMZ
08Summary
- Firewall = rule-based traffic filtering
- Rules run in order; first match wins, deny-all catches the rest
- Stateful firewalls track connections; NGFW combines everything
- A DMZ isolates public-facing servers from the internal network