What Is a Firewall? Ports, Rules, and How Traffic Gets Filtered

TL;DR — Key Takeaways

  • A firewall is a security device or software that monitors and controls incoming and outgoing network traffic based on a predefined set of rules.
  • Firewalls inspect packet headers — looking at source/destination IP addresses, port numbers, and protocols — to decide whether to allow, deny, or drop traffic.
  • Types range from simple packet-filtering firewalls (stateless, header-only checks) to next-generation firewalls that include intrusion prevention, application awareness, and threat intelligence.
  • Firewall rules are processed top-down, first-match-wins — rule order matters, and most rule sets end with an implicit deny that blocks anything not explicitly allowed.
  • Firewalls complement but do not replace other security tools like antivirus, IDS/IPS, and VPNs — defense in depth requires all of them working together.
  • Every major platform offers built-in firewall capability: Windows Firewall, Linux iptables/nftables, cloud security groups, and home router firewalls.

Every network needs a bouncer. Someone — or something — standing at the door, checking credentials, and deciding who gets in and who gets turned away. In networking, that bouncer is a firewall. It sits between your trusted internal network and the untrusted world outside, examining every packet of data that tries to cross the boundary.

Whether you are a home user with a broadband router, a system administrator managing hundreds of servers, or a cloud engineer writing security groups in AWS, understanding what a firewall does and how firewall rules work is foundational knowledge. Firewalls appear on every major IT certification exam — CompTIA Security+, Network+, CCNA — and for good reason: they are the first line of defense in virtually every network architecture.

In this guide, we will cover what a firewall is, how firewalls work under the hood, the different types of firewalls you will encounter, and how to read and write firewall rules. We will also look at the relationship between firewall ports and rules, walk through practical examples on Windows and Linux, and clarify how firewalls fit alongside other security tools.

What Is a Firewall?

A firewall is a network security system that monitors and filters traffic flowing between two or more networks — typically between a trusted internal network (using private IP addresses) and an untrusted external network like the internet. The firewall enforces a set of rules (often called an access control list or ACL) that determine which packets are permitted to pass and which are blocked.

The concept is straightforward: every packet entering or leaving the network must pass through the firewall, and the firewall compares each packet against its rules. If the packet matches an “allow” rule, it passes through. If it matches a “deny” or “drop” rule — or matches no rule at all — the firewall blocks it.

The term “firewall” is borrowed from building construction, where a firewall is a physical barrier designed to prevent fire from spreading between sections of a building. In networking, the barrier prevents unauthorized traffic from spreading between network segments.

A Brief History

The first generation of network firewalls appeared in the late 1980s, emerging as simple packet filters after a series of internet security breaches demonstrated the need for perimeter defenses. These early firewalls operated at the network layer and made pass/fail decisions based solely on packet header information — source address, destination address, and port number. By the early 1990s, researchers at AT&T Bell Labs developed the concept of stateful inspection, which tracked the state of active connections and made filtering decisions based on context rather than individual packets in isolation. Today’s next-generation firewalls combine packet filtering, stateful inspection, deep packet inspection, intrusion prevention, and threat intelligence feeds into a single platform.

How Firewalls Work

At the most fundamental level, a firewall works by inspecting the headers of network packets and comparing them against its rule set. Every packet traveling across a network carries metadata in its headers: the source IP address, the destination IP address, the protocol (TCP, UDP, ICMP), and the source and destination port numbers. A firewall reads these fields and makes one of three decisions:

  • Allow — The packet matches a permit rule and is forwarded to its destination.
  • Deny — The packet matches a deny rule and is blocked. The firewall sends a rejection response (such as a TCP RST or an ICMP “destination unreachable” message) back to the sender.
  • Drop — The packet is silently discarded with no response to the sender. From the sender’s perspective, the packet vanishes and the connection simply times out. Dropping is generally preferred over denying on internet-facing interfaces because it reveals less information to potential attackers; on internal networks many administrators prefer an explicit reject, because a client that receives a rejection fails immediately instead of waiting for a timeout, which makes legitimate connectivity problems easier to diagnose.

Rule Processing Order

Firewall rules are processed top-down in the order they appear in the rule set. The firewall evaluates each incoming or outgoing packet against Rule 1 first, then Rule 2, then Rule 3, and so on. The moment a packet matches a rule, that rule’s action is applied and the firewall stops checking further rules. This is called first-match-wins processing.

Rule order matters enormously. If you place a broad “allow all” rule at the top of your rule set, every subsequent deny rule becomes useless — no packet will ever reach it. Conversely, placing a very specific allow rule below a broad deny rule means the allow rule will never trigger. When configuring firewall rules, always place the most specific rules at the top and the most general rules at the bottom.

Types of Firewalls

Not all firewalls are created equal. Over the decades, firewall technology has evolved through several generations, each adding deeper inspection capabilities and greater context awareness. Here are the major types of firewalls you will encounter.

Packet Filtering (Stateless) Firewalls

The simplest and oldest type, a packet-filtering firewall examines each packet in isolation. It checks the packet’s header — source IP, destination IP, port number, and protocol — and compares those values against its rules. It has no memory of previous packets and no understanding of whether a packet belongs to an established connection or is an entirely new request.

Stateless firewalls are fast and lightweight because they perform minimal processing per packet. However, they are also limited. A stateless firewall cannot distinguish between a legitimate response packet and an unsolicited inbound packet that happens to use the same port number. This makes them vulnerable to certain attacks, such as spoofed ACK packets.

Stateful Inspection Firewalls

A stateful firewall tracks the state of active network connections in a state table. When a device on the internal network initiates an outbound connection (for example, a TCP three-way handshake), the stateful firewall records the connection details: source IP, destination IP, source port, destination port, and the current state of the TCP session (SYN_SENT, ESTABLISHED, and so on).

When response packets arrive from the external network, the firewall checks them against its state table. If the incoming packet corresponds to a known, established connection, it is allowed through without needing an explicit inbound rule. If the packet does not match any tracked session, it is blocked. This approach is far more secure than stateless filtering because it understands the context of traffic, not just individual packets.
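The following is an added example, not part of the original article, that models the state table described above in Python. It records connections that the trusted side opens and admits inbound packets only when they are replies to one of them; beside it sits a stateless "allow inbound TCP packets with the ACK flag" rule, the approximation older packet filters used, to show the weakness mentioned in the stateless section: an unsolicited packet aimed at the same port gets through the stateless check but not the stateful one. The class and function names, addresses and ports are all constructed for this example.

```python
# Added example (not from the original article): a minimal model of the
# state table a stateful firewall keeps. It admits inbound packets only
# when they are replies to a connection the trusted side opened, and it
# is contrasted with a stateless rule that lets any inbound ACK through.
# Addresses, ports and names are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str     # "in" = arriving from the untrusted side, "out" = leaving the trusted side
    proto: str         # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # TCP flags; a SYN without ACK opens a new connection
    ack: bool = False


def stateless_verdict(p: Packet) -> str:
    """A stateless approximation of 'allow replies': admit inbound TCP
    packets carrying the ACK flag. Any sender can set that flag, so a
    spoofed ACK passes exactly like a genuine reply."""
    if p.direction == "out":
        return "allow"
    return "allow" if p.proto == "tcp" and p.ack else "drop"


class StatefulFirewall:
    """Keeps a connection table keyed by the 5-tuple of each outbound flow."""

    def __init__(self):
        # key: (proto, internal ip, internal port, external ip, external port)
        self.state_table = {}

    @staticmethod
    def _key_for_outbound(p):
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _key_for_inbound(p):
        # A reply has source and destination swapped relative to the entry.
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def process(self, p: Packet) -> str:
        if p.direction == "out":
            key = self._key_for_outbound(p)
            if p.proto == "udp":
                self.state_table.setdefault(key, "UDP_OPEN")
            elif p.syn and not p.ack:
                self.state_table[key] = "SYN_SENT"        # handshake step 1
            elif p.ack and self.state_table.get(key) == "SYN_RECV":
                self.state_table[key] = "ESTABLISHED"     # handshake step 3
            return "allow"   # this model trusts all outbound traffic

        key = self._key_for_inbound(p)
        state = self.state_table.get(key)
        if state is None:
            return "drop"    # unsolicited: no tracked session, so no way in
        if state == "SYN_SENT" and p.proto == "tcp" and p.syn and p.ack:
            self.state_table[key] = "SYN_RECV"            # handshake step 2
        return "allow"


def run_demo():
    """Replay a TCP handshake plus one spoofed packet; return both verdict lists."""
    internal, external, attacker = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    flow = [
        Packet("out", "tcp", internal, 51000, external, 443, syn=True),           # SYN
        Packet("in", "tcp", external, 443, internal, 51000, syn=True, ack=True),  # SYN-ACK
        Packet("out", "tcp", internal, 51000, external, 443, ack=True),           # ACK
        Packet("in", "tcp", external, 443, internal, 51000, ack=True),            # data reply
        # Unsolicited packet aimed at the same internal port with the ACK flag set
        Packet("in", "tcp", attacker, 443, internal, 51000, ack=True),
    ]
    fw = StatefulFirewall()
    return {
        "stateful": [fw.process(p) for p in flow],
        "stateless": [stateless_verdict(p) for p in flow],
        "final_state": fw.state_table[("tcp", internal, 51000, external, 443)],
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The stateful model drops the fifth packet because no entry in its table was created by the internal host talking to 198.51.100.7; the stateless rule admits it, since the ACK flag is all it can see. The same table logic is what lets cloud security groups skip an explicit inbound rule for return traffic.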

Application Layer / Proxy Firewalls

An application-layer firewall (also called a proxy firewall) operates at Layer 7 of the OSI model. Rather than simply inspecting packet headers, it can read and interpret the actual content of application-layer protocols like HTTP, FTP, DNS, and SMTP. The firewall acts as an intermediary — a proxy — between the client and the server. The client connects to the firewall, and the firewall opens a separate connection to the destination server on the client’s behalf.

This deep packet inspection capability enables application-layer firewalls to detect and block threats that lower-level firewalls miss: SQL injection attempts hidden in HTTP requests, malicious file uploads via FTP, or suspicious DNS queries. The trade-off is performance — inspecting application data is significantly more CPU-intensive than checking packet headers.

Next-Generation Firewalls (NGFW)

Next-generation firewalls combine traditional firewall capabilities with advanced security features in a single device. A typical NGFW includes stateful inspection, deep packet inspection, an intrusion prevention system (IPS), application awareness and control, SSL/TLS inspection, sandboxing for unknown files, and integration with external threat intelligence feeds.

Application awareness means the NGFW can identify and control traffic based on the specific application — not just the port number. For example, an NGFW can distinguish between legitimate web browsing on port 443 and a peer-to-peer application tunneling through the same port. Major NGFW vendors include Palo Alto Networks, Fortinet, Cisco, and Check Point.

Host-Based vs Network-Based Firewalls

Firewalls can also be categorized by where they are deployed. A network-based firewall (or network firewall) sits at the perimeter of a network — typically a hardware appliance or virtual appliance positioned between the internal network and the internet. All traffic entering or leaving the network passes through it.

A host-based firewall runs directly on an individual device and filters traffic to and from that specific host. Windows Defender Firewall and Linux iptables/nftables are common examples. Host-based firewalls are essential for defense in depth — even if an attacker breaches the network firewall, the host-based firewall on each server provides an additional layer of protection.

Firewall Rules Explained

A firewall rule is an instruction that tells the firewall what to do with a specific type of traffic. Every rule typically contains the following components:

  • Direction — Inbound (incoming) or outbound (outgoing).
  • Source — The IP address or range the traffic originates from.
  • Destination — The IP address or range the traffic is headed to.
  • Port — The port number (or range) associated with the traffic.
  • Protocol — TCP, UDP, ICMP, or “any.”
  • Action — Allow, deny, or drop.

Example Rule Set

The following table shows a simplified firewall rule set for a web server. Rules are evaluated top to bottom, and the first matching rule determines the action.

#  Direction  Source          Destination  Protocol  Port  Action
1  Inbound    Any             10.0.0.5     TCP       443   Allow
2  Inbound    Any             10.0.0.5     TCP       80    Allow
3  Inbound    192.168.1.0/24  10.0.0.5     TCP       22    Allow
4  Outbound   10.0.0.5        Any          TCP       Any   Allow
5  Any        Any             Any          Any       Any   Deny

Rule 1 allows HTTPS traffic from anywhere to the web server. Rule 2 does the same for HTTP. Rule 3 restricts SSH access to the internal subnet 192.168.1.0/24 only. Rule 4 permits all outbound traffic from the server. Rule 5 is the catch-all deny: written out explicitly here, it does what the implicit deny does on most platforms and blocks everything that did not match a previous rule. This “deny all” rule at the bottom is a security best practice and is applied by default in most firewall platforms, whether or not it appears as a visible rule.
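As an added example (not part of the original article), here is the rule set above encoded in Python with a first-match-wins evaluator and a check for rules that an earlier, broader rule makes unreachable, the ordering mistake described under Rule Processing Order. The rule list mirrors the table; the test packets, the misordered variant and all function names are constructed for the example, and the standard library’s ipaddress module does the CIDR matching.

```python
# Added example (not from the original article): top-down, first-match-wins
# rule evaluation over the web server rule set, plus detection of rules that
# can never fire because an earlier rule already covers everything they match.
# Packet values and the misordered variant are constructed for illustration.
import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    number: int
    direction: str    # "inbound", "outbound" or "any"
    source: str       # CIDR, single address or "any"
    destination: str  # CIDR, single address or "any"
    protocol: str     # "tcp", "udp", "icmp" or "any"
    port: str         # destination port as a string, or "any"
    action: str       # "allow", "deny" or "drop"


def _net(value):
    # "any" becomes the whole IPv4 space so membership and subset checks are uniform.
    return ipaddress.ip_network("0.0.0.0/0" if value == ANY else value, strict=False)


def _field_covers(rule_value, packet_value):
    return rule_value == ANY or str(rule_value).lower() == str(packet_value).lower()


def rule_matches(rule, direction, src_ip, dst_ip, protocol, dst_port):
    return (_field_covers(rule.direction, direction)
            and ipaddress.ip_address(src_ip) in _net(rule.source)
            and ipaddress.ip_address(dst_ip) in _net(rule.destination)
            and _field_covers(rule.protocol, protocol)
            and _field_covers(rule.port, dst_port))


def evaluate(rules, direction, src_ip, dst_ip, protocol, dst_port):
    """Walk the list top-down; the first matching rule decides.
    Returns (action, rule number); unmatched packets hit the implicit deny."""
    for rule in rules:
        if rule_matches(rule, direction, src_ip, dst_ip, protocol, dst_port):
            return rule.action, rule.number
    return "deny", None


def _covers(broad, narrow):
    """True when every packet matching `narrow` would also match `broad`."""
    return (_field_covers(broad.direction, narrow.direction)
            and _net(narrow.source).subnet_of(_net(broad.source))
            and _net(narrow.destination).subnet_of(_net(broad.destination))
            and _field_covers(broad.protocol, narrow.protocol)
            and _field_covers(broad.port, narrow.port))


def shadowed_rules(rules):
    """(shadowed rule, rule that shadows it) for every rule that can never fire."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, later):
                found.append((later.number, earlier.number))
                break
    return found


# The web server rule set from the table.
WEB_SERVER_RULES = [
    Rule(1, "inbound", ANY, "10.0.0.5", "tcp", "443", "allow"),
    Rule(2, "inbound", ANY, "10.0.0.5", "tcp", "80", "allow"),
    Rule(3, "inbound", "192.168.1.0/24", "10.0.0.5", "tcp", "22", "allow"),
    Rule(4, "outbound", "10.0.0.5", ANY, "tcp", ANY, "allow"),
    Rule(5, ANY, ANY, ANY, ANY, ANY, "deny"),
]

# The ordering mistake: a broad "allow all" at the top leaves every rule
# below it, including the deny, unreachable.
MISORDERED_RULES = [Rule(1, ANY, ANY, ANY, ANY, ANY, "allow")] + [
    Rule(r.number + 1, r.direction, r.source, r.destination, r.protocol, r.port, r.action)
    for r in WEB_SERVER_RULES
]


if __name__ == "__main__":
    print(evaluate(WEB_SERVER_RULES, "inbound", "203.0.113.9", "10.0.0.5", "tcp", 22))
    print(shadowed_rules(WEB_SERVER_RULES), shadowed_rules(MISORDERED_RULES))
```

Running the evaluator on an SSH attempt from the internet (203.0.113.9 is a documentation address used here as the sample source) falls through rules 1 to 4 and lands on rule 5, while the same attempt from 192.168.1.20 stops at rule 3. The shadow check reports nothing for the table as written and flags every rule from 2 to 6 in the misordered variant.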

Ports and Firewalls

Port numbers are central to how firewalls work. When a firewall rule says “allow TCP port 443,” it is telling the firewall to permit packets whose TCP header contains a destination port value of 443. Every service that listens on a network — web servers, email servers, databases, remote access tools — does so on a specific port number, and firewall rules target those port numbers to control access to each service individually.

Common Ports to Manage in Firewall Rules

Port  Protocol  Service  Typical Rule
22    TCP       SSH      Allow from trusted IPs only
53    TCP/UDP   DNS      Allow outbound; restrict inbound to DNS servers
80    TCP       HTTP     Allow inbound for web servers; redirect to 443
443   TCP       HTTPS    Allow inbound for web servers
3306  TCP       MySQL    Allow from application servers only; never public
3389  TCP       RDP      Allow from trusted IPs only; block from internet
445   TCP       SMB      Block from internet; allow on internal LAN only

The guiding principle for firewall port management is the principle of least privilege: only open the ports that are absolutely necessary for the services you need to run, and restrict access to the narrowest possible set of source addresses. Every open port is a potential attack surface. If a service is not needed, the port should be closed. If the service is needed, access should be limited to the specific IP addresses or subnets that require it.

Firewalls in Practice

Understanding firewall theory is important, but knowing how to configure firewall rules on actual platforms is where the knowledge becomes practical. Here is a brief look at how firewalls work on the most common platforms.

Windows Defender Firewall

Windows includes a built-in host-based firewall that is enabled by default. It uses three profiles — Domain, Private, and Public — each with its own set of rules. You can manage it through the Windows Security app for basic settings or through Windows Defender Firewall with Advanced Security (wf.msc) for granular inbound/outbound rule creation. PowerShell also provides the New-NetFirewallRule cmdlet for scripted rule management:

# Allow inbound HTTPS on Windows
New-NetFirewallRule -DisplayName "Allow HTTPS" `
  -Direction Inbound -Protocol TCP -LocalPort 443 `
  -Action Allow -Profile Any

Linux iptables and nftables

On Linux systems, the kernel’s netfilter framework handles packet filtering, and iptables (or its modern replacement, nftables) is the user-space tool for configuring rules. Rules are organized into chains — INPUT (incoming traffic to the host), OUTPUT (outgoing traffic from the host), and FORWARD (traffic routed through the host). A basic iptables configuration for a web server might look like this:

# Allow traffic on the loopback interface so local services can reach each other
iptables -A INPUT -i lo -j ACCEPT

# Allow replies to connections this host already opened
# (-m conntrack --ctstate is the current form of the older -m state --state match)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow SSH from internal network
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT

# Allow HTTP and HTTPS from anywhere
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Drop everything else (must stay last: first match wins)
iptables -A INPUT -j DROP

Cloud Security Groups

In cloud environments like AWS, Azure, and Google Cloud, firewalls take the form of security groups and network ACLs. A security group acts as a virtual firewall for your cloud instances — you define inbound and outbound rules specifying the allowed protocols, port ranges, and source/destination IP addresses or security group IDs. Cloud security groups are stateful by default: if you allow an inbound rule, the corresponding outbound response traffic is automatically permitted. AWS network ACLs behave differently: they are stateless and evaluated in rule-number order, so return traffic must be permitted by its own rule.

Home Router Firewalls

Most home routers include a built-in network firewall that provides basic packet filtering and NAT (Network Address Translation). NAT itself acts as a de facto firewall because unsolicited inbound traffic from the internet cannot reach devices on the internal network unless a port-forwarding rule is explicitly configured. If you access your router’s admin interface (typically at 192.168.1.1 or 192.168.0.1), you will usually find options for port forwarding, DMZ configuration, and basic firewall toggles. For most home users, keeping the default firewall enabled and avoiding unnecessary port-forwarding rules is sufficient.

Firewall vs Other Security Tools

A firewall is a critical component of network security, but it is not a silver bullet. Understanding what a firewall does — and what it does not do — helps you build a layered security strategy. When firewall rules are blocking traffic unexpectedly, a systematic troubleshooting approach can help you identify whether the issue is at the firewall, the network, or the application level.

Antivirus
  What it does: Scans files and processes for known malware signatures and suspicious behavior.
  How it differs from a firewall: Operates at the host level on file content; a firewall operates on network traffic. A firewall cannot detect a virus inside an allowed HTTPS download.

IDS/IPS
  What it does: Detects (IDS) or detects and blocks (IPS) suspicious network activity using signatures and anomaly detection.
  How it differs from a firewall: An IDS/IPS analyzes traffic patterns and payloads for known attack signatures; a basic firewall only checks headers. NGFWs often include built-in IPS.

VPN
  What it does: Encrypts traffic between two endpoints to create a secure tunnel over an untrusted network.
  How it differs from a firewall: A VPN protects data in transit through encryption; a firewall controls which traffic is permitted. They complement each other — VPN traffic still passes through firewalls.

The takeaway: firewalls, antivirus, IDS/IPS, and VPNs each address different threat vectors. A robust security posture uses defense in depth — multiple overlapping layers of security so that if one control fails, others continue to protect the system. A firewall blocks unauthorized traffic at the network perimeter and on individual hosts, but it relies on other tools to catch threats that arrive through allowed channels, like a malicious email attachment that enters via permitted SMTP traffic on port 25.

Frequently Asked Questions

What is the difference between a firewall and antivirus?

A firewall controls network traffic — it decides which packets are allowed to enter or leave a network based on rules involving IP addresses, ports, and protocols. Antivirus software operates at the host level, scanning files, downloads, and running processes for known malware signatures and suspicious behavior. A firewall might block an attacker from connecting to your system, while antivirus catches malware that arrives through an allowed connection (like an email attachment). You need both for comprehensive protection.

Do I need a firewall if I have a router?

Your router likely includes a basic firewall through NAT, which prevents unsolicited inbound traffic from reaching your devices. However, a router’s built-in firewall is relatively simple — it does not inspect application-layer traffic, detect intrusions, or provide granular rule management. For most home users, the router firewall combined with the operating system’s host-based firewall (like Windows Defender Firewall) provides adequate protection. For businesses, a dedicated network firewall or NGFW is strongly recommended.

What is an implicit deny rule?

An implicit deny is a default rule at the bottom of a firewall’s rule set that blocks all traffic not explicitly permitted by a preceding rule. It operates on the principle of “deny everything unless specifically allowed.” Most enterprise firewalls and cloud security platforms include an implicit deny by default. This is a fundamental security best practice because it ensures that only traffic you have consciously approved can pass through the firewall.

What is a stateful firewall?

A stateful firewall keeps track of active network connections in a state table. Instead of evaluating each packet in isolation (as a stateless firewall does), it understands which packets belong to an established, legitimate session. When an internal host initiates a connection, the stateful firewall records the session details and automatically allows response packets that belong to that session. This makes stateful firewalls significantly more secure than stateless packet filters because they can distinguish between legitimate return traffic and unsolicited inbound packets.

Should I block all incoming traffic?

Blocking all unsolicited incoming traffic is a reasonable starting point for most devices, especially workstations and personal computers. This is essentially what an implicit deny rule does. However, you will need to allow incoming traffic for any service you are intentionally hosting — a web server needs ports 80 and 443 open, an SSH server needs port 22, and so on. The principle of least privilege applies: start with everything blocked, then open only the specific ports required for your services, restricted to the narrowest possible set of source addresses.

What ports should I keep open?

The ports you keep open depend entirely on the services you need to run. For a typical web server, that means ports 80 (HTTP) and 443 (HTTPS). For remote management, you might open port 22 (SSH) from specific trusted IP addresses. For a DNS server, port 53 is required. As a general rule, keep as few ports open as possible, restrict access by source IP whenever practical, and regularly audit your open ports to close any that are no longer needed. Use our port number reference to look up which ports correspond to which services.
