Firewall

A network security device or software layer that filters incoming and outgoing traffic based on rules, blocking or allowing packets by source, destination, port, protocol, or content.

What is a firewall?

A firewall is a device or software layer that enforces a security policy on network traffic passing through it. It inspects each packet (or connection) against a list of rules and either permits, denies, or rejects the traffic. Firewalls are typically placed at network boundaries — between a home/office network and the internet, between a server and the public internet, or between isolated network segments inside an organization.

Every major operating system includes a built-in firewall (iptables/nftables on Linux, Windows Defender Firewall, pf on macOS and BSD), and every router sold to consumers has one too.

Types of firewall

Firewalls have evolved significantly over four generations:

  • Packet-filter firewalls — the original design, making decisions on a per-packet basis using 5-tuple rules (source IP, source port, destination IP, destination port, protocol). Stateless and fast.
  • Stateful firewalls — track connection state so reply traffic is automatically allowed without explicit rules. Modern baseline.
  • Application-layer (proxy) firewalls — understand the contents of HTTP, SMTP, and other protocols, not just the headers. Can block SQL injection, malware downloads, etc.
  • Next-generation firewalls (NGFW) — combine stateful filtering, deep packet inspection, IDS/IPS, TLS inspection, and threat intelligence feeds.

Common rule structures

A basic firewall rule looks like:

ACTION  PROTOCOL  SOURCE           DESTINATION       PORT
ALLOW   TCP       203.0.113.0/24   0.0.0.0/0         443
DENY    ALL       0.0.0.0/0        0.0.0.0/0         ANY

The principle of least privilege is the rule of thumb: start with a default-deny policy and add ALLOW rules only for the specific traffic you need. Most breaches involve services that were unintentionally exposed to the internet by overly broad firewall rules.
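As an added illustration (this is not code from the page or from its tools), the Python below evaluates the rule table above with packet-filter semantics (first match wins, default deny) and then wraps the same rules in the connection table that lets a stateful firewall admit reply traffic without an explicit rule, as the bullet on stateful firewalls describes. The rule text and packet addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
# Constructed rule set in the ACTION/PROTOCOL/SOURCE/DESTINATION/PORT layout of the table above.
RULES_TEXT = """
ALLOW   TCP   203.0.113.0/24   0.0.0.0/0   443
DENY    ALL   0.0.0.0/0        0.0.0.0/0   ANY
"""

@dataclass(frozen=True)
class Rule:
    action: str             # "ALLOW" or "DENY"
    proto: str              # "TCP", "UDP", ... or "ALL"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]     # destination port; None means ANY

def parse_rules(text):
    """Parse one rule per line; order is kept because evaluation is first-match."""
    rules = []
    for line in text.strip().splitlines():
        action, proto, src, dst, port = line.split()
        rules.append(Rule(action, proto, ipaddress.ip_network(src),
                          ipaddress.ip_network(dst), None if port == "ANY" else int(port)))
    return rules

def stateless_decision(rules, proto, src, sport, dst, dport):
    """Packet-filter semantics: each packet judged alone, first match wins, no match is denied."""
    for r in rules:
        if r.proto not in ("ALL", proto):
            continue
        if ipaddress.ip_address(src) not in r.src or ipaddress.ip_address(dst) not in r.dst:
            continue
        if r.port is not None and r.port != dport:
            continue
        return r.action
    return "DENY"   # default-deny when nothing matched

class StatefulFirewall:
    """Same rules plus a connection table, so replies to allowed flows need no rule of their own."""
    def __init__(self, rules):
        self.rules = rules
        self.conns = set()  # allowed flows as (proto, src, sport, dst, dport)
    def decide(self, proto, src, sport, dst, dport):
        if (proto, dst, dport, src, sport) in self.conns:
            return "ALLOW"  # reversed 5-tuple matches an established flow
        action = stateless_decision(self.rules, proto, src, sport, dst, dport)
        if action == "ALLOW":
            self.conns.add((proto, src, sport, dst, dport))
        return action
```

With only the stateless evaluator, the server's reply (source port 443 back to the client) hits the DENY-ALL row; the stateful wrapper allows it once the outbound client packet has been seen.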

Testing firewall rules

Our port checker performs an external TCP probe to verify whether a rule is actually allowing or blocking traffic as intended, and our CIDR to IP range tool converts CIDR blocks into explicit start/end addresses for firewalls that don't natively support CIDR syntax.

Frequently Asked Questions

What is the difference between a firewall and antivirus?

A firewall filters traffic at the network boundary based on rules (source/destination IP, port, protocol). Antivirus inspects files and processes already on the machine for known malicious patterns or suspicious behavior. They are complementary: a firewall blocks what shouldn't reach you, antivirus catches what slips through. Modern endpoint security suites bundle both with EDR (Endpoint Detection and Response) for behavior monitoring.

Does a NAT router protect me without a firewall?

A NAT router gives you partial protection because unsolicited inbound connections have no internal IP to map to and get dropped. But NAT is not a security feature — it does not filter outbound connections, malware-initiated reverse tunnels, or traffic between devices on the same LAN. Most home routers include a stateful firewall on top of NAT, and every modern OS has its own host firewall, which catches threats that come in over allowed connections.

What is the difference between a stateless and a stateful firewall?

A stateless firewall evaluates each packet in isolation against a static rule list. A stateful firewall tracks active connections (the connection table) and automatically allows return traffic for sessions you initiated, without needing an explicit rule. Stateful is the modern baseline because writing stateless rules for two-way traffic is error-prone and has historically caused outages.

Can a firewall stop a DDoS attack?

A firewall can mitigate small application-layer attacks by rate-limiting or blocking specific IPs, but it cannot stop a volumetric DDoS that saturates your upstream link — the bandwidth is consumed before the firewall ever sees the packets. Volumetric DDoS protection requires upstream scrubbing at an ISP or specialized provider (Cloudflare, AWS Shield, Akamai, Imperva) that has the capacity to absorb terabits of traffic.

What is a WAF (web application firewall)?

A WAF is an application-layer firewall that inspects HTTP/HTTPS requests for attack patterns — SQL injection, cross-site scripting, command injection, path traversal, malicious bots — and blocks them before they reach the web app. Unlike a network firewall that filters by IP and port, a WAF understands HTTP request bodies, headers, and cookies. Modern WAFs (Cloudflare, AWS WAF, Akamai) also include bot management and rate limiting per route.