What a firewall actually does
Topic: Networking basics
Summary
A firewall filters packets by rules (source, destination, port, protocol) and allows or drops them. It can be on the host (host firewall) or on a network device. Learn how allow and deny work, stateful vs stateless, and where to place rules so you can configure and debug access. Use this before opening or closing ports.
Intent: How-to
Quick answer
- A firewall matches packets against rules (e.g. source IP, dest port, protocol) and takes an action: accept or drop. Rules are evaluated in order; the first match usually wins; a default policy (accept or drop) applies when no rule matches.
- Stateful firewalls track connections (e.g. TCP handshake); you allow new outbound and allow established/related return traffic so you do not have to open ephemeral ports. Stateless firewalls treat each packet alone.
- Host firewall: filters traffic to/from that host. Network firewall: between segments. Place rules where traffic passes (ingress and egress); deny by default and allow only what is needed.
Steps
- Understand rule matching: Each rule has criteria (e.g. in interface, source IP, dest port, protocol) and an action (accept, drop, reject). The packet is compared to rules in order; the first matching rule's action is applied; if no rule matches, the default policy (e.g. drop) applies.
- Understand stateful vs stateless: Stateful: the firewall tracks connections (e.g. a TCP SYN starts a flow); a rule can allow 'established' and 'related' so return traffic is permitted without a separate rule for ephemeral ports. Stateless: each packet is independent; you must allow both directions explicitly if needed.
- Know where firewalls sit: Host firewall: on the server or client; filters traffic to/from that machine. Network firewall: router or dedicated device between networks; filters traffic between segments. Both can be used together.
- Apply default-deny: Prefer a default policy of drop (or deny); then add allow rules only for required traffic (e.g. SSH, HTTP). This reduces exposure; new services are blocked until you explicitly allow them.
Summary
A firewall filters packets using rules (matching on addresses, ports, protocol) and allows or drops them. Stateful firewalls track connections so return traffic can be allowed with “established/related.” Use default-deny and allow only what is needed. Use this when configuring or troubleshooting access.
Prerequisites
- None; this is a foundation concept.
Steps
Step 1: Understand rule matching
Rules are evaluated in order. A packet is compared to each rule’s criteria (e.g. interface, source, destination, port, protocol). The first matching rule’s action (accept or drop) is applied. If no rule matches, the chain’s default policy (often drop) is used.
Step 2: Understand stateful vs stateless
- Stateful: Tracks connections (e.g. TCP). You allow new outbound and allow established/related so replies are permitted without opening high ports.
- Stateless: No connection tracking; each packet is independent. You may need separate rules for both directions.
Step 3: Know where firewalls sit
- Host firewall: On the machine; filters traffic to and from that host.
- Network firewall: Between networks; filters traffic between segments.
Step 4: Apply default-deny
Set the default policy to drop (or deny). Add explicit allow rules for required traffic (e.g. SSH, HTTP). New or unwanted traffic is blocked by default.
Verification
- You can explain how a packet is matched to rules and what accept/drop do; you know why stateful “established” is useful and why default-deny is preferred.
Troubleshooting
Allowed traffic still blocked — Rule order may put a drop before your allow; move the allow earlier or refine the drop rule. Check that the rule matches the actual traffic (IP, port, interface).
Return traffic blocked — In stateful setups, allow established/related; in stateless, add an allow rule for the return direction or port range.
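The steps and troubleshooting cases above, worked through in a small rule-evaluation model (an added example, not code from the original page or from any real firewall): first match wins, the default policy applies when nothing matches, and connection tracking is what lets one "established" rule admit replies. The addresses, port numbers and rule set are constructed for illustration; "related" tracking is left out.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional
Packet = namedtuple("Packet", "src dst proto sport dport")

@dataclass
class Rule:
    action: str                   # "accept" or "drop"
    proto: Optional[str] = None   # None on a criterion means "any"
    dst: Optional[str] = None
    dport: Optional[int] = None
    state: Optional[str] = None   # "new" or "established"

    def matches(self, pkt, state):
        wanted = ((self.proto, pkt.proto), (self.dst, pkt.dst),
                  (self.dport, pkt.dport), (self.state, state))
        return all(w is None or w == have for w, have in wanted)

class Firewall:
    def __init__(self, rules, policy="drop", stateful=True):
        self.rules, self.policy, self.stateful = rules, policy, stateful
        self.conntrack = set()    # 5-tuples of flows admitted by an accept rule

    def filter(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        tracked = self.stateful and (key in self.conntrack or reverse in self.conntrack)
        state = "established" if tracked else "new"
        for rule in self.rules:   # rules are tried in order; first match wins
            if rule.matches(pkt, state):
                if rule.action == "accept" and self.stateful:
                    self.conntrack.add(key)
                return rule.action
        return self.policy        # nothing matched: the default policy applies

# Constructed sample: 10.0.0.5 runs SSH; 203.0.113.9 is a client (documentation addresses).
RULES = [Rule("accept", state="established"),
         Rule("accept", proto="tcp", dst="10.0.0.5", dport=22, state="new")]
SYN = Packet("203.0.113.9", "10.0.0.5", "tcp", 40000, 22)
REPLY = Packet("10.0.0.5", "203.0.113.9", "tcp", 22, 40000)
HTTPS = Packet("203.0.113.9", "10.0.0.5", "tcp", 40001, 443)

def stateful_demo():      # -> ("accept", "accept", "drop")
    fw = Firewall(RULES, policy="drop", stateful=True)
    return fw.filter(SYN), fw.filter(REPLY), fw.filter(HTTPS)

def stateless_demo():     # -> ("accept", "drop"): the reply needs its own rule
    fw = Firewall(RULES, policy="drop", stateful=False)
    return fw.filter(SYN), fw.filter(REPLY)

def misordered_demo():    # -> "drop": a broad drop rule sits before the SSH allow
    return Firewall([Rule("drop", proto="tcp"), RULES[1]]).filter(SYN)
```

`stateless_demo` reproduces the "return traffic blocked" case and `misordered_demo` the "allowed traffic still blocked" case from the troubleshooting list.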