Reference notes.

Firewalls filter network traffic based on rules, controlling what enters and exits a network or host. They operate primarily at Layer 3 (IP) and Layer 4 (TCP/UDP).

Types of Firewalls

Type               Description                               Example
Packet filter      Stateless, examines individual packets    Basic ACLs
Stateful           Tracks connection state                   iptables, pf
Application (L7)   Inspects application data                 WAF, next-gen firewalls
Host-based         Runs on individual hosts                  iptables, Windows Firewall
Network-based      Dedicated appliance/device                pfSense, Cisco ASA

Stateful vs Stateless

  • Stateless: Each packet evaluated independently. Must explicitly allow both directions.
  • Stateful: Tracks connections. Return traffic automatically allowed for established connections.

Linux Firewalls

  • nftables - The standard Linux firewall framework, replacing iptables. Cleaner syntax, better performance, unified IPv4/IPv6 handling. Default on Debian 10+, RHEL 9+, and most modern distributions.
  • iptables - Legacy firewall, still widely documented. Modern distributions provide iptables as a compatibility wrapper (iptables-nft) that translates rules to nftables under the hood.
  • UFW - Simplified frontend for iptables/nftables (Ubuntu/Debian)
  • firewalld - Zone-based frontend, uses nftables backend by default (RHEL/Fedora)

iptables Chains

  • INPUT - Incoming traffic destined for host
  • OUTPUT - Outgoing traffic from host
  • FORWARD - Traffic passing through (routing)

macOS/BSD: pf (Packet Filter)

OpenBSD’s packet filter, also used on macOS and FreeBSD.

Common Firewall Rules Pattern

  1. Default deny incoming
  2. Allow all outgoing
  3. Allow established/related incoming (stateful)
  4. Allow loopback
  5. Allow ICMP (optional)
  6. Allow specific services (SSH, HTTP, etc.)
  7. Log dropped packets
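
The seven steps above as a single nftables ruleset for a host that is not a router. This is an added example, not from the original notes; the management range 203.0.113.0/24 is a placeholder, and the SSH rate limit and the log rate limit are assumptions a practitioner would tune. Load with `nft -f` and inspect with `nft list ruleset`.

```nft
#!/usr/sbin/nft -f
# Constructed example: the seven-step pattern as one nftables ruleset.
# Assumes a single host with one inet table; 203.0.113.0/24 is a placeholder
# management range (IPv4 only; add an ipv6_addr set for IPv6 admins).

flush ruleset

table inet filter {
    set admin_nets {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24 }   # placeholder: where SSH may come from
    }

    chain input {
        type filter hook input priority filter; policy drop;   # 1. default deny incoming

        iif "lo" accept                                        # 4. allow loopback
        ct state established,related accept                    # 3. stateful return traffic
        ct state invalid drop                                   # never let untracked junk through

        # 5. ICMP (optional): enough for ping and path MTU discovery, nothing more
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        # 6. specific services: SSH only from the admin range and only 5 new
        #    connections per minute (brute-force limit); HTTP/HTTPS from anywhere
        tcp dport 22 ip saddr @admin_nets ct state new limit rate 5/minute burst 10 packets accept
        tcp dport { 80, 443 } accept

        # 7. log what falls through to the drop policy; the limit keeps a flood of
        #    unwanted packets from turning the log itself into a DoS vector
        limit rate 10/minute burst 20 packets log prefix "nft-drop: " level info
    }

    chain forward {
        type filter hook forward priority filter; policy drop;   # host is not a router
    }

    chain output {
        type filter hook output priority filter; policy accept;  # 2. allow all outgoing
    }
}
```

Because the `log` rule has no verdict, a packet that matches it continues to the chain's drop policy, so logging and dropping stay consistent. Note that the ordering matters: the established/related rule must sit above the service rules, or the rate limit on port 22 would also throttle packets of already-accepted sessions.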

Security Best Practices

  • Default deny - Block everything, allow only what’s needed
  • Principle of least privilege - Minimal necessary access
  • Limit SSH access - Restrict by IP or use fail2ban
  • Rate limiting - Prevent brute force and DDoS
  • Log and monitor - Track blocked traffic
  • Keep rules simple - Complex rules lead to mistakes
  • Regular audits - Review and clean up rules

eBPF and XDP

eBPF (extended Berkeley Packet Filter) enables programmable packet processing in the Linux kernel without modifying kernel code. XDP (eXpress Data Path) uses eBPF to process packets at the earliest possible point in the network stack, achieving near-hardware speeds.

  • Cilium - eBPF-based networking, security, and observability for Kubernetes. Replaces traditional iptables-based kube-proxy with eBPF programs.
  • XDP firewalling - Process and filter packets before they reach the normal network stack, enabling high-performance DDoS mitigation.
  • Cloudflare, Meta, and others use eBPF/XDP heavily for DDoS protection and load balancing at scale.

Cloud-Native Firewalls

  • Security groups - AWS, Azure, GCP all provide stateful virtual firewalls attached to instances/VMs
  • Network policies - Kubernetes-native L3/L4 rules (enforced by CNI plugins like Cilium or Calico)
  • Service meshes - mTLS and L7 policy enforcement (Istio, Linkerd)
  • WAF-as-a-service - Cloudflare, AWS WAF, etc. for L7 filtering
