Packet.School
HomeLevelsSandboxFreeAbout
XP0
L4 · Network Devices
Level 4
5 lessons
  • 01Hub vs Switch
  • 02Router
  • 03Build Network Topology
  • 04Firewall
  • 05Level 4 Quiz
Levels/L4 · Network Devices/Lesson 04
Lesson · 04

Firewall

A firewall inspects network traffic against a set of rules and decides allow or deny. It's the network's border gate: it decides who gets in and out.

Duration
3min
Level
L4
Type
Lesson
Progress
4/ 5

01What is a firewall?

code
Internet → [Firewall] → Internal network
              ↓
          Rules:
          ✓ Port 80  (HTTP)  → allow
          ✓ Port 443 (HTTPS) → allow
          ✗ Port 23  (Telnet) → deny

Every incoming and outgoing packet is compared against the rule list; the first matching rule wins.

02Firewall types

1. Packet filtering firewall

The simplest kind: looks only at IP addresses and port numbers. Fast, but blind to context.

2. Stateful firewall

Tracks connection state: it can ask "is this packet the reply to a conversation started from inside?" This is the modern default.

3. Application layer firewall

Operates at the application level; understands and analyzes HTTP or FTP content. The most detailed — and most expensive — inspection.

4. Next-Generation Firewall (NGFW)

Combines everything: stateful inspection + application awareness + intrusion prevention (IPS) + SSL inspection. The modern enterprise standard.

03Firewall rules

OrderSourceDestinationPortAction
1AnyWeb server80, 443Allow
2Admin PCAnyAnyAllow
3AnyAny22Deny
4AnyAnyAnyDeny

Rule logic:

  • Rules are evaluated top to bottom
  • The first match applies; nothing after it is read
  • The last line is always the safety net: deny all

04Software vs hardware firewall

FeatureSoftware firewallHardware firewall
WhereOn the deviceAt the network edge
ProtectsOne deviceThe whole network
ExampleWindows FirewallCisco ASA, Fortinet
ManagementEasyRequires expertise

They aren't rivals — they're layers: an enterprise network runs a hardware firewall at the border and a software firewall on every server.

05DMZ (Demilitarized Zone)

A buffer zone that isolates public-facing servers from the internal network:

code
Internet → [Firewall] → DMZ → [Firewall] → Internal network
                         ↓
                    Web server
                    Mail server

Servers in the DMZ are reachable from the internet, but even if compromised they can't cross into the internal network. Limiting a breach's blast radius matters as much as preventing it.

06Ports and typical decisions

PortServiceTypical decision
20-21FTPAllow, controlled
22SSHAdmin IPs only
23TelnetAlways deny (unencrypted!)
25SMTPMail server only
53DNSAllow
80 / 443HTTP / HTTPSAllow
3389RDPVPN only
Sandbox · ReferenceCheat SheetEvery common port and protocol in one table — keep it open while writing rules.Open tool

07Best practices

  1. Default deny — anything not explicitly allowed is blocked
  2. Least privilege — open only the ports genuinely needed
  3. Logging — record both allowed and denied traffic
  4. Regular review — prune rules nobody uses anymore
  5. Segmentation — divide the network, build a DMZ

08Summary

  • Firewall = rule-based traffic filtering
  • Rules run in order; first match wins, deny-all catches the rest
  • Stateful firewalls track connections; NGFW combines everything
  • A DMZ isolates public-facing servers from the internal network
Previous
Build Network Topology
Next
Level 4 Quiz
On this page
  • What is a firewall?
  • Firewall types
  • Firewall rules
  • Software vs hardware firewall
  • DMZ (Demilitarized Zone)
  • Ports and typical decisions
  • Best practices
  • Summary
Packet.School

An open, interactive curriculum for computer networking.

v3.0 · MIT22 lessons live

Learn

  • Lessons
  • Sandbox
  • Levels
  • Free
  • About

Simulations

  • Packet Journey
  • DNS Lookup
  • DHCP Simulator
  • Subnet Calc
  • Network Builder
  • Terminal

Project

  • About
  • Changelog
  • GitHub
  • Contributing
  • Style guide

Newsletter

One short email when a new level ships. No tracking pixels.

© 2026 Packet.School — MIT licensedSupport with a coffeebuilt in the open