What Is a Firewall? Ports, Rules, and Traffic Filtering

Last Updated on: June 11, 2026
TL;DR — The Short Version
  • A firewall monitors and controls network traffic based on a predefined set of rules. It sits between trusted and untrusted networks.
  • Decisions come from packet headers. Source and destination IP, port numbers, and protocol determine whether traffic is allowed, denied, or dropped.
  • Types range from simple to deep. Stateless packet filters check headers only. Next-generation firewalls add intrusion prevention, application awareness, and threat intelligence.
  • Rules process top-down, first match wins. Order matters, and most rule sets end with an implicit deny.
  • Firewalls complement other tools, not replace them. Antivirus, IDS/IPS, and VPNs cover threats a firewall cannot see.
  • Every major platform has one built in. Windows Firewall, Linux iptables/nftables, cloud security groups, and home router firewalls.


Every network needs a bouncer. Someone, or something, stands at the door, checks credentials, and decides who gets in. In networking, that bouncer is a firewall. It sits between your trusted internal network and the untrusted world outside. Every packet that tries to cross the boundary gets examined.

Maybe you are a home user with a broadband router. Maybe you manage hundreds of servers, or write AWS security groups. Either way, understanding firewalls and firewall rules is foundational knowledge. Firewalls appear on every major IT certification exam, including CompTIA Security+, Network+, and CCNA. They are the first line of defense in virtually every network architecture.

This guide covers what a firewall is and how firewalls work under the hood. It walks through the firewall types you will encounter and how to read and write rules. It also shows practical examples on Windows and Linux, and explains how firewalls fit alongside other security tools.

What Is a Firewall?

A firewall is a network security system that monitors and filters traffic between networks based on a set of rules. Every packet crossing the boundary must pass through it. Packets matching an allow rule pass. Packets matching a deny rule, or no rule at all, are blocked.

A firewall typically sits between a trusted internal network and an untrusted external network like the internet. The internal side usually runs on private IP addresses. The firewall enforces a set of rules, often called an access control list (ACL). Those rules determine which packets are permitted and which are blocked.

The mechanics are simple. Every packet entering or leaving the network passes through the firewall. The firewall compares each packet against its rules. A match on an “allow” rule lets the packet through. A match on a “deny” or “drop” rule, or no match at all, blocks it.

The term comes from building construction. A physical firewall is a barrier that stops fire from spreading between sections of a building. In networking, the barrier stops unauthorized traffic from spreading between network segments.

A Brief History

The first network firewalls appeared in the late 1980s as simple packet filters. A series of internet security breaches had demonstrated the need for perimeter defenses. These early firewalls operated at the network layer. They made pass/fail decisions using only header information: source address, destination address, and port number.

By the early 1990s, researchers at AT&T Bell Labs developed stateful inspection. A stateful firewall tracks active connections and filters based on context, not isolated packets. Today’s next-generation firewalls go further. They combine packet filtering, stateful inspection, deep packet inspection, intrusion prevention, and threat intelligence in a single platform.

How Firewalls Work

A firewall reads each packet’s header fields: source IP, destination IP, protocol, and port numbers. It compares them against its rule set from the top down, and the first match wins. The matching rule’s action is applied: allow, deny with a response, or silently drop.

Every packet carries metadata in its headers. That metadata includes the source and destination IP addresses, the protocol (TCP, UDP, ICMP), and both port numbers. The firewall reads these fields and makes one of three decisions:

  • Allow. The packet matches a permit rule and is forwarded to its destination.
  • Deny. The packet matches a deny rule and is blocked. The firewall sends a rejection back to the sender, such as a TCP RST or an ICMP “destination unreachable” message.
  • Drop. The packet is silently discarded with no response. From the sender’s perspective, the packet vanishes and the connection times out. Dropping is generally preferred on internet-facing interfaces because it reveals less to an attacker and makes scans slower. It does not make the host invisible: a scanner reports the port as “filtered” rather than “closed,” and legitimate clients wait for a timeout instead of failing immediately. For that reason many administrators reject on internal interfaces, where fast feedback helps troubleshooting, and drop on external ones.

Rule Processing Order

Firewall rules are processed top-down in the order they appear. The firewall checks each packet against Rule 1, then Rule 2, and so on. The moment a packet matches, that rule’s action is applied and evaluation stops. This is first-match-wins processing.

Rule order matters enormously. Place a broad “allow all” rule at the top and every deny rule below it becomes useless. No packet will ever reach them. Place a specific allow rule below a broad deny and it will never trigger. Always put the most specific rules at the top and the most general at the bottom.

Types of Firewalls

Firewalls range from stateless packet filters that check headers only, to stateful firewalls that track connections. Proxy firewalls go further and read application content. Next-generation firewalls combine all of these with intrusion prevention, application awareness, and threat intelligence in one platform.

Not all firewalls are created equal. The technology has evolved through several generations. Each generation added deeper inspection and greater context awareness. Here are the major types you will encounter.

Packet Filtering (Stateless) Firewalls

The simplest and oldest type examines each packet in isolation. It checks the header fields against its rules: source IP, destination IP, port, and protocol. It has no memory of previous packets. It cannot tell whether a packet belongs to an established connection or arrived unsolicited.

Stateless firewalls are fast and lightweight because per-packet processing is minimal. They are also limited. A stateless firewall cannot distinguish a legitimate response from an unsolicited inbound packet on the same port. The usual workaround is a rule that permits inbound TCP packets with the ACK flag set, on the assumption that only replies carry ACK. An attacker can set that flag on any packet, so such rules are exposed to spoofed ACK packets and ACK scans, and they offer no equivalent at all for UDP, which has no flags.

Stateful Inspection Firewalls

A stateful firewall tracks active connections in a state table. When an internal device opens an outbound connection, the firewall records the details. Those details include source IP, destination IP, both ports, and the TCP session state (SYN_SENT, ESTABLISHED, and so on).

When response packets arrive, the firewall checks them against the state table. Packets belonging to a known, established connection pass without an explicit inbound rule. Packets matching no tracked session fall through to the explicit rules and are blocked unless one permits them. This approach is more secure because the decision uses the context of the connection, not just the fields of one packet. The cost is memory: every tracked connection occupies a table entry, so floods of half-open connections that exhaust the table are a classic attack on stateful devices, and most of them enforce per-state timeouts for that reason.
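The difference between the stateless “allow anything with ACK set” rule and a real connection table is easiest to see side by side. The block below is an added example for this guide, not code from the page or from any firewall product; the internal host address, the packets and the flag sets are constructed samples using documentation IP ranges.

```python
"""Stateless 'established' filtering versus a stateful connection table.

Added example for this guide, not code from any firewall. Packets are
constructed samples; the protected internal host is 192.168.1.10.
"""
from dataclasses import dataclass

HOST = "192.168.1.10"   # constructed: the internal host behind the firewall


@dataclass(frozen=True)
class Packet:
    direction: str                   # "out" = leaving the host, "in" = arriving
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: frozenset = frozenset()   # TCP flag names, e.g. {"SYN", "ACK"}


def stateless_established(pkt: Packet) -> bool:
    """The classic stateless ACL rule: let inbound TCP through if ACK is set,
    assuming only replies carry ACK. It has no memory, so a crafted ACK with
    no prior session passes, and a UDP reply cannot be told apart from
    unsolicited UDP at all."""
    if pkt.direction == "out":
        return True
    return pkt.proto == "tcp" and "ACK" in pkt.flags


class StatefulFilter:
    """Minimal connection table keyed on the outbound 5-tuple."""

    def __init__(self):
        self.table = {}   # (proto, src, sport, dst, dport) -> state name

    def permit(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.proto == "tcp":
                if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                    self.table[key] = "SYN_SENT"   # new connection attempt
                elif key not in self.table:
                    return False                   # INVALID: not part of any flow
            else:
                self.table.setdefault(key, "UDP_NEW")
            return True
        # Inbound: look up the outbound flow this packet would be a reply to.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.table.get(key)
        if state is None:
            return False   # unsolicited; would need an explicit inbound rule
        if state == "SYN_SENT" and {"SYN", "ACK"} <= pkt.flags:
            self.table[key] = "ESTABLISHED"
        return True


def run_scenarios():
    """Run both filters over a constructed packet sequence.
    Each result is (stateless_decision, stateful_decision)."""
    sf = StatefulFilter()
    results = {}

    # 1. The host opens HTTPS to a web server and the SYN/ACK comes back.
    syn = Packet("out", HOST, 51000, "203.0.113.80", 443, flags=frozenset({"SYN"}))
    syn_ack = Packet("in", "203.0.113.80", 443, HOST, 51000,
                     flags=frozenset({"SYN", "ACK"}))
    results["syn_out"] = (stateless_established(syn), sf.permit(syn))
    results["syn_ack_reply"] = (stateless_established(syn_ack), sf.permit(syn_ack))

    # 2. An ACK-flagged probe to port 80 with no prior session (ACK scan).
    spoofed = Packet("in", "198.51.100.9", 443, HOST, 80, flags=frozenset({"ACK"}))
    results["spoofed_ack"] = (stateless_established(spoofed), sf.permit(spoofed))

    # 3. The host sends a DNS query; the UDP reply carries no flags to key on.
    query = Packet("out", HOST, 40000, "203.0.113.53", 53, proto="udp")
    reply = Packet("in", "203.0.113.53", 53, HOST, 40000, proto="udp")
    sf.permit(query)
    results["dns_reply"] = (stateless_established(reply), sf.permit(reply))

    # 4. Same resolver, unsolicited packet to a port the host never used.
    stray = Packet("in", "203.0.113.53", 53, HOST, 40001, proto="udp")
    results["stray_udp"] = (stateless_established(stray), sf.permit(stray))
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenarios().items():
        print(f"{name:14s} stateless={stateless!s:5} stateful={stateful}")
```

Scenario 2 is the spoofed-ACK weakness: the stateless rule passes the probe, the state table drops it. Scenario 3 is the other half of the problem: the stateless rule cannot admit the DNS reply without opening all inbound UDP from port 53, while the state table admits exactly the reply to the query the host sent.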

Application Layer / Proxy Firewalls

An application-layer firewall, also called a proxy firewall, operates at Layer 7 of the OSI model. It reads the actual content of application protocols like HTTP, FTP, DNS, and SMTP. The firewall acts as an intermediary. The client connects to the firewall, and the firewall opens a separate connection to the destination server.

This deep packet inspection catches threats that header-only firewalls miss. Examples include SQL injection hidden in HTTP requests, malicious FTP uploads, and suspicious DNS queries. There are two trade-offs. The first is performance: inspecting application data costs far more CPU than checking headers. The second is encryption: most application traffic is now carried over TLS, so the proxy can only see content if it terminates the TLS session itself, which means the clients must trust the proxy’s certificate authority.

Next-Generation Firewalls (NGFW)

Next-generation firewalls combine traditional capabilities with advanced security features in one device. A typical NGFW includes stateful inspection, deep packet inspection, and an intrusion prevention system (IPS). It adds application awareness, SSL/TLS inspection, sandboxing, and threat intelligence integration.

Application awareness means the NGFW identifies traffic by application, not just port number. It can distinguish legitimate web browsing on port 443 from a peer-to-peer app tunneling through the same port. Major NGFW vendors include Palo Alto Networks, Fortinet, Cisco, and Check Point.

Host-Based vs Network-Based Firewalls

Firewalls also differ by where they are deployed. A network-based firewall sits at the network perimeter. It is typically a hardware or virtual appliance between the internal network and the internet. All traffic in or out passes through it.

A host-based firewall runs on an individual device and filters that host’s traffic. Windows Firewall and Linux iptables/nftables are common examples. Host-based firewalls are essential for defense in depth. If an attacker breaches the network firewall, each host still has its own layer of protection.

Firewall Rules Explained

A firewall rule pairs match criteria with an action. The criteria are direction, source, destination, protocol, and port. The action is allow, deny, or drop. Rules are evaluated top to bottom with first match wins, and most rule sets end with an implicit deny.

A firewall rule tells the firewall what to do with a specific type of traffic. Every rule typically contains these components:

  • Direction — inbound (incoming) or outbound (outgoing).
  • Source — the IP address or range the traffic originates from.
  • Destination — the IP address or range the traffic is headed to.
  • Port — the port number or range associated with the traffic.
  • Protocol — TCP, UDP, ICMP, or “any.”
  • Action — allow, deny, or drop.

Example Rule Set

The table below shows a simplified rule set for a web server. Rules evaluate top to bottom. The first matching rule determines the action.

#  Direction  Source          Destination  Protocol  Dst Port  Action
1  Inbound    Any             10.0.0.5     TCP       443       Allow
2  Inbound    Any             10.0.0.5     TCP       80        Allow
3  Inbound    192.168.1.0/24  10.0.0.5     TCP       22        Allow
4  Outbound   10.0.0.5        Any          TCP       Any       Allow
5  Any        Any             Any          Any       Any       Deny

Rule 1 allows HTTPS from anywhere to the web server. Rule 2 does the same for HTTP. Rule 3 restricts SSH to the internal subnet 192.168.1.0/24. Rule 4 permits all outbound traffic from the server. Rule 5 is an explicit “deny all” that mirrors the implicit deny: it blocks everything that did not match an earlier rule. Most platforms apply that default even when you do not write it, but writing it out makes the intent visible and gives you a rule to attach logging to. One caveat: on a stateless filter, rule 4 lets the server open outbound connections but nothing admits their replies; on a stateful firewall the state table admits those replies without a rule.
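The following block is an added example for this guide, not code from the page or from any firewall product. It implements top-down, first-match evaluation with an implicit deny over the rule set in the table above, then checks the set for shadowed rules (rules that can never fire because an earlier, broader rule always matches first), which is the failure the “Rule Processing Order” section warns about. The packets and the misordered rule set are constructed samples.

```python
"""Top-down, first-match firewall rule evaluation with an implicit deny.

Added example for this guide, not code from any firewall. The rule set
mirrors the web-server table above; packets are constructed samples using
documentation IP ranges.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = None   # wildcard value for any rule field


@dataclass(frozen=True)
class Rule:
    direction: Optional[str]   # "in", "out" or ANY
    src: Optional[str]         # CIDR or ANY
    dst: Optional[str]         # CIDR or ANY
    proto: Optional[str]       # "tcp", "udp", "icmp" or ANY
    dport: Optional[int]       # destination port or ANY
    action: str                # "allow", "deny" (reject) or "drop"


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    proto: str
    dport: int


def _covers(rule_value, packet_value, is_addr=False):
    """Does one rule field match one packet field?"""
    if rule_value is ANY:
        return True
    if is_addr:
        return ip_address(packet_value) in ip_network(rule_value, strict=False)
    return rule_value == packet_value


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_covers(rule.direction, pkt.direction)
            and _covers(rule.src, pkt.src, True)
            and _covers(rule.dst, pkt.dst, True)
            and _covers(rule.proto, pkt.proto)
            and _covers(rule.dport, pkt.dport))


def evaluate(rules, pkt):
    """Return (action, rule_number). Rule number 0 means the implicit deny fired."""
    for number, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule.action, number   # first match wins, evaluation stops
    return "drop", 0


def _field_shadows(a, b, is_addr=False):
    """True if every value field b accepts is also accepted by field a."""
    if a is ANY:
        return True
    if b is ANY:
        return False
    if is_addr:
        return ip_network(b, strict=False).subnet_of(ip_network(a, strict=False))
    return a == b


def shadowed(rules):
    """Rule numbers that can never fire because an earlier rule covers them."""
    dead = []
    for j, later in enumerate(rules, start=1):
        for earlier in rules[: j - 1]:
            if (_field_shadows(earlier.direction, later.direction)
                    and _field_shadows(earlier.src, later.src, True)
                    and _field_shadows(earlier.dst, later.dst, True)
                    and _field_shadows(earlier.proto, later.proto)
                    and _field_shadows(earlier.dport, later.dport)):
                dead.append(j)
                break
    return dead


WEB_SERVER = "10.0.0.5"
RULES = [
    Rule("in", ANY, WEB_SERVER, "tcp", 443, "allow"),               # 1 HTTPS
    Rule("in", ANY, WEB_SERVER, "tcp", 80, "allow"),                # 2 HTTP
    Rule("in", "192.168.1.0/24", WEB_SERVER, "tcp", 22, "allow"),   # 3 SSH, LAN only
    Rule("out", WEB_SERVER, ANY, "tcp", ANY, "allow"),              # 4 outbound
]   # rule 5 of the table is the implicit deny in evaluate()

# Constructed sample packets.
HTTPS_FROM_INTERNET = Packet("in", "203.0.113.7", WEB_SERVER, "tcp", 443)
SSH_FROM_INTERNET = Packet("in", "203.0.113.7", WEB_SERVER, "tcp", 22)
SSH_FROM_LAN = Packet("in", "192.168.1.20", WEB_SERVER, "tcp", 22)

# A broad "allow all inbound" placed at the top shadows every inbound rule below it.
MISORDERED = [Rule("in", ANY, ANY, ANY, ANY, "allow")] + RULES

if __name__ == "__main__":
    for pkt in (HTTPS_FROM_INTERNET, SSH_FROM_INTERNET, SSH_FROM_LAN):
        print(pkt, "->", evaluate(RULES, pkt))
    print("SSH from internet, misordered set ->", evaluate(MISORDERED, SSH_FROM_INTERNET))
    print("shadowed rules in MISORDERED:", shadowed(MISORDERED))
```

The shadow check is deliberately conservative: it only reports a rule when a single earlier rule covers it entirely, so a rule hidden by the combination of several earlier rules is not flagged. Vendor rule-analysis tools do the full comparison, but even this simple version catches the “allow any at the top” mistake before it reaches production.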

Ports and Firewalls

Firewall rules target port numbers because every network service listens on one. Allowing TCP 443 permits HTTPS traffic to a web server. The guiding principle is least privilege: open only required ports and restrict each to the narrowest possible source range.

Port numbers are central to how firewalls work. A rule that says “allow TCP port 443” permits packets whose TCP header carries destination port 443. Every listening service uses a specific port. Web servers, mail servers, databases, and remote access tools all have theirs. Firewall rules target those ports to control access to each service individually. For the full background, see common network ports explained.

Common Ports to Manage in Firewall Rules

Port  Protocol  Service  Typical Rule
22    TCP       SSH      Allow from trusted IPs only
53    TCP/UDP   DNS      Allow outbound; allow inbound only on hosts that run a DNS server
80    TCP       HTTP     Allow inbound for web servers; redirect to 443
443   TCP       HTTPS    Allow inbound for web servers
3306  TCP       MySQL    Allow from application servers only; never public
3389  TCP       RDP      Allow from trusted IPs only; block from internet
445   TCP       SMB      Block from internet; allow on internal LAN only

The guiding principle is least privilege. Open only the ports your services actually need. Restrict access to the narrowest possible set of source addresses. Every open port is attack surface. Close ports for services you do not run. For services you do run, limit access to the specific IPs or subnets that require it. Look up any port in our Port Number Reference.
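One practical form of the audit the paragraph above asks for is to compare what a host is actually listening on against the ports it is meant to expose. The block below is an added example for this guide, not code from the page or from any tool. SS_OUTPUT is a constructed sample in the column layout of `ss -lntu` on Linux; INTENDED is the assumed allowlist for a web server reachable over SSH.

```python
"""Audit listening sockets against the ports a host is meant to expose.

Added example for this guide, not code from any tool. SS_OUTPUT is a
constructed sample in the format of `ss -lntu`; INTENDED is an assumed
allowlist for a web server. live_listeners() runs the real command.
"""
import subprocess

# Constructed sample of `ss -lntu` output for a web server.
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306       0.0.0.0:*
tcp   LISTEN 0      50                 *:445              *:*
tcp   LISTEN 0      128             [::]:22            [::]:*
udp   UNCONN 0      0            0.0.0.0:53         0.0.0.0:*
"""

# Assumed: what this host should expose beyond localhost, as (proto, port).
INTENDED = {("tcp", 22), ("tcp", 80), ("tcp", 443)}

# Bind addresses that mean "every interface" in ss output.
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}


def parse_ss(text):
    """Return [(proto, local_addr, port), ...] for each socket line, skipping the header."""
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")   # handles [::]:22 and *:445
        if port.isdigit():
            listeners.append((proto, addr, int(port)))
    return listeners


def is_exposed(addr):
    """A listener is reachable from other hosts unless bound to loopback only."""
    return addr in WILDCARDS or not (addr.startswith("127.") or addr == "[::1]")


def audit(listeners, intended):
    """Listeners reachable from other hosts that are not in the intended set."""
    return [(proto, addr, port) for proto, addr, port in listeners
            if is_exposed(addr) and (proto, port) not in intended]


def live_listeners():
    """Parse the real socket table on a Linux host (requires the ss utility)."""
    out = subprocess.run(["ss", "-lntu"], capture_output=True,
                         text=True, check=True).stdout
    return parse_ss(out)


if __name__ == "__main__":
    for entry in audit(parse_ss(SS_OUTPUT), INTENDED):
        print("unexpected exposed listener:", entry)
```

On the sample the audit flags SMB on 445 bound to every interface and a DNS listener on UDP 53, and it accepts the IPv6 SSH listener because (tcp, 22) is intended. MySQL on 127.0.0.1 is not reported because loopback is unreachable from other hosts. A host firewall may already block the flagged ports, but the listener and the rule set should agree; a service that has no business listening should be stopped, not merely filtered.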

Firewalls in Practice

Every major platform ships a firewall. Windows includes Windows Firewall with Domain, Private, and Public profiles. Linux uses the netfilter framework through iptables or nftables. Cloud platforms use security groups. Home routers provide basic filtering plus NAT, which blocks unsolicited inbound traffic by default.

Theory matters, but configuring rules on real platforms is where the knowledge becomes practical. Here is how firewalls work on the most common platforms.

Windows Firewall

Windows includes a built-in host-based firewall, enabled by default. It was named Windows Defender Firewall in Windows 10 and early Windows 11 releases. Windows 11 24H2 returned to the simpler name Windows Firewall. It uses three profiles: Domain, Private, and Public. Each profile carries its own rule set.

Manage basic settings through the Windows Security app. For granular inbound and outbound rules, open Windows Firewall with Advanced Security (wf.msc). PowerShell offers the New-NetFirewallRule cmdlet for scripted management:

# Allow inbound HTTPS on Windows
New-NetFirewallRule -DisplayName "Allow HTTPS" `
  -Direction Inbound -Protocol TCP -LocalPort 443 `
  -Action Allow -Profile Any

Linux iptables and nftables

On Linux, the kernel’s netfilter framework handles packet filtering. The user-space tool is iptables, or its modern successor nftables. Most current distributions use nftables as the default backend, often behind front-ends like ufw or firewalld, and the iptables command on those systems is usually the iptables-nft compatibility layer that translates the old syntax into nftables rules. The iptables syntax remains the most widely documented. In the filter table, rules are organized into chains: INPUT for traffic to the host, OUTPUT for traffic from it, and FORWARD for traffic routed through it.

# -A appends, so the order these commands run in is the evaluation order.
# Accept loopback first; local services bound to 127.0.0.1 depend on it.
iptables -A INPUT -i lo -j ACCEPT

# Allow replies to connections this host opened. conntrack is the current
# match module; "-m state --state" is a deprecated alias for it.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow SSH from internal network only
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT

# Allow HTTP and HTTPS from anywhere
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Drop everything else. The same effect can be had by setting the chain
# policy with "iptables -P INPUT DROP", which survives a later -F flush.
iptables -A INPUT -j DROP

Cloud Security Groups

In AWS, Azure, and Google Cloud, firewalls take the form of security groups, network security groups, and VPC firewall rules, with subnet-level network ACLs on top in AWS. A security group is a virtual firewall for your instances. You define inbound and outbound rules specifying protocols, port ranges, and source or destination addresses. Security groups are stateful: allow an inbound rule and the response traffic is automatically permitted. AWS network ACLs are the exception. They are stateless, so return traffic needs its own rule, typically one covering the ephemeral port range, and a rule set that forgets it will silently break outbound connections.

Home Router Firewalls

Most home routers include a basic network firewall with packet filtering and NAT. NAT acts as a de facto firewall. Unsolicited inbound traffic cannot reach internal devices unless a port-forwarding rule is configured. NAT is a side effect of address sharing rather than a designed security control, and it does not exist for IPv6; on a dual-stack connection it is the router’s stateful firewall, not NAT, that must block unsolicited inbound IPv6 traffic, so check that it is enabled for both. Your router’s admin interface, typically at 192.168.1.1 or 192.168.0.1, offers port forwarding, DMZ settings, and firewall toggles. For most home users, the defaults plus restraint with port forwarding are sufficient.

Firewall vs Other Security Tools

A firewall controls which network traffic passes. It does not scan file contents or catch every attack. Antivirus, IDS/IPS, and VPNs each cover different threat vectors. Defense in depth layers all of them, so a single failed control does not expose the system.

A firewall is critical, but it is not a silver bullet. Knowing what a firewall does not do helps you build a layered strategy. When rules block traffic unexpectedly, a systematic approach finds the layer at fault. Our guide on how to troubleshoot network connectivity walks through that method.

  • Antivirus. Scans files and processes for malware signatures and suspicious behavior. It operates on file content at the host level. A firewall operates on network traffic and cannot detect a virus inside an allowed HTTPS download.
  • IDS/IPS. Detects (IDS) or detects and blocks (IPS) suspicious network activity. It analyzes traffic patterns and payloads for attack signatures. A basic firewall only checks headers. NGFWs often include a built-in IPS.
  • VPN. Encrypts traffic between two endpoints over an untrusted network. It protects data in transit through encryption. A firewall controls which traffic is permitted. VPN traffic still passes through firewalls.

The takeaway: firewalls, antivirus, IDS/IPS, and VPNs address different threat vectors. A strong security posture uses defense in depth. Multiple overlapping layers ensure that one failed control does not expose the system. A firewall blocks unauthorized traffic at the perimeter and on hosts. It relies on other tools for threats arriving through allowed channels, like a malicious attachment on permitted SMTP traffic.

Related Tools & Resources

NetworkCheckr pairs this guide with free references and tools. Use the Port Number Reference to look up any port before writing a rule. The common ports guide and OSI model guide supply the background concepts. All tools run in your browser with no signup.

Frequently Asked Questions

Six questions cover the practical basics. The difference between a firewall and antivirus. Whether a router alone is enough protection. What implicit deny and stateful inspection mean. Whether you should block all incoming traffic. And which ports you should keep open.

What is the difference between a firewall and antivirus?

A firewall controls network traffic. It decides which packets may enter or leave based on rules about IP addresses, ports, and protocols. Antivirus operates at the host level. It scans files, downloads, and running processes for malware signatures and suspicious behavior. A firewall might block an attacker from connecting at all. Antivirus catches malware that arrives through an allowed connection, like an email attachment. You need both for complete protection.

Do I need a firewall if I have a router?

Your router already provides a basic firewall through NAT. Unsolicited inbound traffic cannot reach your devices unless you forward a port. A router firewall is simple, though. It does not inspect application traffic, detect intrusions, or offer granular rules. For home users, the router plus the operating system firewall is usually adequate. Businesses should run a dedicated network firewall or NGFW.

What is an implicit deny rule?

An implicit deny is the default rule at the bottom of a firewall rule set. It blocks all traffic not explicitly permitted by an earlier rule. The principle is deny everything unless specifically allowed. Most enterprise firewalls and cloud security platforms include an implicit deny by default. It is a fundamental best practice because only consciously approved traffic can pass.

What is a stateful firewall?

A stateful firewall tracks active connections in a state table. It does not evaluate each packet in isolation the way a stateless filter does. When an internal host opens a connection, the firewall records the session details. Response packets belonging to that session are then allowed automatically. This makes stateful firewalls far more secure, since they can tell legitimate return traffic from unsolicited inbound packets.

Should I block all incoming traffic?

Blocking all unsolicited incoming traffic is a sound starting point, especially for workstations. That is what an implicit deny rule does. You then allow inbound traffic only for services you intentionally host. A web server needs ports 80 and 443. An SSH server needs port 22. Apply least privilege: start fully blocked, open only required ports, and restrict each to the narrowest source range.

What ports should I keep open?

The answer depends entirely on the services you run. A typical web server needs ports 80 (HTTP) and 443 (HTTPS). Remote management might need port 22 (SSH) from trusted IPs only. A DNS server needs port 53. Keep as few ports open as possible. Restrict access by source IP whenever practical. Audit your open ports regularly and close any that are no longer needed.
