The plain definition
A firewall is a system — software, hardware, or both — that sits between two networks (or between a device and the network) and inspects the traffic crossing the boundary. For each packet or connection it consults a set of rules and makes a binary decision: allow or block. The rules match on the properties a firewall can see: the source and destination IP address, the source and destination port, the protocol (TCP, UDP, ICMP, and so on), and — in modern firewalls — the state of the connection. That is the whole idea; everything else is detail about how thoroughly a firewall inspects, and where it sits.
The types and generations of firewall
Firewalls are usually described by how deeply they inspect traffic — not competing products so much as successive layers of capability, where a modern firewall generally does all the earlier things plus more.
Packet filtering (stateless)
The oldest and simplest kind. A stateless packet filter looks at each packet in isolation and compares its header fields — source and destination IP, source and destination port, protocol — against a rule list. If a rule matches, it applies that verdict; otherwise the default policy decides. Because it keeps no memory of previous packets, it cannot tell a reply to a connection you started from a packet arriving out of the blue. That makes it fast and cheap, but blunt: to allow replies to your outbound web requests you would have to permit broad inbound port ranges — exactly the kind of hole you want to avoid.
Stateful inspection
The improvement that made firewalls genuinely usable. A stateful firewall keeps a state table of active connections. When your laptop opens a TCP connection to a web server, the firewall records that flow — the addresses, ports, and connection state — and then automatically permits the return packets that match it, dropping unsolicited inbound packets that match no entry. You no longer need a rule for the replies; the firewall infers them from the connection you started. Stateful inspection is the baseline for essentially every firewall in use today, from the one in your operating system to enterprise appliances.
Application-layer and next-generation firewalls
Packet filters and stateful firewalls mostly work at the network and transport layers — they care about addresses, ports, and connection state, not about what the traffic actually is. An application-layer firewall (or proxy firewall) understands specific protocols, so it can reason about the content of a request rather than just its envelope. A next-generation firewall (NGFW) bundles this with deep packet inspection, application awareness (recognising the app behind traffic regardless of its port number), and often intrusion prevention and TLS inspection. The point is that a port number no longer tells you much — plenty of applications tunnel over the same few open ports — so NGFWs try to identify and control the actual application in play.
Web application firewalls (WAFs)
A WAF sits in front of a web application and inspects HTTP and HTTPS requests specifically, looking for attacks aimed at the application itself — SQL injection, cross-site scripting, and similar. That is a different job from a network firewall, which decides whether a connection to your web server is allowed at all; a WAF assumes the connection is allowed and scrutinises what the request is trying to do. The two are complementary and often deployed together.
Where firewalls actually live
There is rarely just one firewall between you and the internet. The same packet can pass through several, each enforcing its own policy at a different point.
- Host firewalls, on the device itself. Your operating system ships with one: Windows Defender Firewall on Windows, the
pfpacket filter on macOS, andiptablesor the newernftableson Linux. These control traffic in and out of that one machine and are the last line of defence — they apply even to traffic from another device on your own local network. - Your home router's firewall, at the network edge. Almost every consumer router runs a stateful firewall facing the internet, usually with a default policy that blocks all unsolicited inbound connections. This protects every device in your home at once, and it is what you reconfigure when you set up port forwarding.
- Cloud and network firewalls, in front of servers. Cloud providers expose firewall layers such as security groups and network ACLs; data centres and enterprises run dedicated firewall appliances. These guard servers and whole networks rather than a single desktop, but the core allow-or-block logic is identical.
Default-deny vs default-allow, inbound vs outbound
Every firewall has a default policy — what happens to a packet that matches no explicit rule. Default-deny blocks anything not expressly permitted; you open holes deliberately, one service at a time. This is the secure, widely recommended stance and what your home router does for inbound internet traffic out of the box. Default-allow is the opposite — everything is permitted unless a rule blocks it — which is more permissive and only sensible in trusted contexts, because anything you forgot about gets through.
Rules also have a direction. Inbound rules govern connections coming toward you; outbound rules govern connections your device or network initiates. Most people only think about inbound filtering, since that blocks strangers from reaching your machine. But outbound filtering matters too: it can stop a compromised device from “phoning home” or exfiltrating data, which is why some corporate networks block outbound connections on all but a few approved ports.
How firewalls relate to ports and port forwarding
Ports and firewalls are tightly linked. A port is a numbered channel on an IP address identifying a particular service — 443 for HTTPS, 22 for SSH, and so on (see the common ports reference). When someone says a port is “open,” they mean a firewall rule permits traffic to reach a service listening on it — and “opening a port” is literally adding that firewall or NAT rule.
This is exactly what port forwarding does on a home router. The router blocks unsolicited inbound traffic by default, so to make an internal service reachable you add a rule: traffic arriving on this external port is allowed and forwarded to this internal IP and port. That single rule is both a firewall exception (permit this inbound traffic) and a NAT instruction (send it here). To confirm a port is actually reachable afterwards, the port checker tests it from the public internet.
How NAT provides accidental firewall-like protection
Network Address Translation was not designed as a security feature — it exists to let many devices share one public IPv4 address — but it produces a firewall-like side effect. Because your router maps outbound connections to internal devices in a translation table, an unsolicited inbound packet has no matching entry: the router does not know which internal device it belongs to, so it drops it. The result is that devices behind NAT are not directly reachable from outside unless you forward a port — much like a default-deny inbound firewall.
Do not overstate it, though. NAT is no substitute for a real firewall — it filters no outbound traffic, protects nothing between devices on the same LAN, and inspects nothing it passes. It is a helpful accident, not a security policy. The same “you cannot be reached from outside” effect is why carrier-grade NAT breaks inbound connections; see what CGNAT is for how a second NAT layer at your ISP compounds it.
What a firewall does not do
A firewall is one layer of defence, and it is easy to overestimate what it covers.
- It is not antivirus. A firewall controls connections; it does not scan files for malware or clean an infected machine. Those are separate tools for a separate job.
- It will not stop you clicking a bad link. If your browser is allowed to reach the web — and it must be, or you could not browse at all — a firewall carries the connection to a phishing page or malicious download just as readily as to a legitimate site. It sees an allowed outbound connection; it cannot see that you were tricked.
- It does not stop attacks it has already allowed through. Once a firewall permits traffic to a service, exploits aimed at that service's own software ride over the permitted connection. An application-layer firewall or WAF can inspect for some of this, but a plain network firewall that allowed the connection is not looking inside it.
- It does not protect against traffic that never crosses it. A host firewall does nothing about a threat already running on that host, and a network firewall does nothing about lateral movement between devices on the same local network.
Frequently asked questions
What is the difference between a stateless and a stateful firewall?
A stateless (packet-filtering) firewall inspects each packet in isolation using only fixed header fields — source and destination IP, port, and protocol — with no memory of what came before. A stateful firewall tracks active connections in a state table, so when you open an outbound connection it automatically permits the matching return traffic without a separate rule. Stateful inspection is the modern default because it is both safer and easier to configure.
Does a firewall replace antivirus software?
No. A firewall controls which connections are allowed in and out; it does not scan files for malware and will not stop you clicking a malicious link or downloading a trojan. If the firewall permits your browser to reach the web — which it must — it carries a malicious download just as happily as a safe one. A firewall is one layer; antivirus, safe habits, and prompt updates are others.
Do I need a firewall if I am behind a home router with NAT?
You already have basic protection: NAT drops unsolicited inbound connections because it has no translation entry for them, much like a default-deny inbound firewall, and most home routers add an explicit stateful firewall on top. But that only covers the network edge — it does nothing between devices on your own LAN and does not filter outbound traffic, so a host firewall on each device still adds real value.
Related reading
- Common ports — the numbered channels firewall rules allow or block, with a reference of what runs where.
- Port forwarding explained — how “opening a port” is really just adding a firewall and NAT rule.
- Port checker — test from the public internet whether a port is actually reachable through your firewall.
- Public vs private IP — the addresses firewall rules match on, and why the distinction matters.
- What is CGNAT? — how a second NAT layer at your ISP adds firewall-like blocking you cannot configure away.
- Networking glossary — short definitions for the terms used throughout this guide.
