Firewalls filter network traffic based on rules, controlling what enters and exits a network or host. They operate primarily at Layer 3 (IP) and Layer 4 (TCP/UDP).
Types of Firewalls
| Type | Description | Example |
|---|---|---|
| Packet filter | Stateless, examines individual packets | Basic ACLs |
| Stateful | Tracks connection state | iptables, pf |
| Application (L7) | Inspects application data | WAF, next-gen firewalls |
| Host-based | Runs on individual hosts | iptables, Windows Firewall |
| Network-based | Dedicated appliance/device | pfSense, Cisco ASA |
Stateful vs Stateless
- Stateless: Each packet evaluated independently. Must explicitly allow both directions.
- Stateful: Tracks connections. Return traffic automatically allowed for established connections.
Linux Firewalls
- iptables - Traditional Linux firewall, widely documented
- nftables - Modern replacement for iptables, cleaner syntax
- UFW - Simplified frontend for iptables (Ubuntu/Debian)
- firewalld - Zone-based frontend (RHEL/Fedora)
iptables Chains
- INPUT - Incoming traffic destined for host
- OUTPUT - Outgoing traffic from host
- FORWARD - Traffic passing through (routing)
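The two styles side by side, as an added example that is not part of the original page: the same goal ("accept SSH to this host") written once as stateless rules and once as stateful rules for iptables, using the INPUT and OUTPUT chains listed above. The functions only print the commands; port 22 as the SSH port and the drop policies are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): "accept SSH to this host" as
# stateless rules and as stateful rules for iptables. The functions only emit
# the commands; run with APPLY=1 as root to execute the stateful set.
# Chains: INPUT = traffic destined for this host, OUTPUT = traffic from it.

# Stateless: every direction must be allowed explicitly, so the reply packets
# (leaving from source port 22) need their own rule. "! --syn" on the return
# rule is the most a stateless filter can do to avoid also accepting brand-new
# outbound connections that happen to use source port 22.
stateless_ssh_rules() {
    cat <<'EOF'
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 ! --syn -j ACCEPT
EOF
}

# Stateful: connection tracking recognises replies as part of an ESTABLISHED
# connection, so one generic rule per chain covers the return path of every
# allowed service; only the first packet (NEW) of an SSH session needs a rule.
stateful_ssh_rules() {
    cat <<'EOF'
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT  -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# How many rules mention a given service port: the stateless set needs one per
# direction, the stateful set needs exactly one.
count_port_rules() {   # $1 = function name, $2 = port number
    "$1" | grep -c -- "port $2"
}

if [ "${APPLY:-0}" = "1" ]; then
    stateful_ssh_rules | sh -e
else
    echo "# stateless (both directions explicit):"; stateless_ssh_rules
    echo "# stateful (return traffic via conntrack):"; stateful_ssh_rules
fi
```

The point the counts make: with conntrack, adding a second service (say HTTP) means one more INPUT rule, whereas the stateless version needs a matching OUTPUT rule for every service and still cannot tell a genuine reply from a new connection with a forged source port.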
macOS/BSD: pf (Packet Filter)
OpenBSD’s packet filter, also used on macOS and FreeBSD.
Common Firewall Rules Pattern
- Default deny incoming
- Allow all outgoing
- Allow established/related incoming (stateful)
- Allow loopback
- Allow ICMP (optional)
- Allow specific services (SSH, HTTP, etc.)
- Log dropped packets
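The whole pattern as one host ruleset for nftables, as an added example that is not part of the original page. The script generates the ruleset text; the admin network 192.0.2.0/24 (an RFC 5737 documentation prefix used as a placeholder), the SSH port and the web ports are assumptions set via environment variables, and `nft -c` is used as a syntax check before loading.

```shell
#!/bin/sh
# Added example (not from the original page): generate an nftables ruleset that
# implements "default deny in, allow out, established/related, loopback, ICMP,
# named services, log drops". Network and ports below are assumptions.
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"   # placeholder documentation prefix
SSH_PORT="${SSH_PORT:-22}"
WEB_PORTS="${WEB_PORTS:-80, 443}"

generate_ruleset() {
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        # default deny incoming
        type filter hook input priority 0; policy drop;

        # allow loopback
        iif lo accept

        # stateful: replies and related traffic (e.g. ICMP errors) come back
        ct state established,related accept
        ct state invalid drop

        # ICMP (optional): echo plus the error messages a host needs to work
        icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # SSH only from the admin network, new connections rate limited
        tcp dport $SSH_PORT ip saddr $ADMIN_NET ct state new limit rate 6/minute accept

        # public services
        tcp dport { $WEB_PORTS } accept

        # log (rate limited) what the policy is about to drop
        limit rate 10/minute log prefix "nft-drop: " level info
    }
    chain forward {
        # this host does not route
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        # allow all outgoing
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# True when the generated ruleset contains the given rule text.
ruleset_has() {   # $1 = fixed string to look for
    generate_ruleset | grep -q -- "$1"
}

if [ "${APPLY:-0}" = "1" ]; then
    # -c checks syntax without loading; only load if the check passes
    generate_ruleset | nft -c -f - && generate_ruleset | nft -f -
else
    generate_ruleset
fi
```

Run it plainly to review the text, then `APPLY=1 sh firewall.sh` as root to install it; the log line has no verdict, so the packet continues to the chain's `policy drop` after being logged, and the `limit rate` keeps a flood of dropped packets from filling the log.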
Security Best Practices
- Default deny - Block everything, allow only what’s needed
- Principle of least privilege - Minimal necessary access
- Limit SSH access - Restrict by IP or use fail2ban
- Rate limiting - Prevent brute force and DDoS
- Log and monitor - Track blocked traffic
- Keep rules simple - Complex rules lead to mistakes
- Regular audits - Review and clean up rules
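A small audit check for the "regular audits" point, as an added example that is not part of the original page: it reads an `iptables-save` dump and flags three of the practices above when they are missing (a default policy of ACCEPT on INPUT or FORWARD, SSH accepted from any source, and no LOG rule). Both dumps embedded below are constructed samples, not output from a real host; the check names and thresholds are mine.

```shell
#!/bin/sh
# Added example (not from the original page): audit an iptables-save dump for
# three common deviations from the best practices above. The two rule dumps
# are constructed samples for the demonstration.

# Constructed sample: open default policy, SSH from anywhere, no logging.
BAD_RULES=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
)

# Constructed sample that follows the pattern: default deny, SSH restricted to
# the admin network and rate limited, dropped packets logged.
GOOD_RULES=$(cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 6/min -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "ipt-drop: "
COMMIT
EOF
)

# Read a dump on stdin, print one "FINDING:" line per problem.
audit_rules() {
    awk '
    # ":CHAIN POLICY [pkts:bytes]" header lines carry the default policy
    /^:(INPUT|FORWARD) ACCEPT/ {
        sub(/^:/, "")
        print "FINDING: chain " $1 " has default policy ACCEPT (expected DROP)"
    }
    # an INPUT accept for port 22 with no -s source restriction
    /^-A INPUT/ && /--dport 22( |$)/ && /-j ACCEPT/ && !/ -s / {
        print "FINDING: SSH accepted from any source: " $0
    }
    /-j LOG/ { logged = 1 }
    END {
        if (!logged) print "FINDING: no LOG rule, dropped packets are not recorded"
    }'
}

# Number of findings for the dump on stdin (0 means the checks all passed).
finding_count() {
    audit_rules | grep -c '^FINDING'
}

if [ -n "${RULES_FILE:-}" ]; then
    audit_rules < "$RULES_FILE"        # e.g. RULES_FILE=<(iptables-save) in bash
else
    echo "== constructed sample with problems =="
    printf '%s\n' "$BAD_RULES" | audit_rules
    echo "== constructed sample following the pattern =="
    printf '%s\n' "$GOOD_RULES" | audit_rules
fi
```

On a live host, `iptables-save > rules.txt; RULES_FILE=rules.txt sh audit.sh` runs the same checks against the real configuration; extend the awk block with one pattern per rule you want to enforce rather than one large expression, which keeps the audit as readable as the ruleset it checks.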