Skip to main content
Explainer · networking

What is a firewall? (Network traffic filtering, in plain English)

A firewall is a checkpoint that decides which network traffic is allowed to pass and which gets dropped, based on a set of rules. It sits on your devices, inside your router, and in front of cloud services — and understanding how it works explains a lot of “why can't I connect to this?” mysteries.

The plain definition

A firewall is a system — software, hardware, or both — that sits between two networks (or between a device and the network) and inspects the traffic crossing the boundary. For each packet or connection it consults a set of rules and makes a binary decision: allow or block. The rules match on the properties a firewall can see: the source and destination IP address, the source and destination port, the protocol (TCP, UDP, ICMP, and so on), and — in modern firewalls — the state of the connection. That is the whole idea; everything else is detail about how thoroughly a firewall inspects, and where it sits.

The types and generations of firewall

Firewalls are usually described by how deeply they inspect traffic — not competing products so much as successive layers of capability, where a modern firewall generally does all the earlier things plus more.

Packet filtering (stateless)

The oldest and simplest kind. A stateless packet filter looks at each packet in isolation and compares its header fields — source and destination IP, source and destination port, protocol — against a rule list. If a rule matches, it applies that verdict; otherwise the default policy decides. Because it keeps no memory of previous packets, it cannot tell a reply to a connection you started from a packet arriving out of the blue. That makes it fast and cheap, but blunt: to allow replies to your outbound web requests you would have to permit broad inbound port ranges — exactly the kind of hole you want to avoid.

Stateful inspection

The improvement that made firewalls genuinely usable. A stateful firewall keeps a state table of active connections. When your laptop opens a TCP connection to a web server, the firewall records that flow — the addresses, ports, and connection state — and then automatically permits the return packets that match it, dropping unsolicited inbound packets that match no entry. You no longer need a rule for the replies; the firewall infers them from the connection you started. Stateful inspection is the baseline for essentially every firewall in use today, from the one in your operating system to enterprise appliances.

Application-layer and next-generation firewalls

Packet filters and stateful firewalls mostly work at the network and transport layers — they care about addresses, ports, and connection state, not about what the traffic actually is. An application-layer firewall (or proxy firewall) understands specific protocols, so it can reason about the content of a request rather than just its envelope. A next-generation firewall (NGFW) bundles this with deep packet inspection, application awareness (recognising the app behind traffic regardless of its port number), and often intrusion prevention and TLS inspection. The point is that a port number no longer tells you much — plenty of applications tunnel over the same few open ports — so NGFWs try to identify and control the actual application in play.

Web application firewalls (WAFs)

A WAF sits in front of a web application and inspects HTTP and HTTPS requests specifically, looking for attacks aimed at the application itself — SQL injection, cross-site scripting, and similar. That is a different job from a network firewall, which decides whether a connection to your web server is allowed at all; a WAF assumes the connection is allowed and scrutinises what the request is trying to do. The two are complementary and often deployed together.

Where firewalls actually live

There is rarely just one firewall between you and the internet. The same packet can pass through several, each enforcing its own policy at a different point.

Default-deny vs default-allow, inbound vs outbound

Every firewall has a default policy — what happens to a packet that matches no explicit rule. Default-deny blocks anything not expressly permitted; you open holes deliberately, one service at a time. This is the secure, widely recommended stance and what your home router does for inbound internet traffic out of the box. Default-allow is the opposite — everything is permitted unless a rule blocks it — which is more permissive and only sensible in trusted contexts, because anything you forgot about gets through.

Rules also have a direction. Inbound rules govern connections coming toward you; outbound rules govern connections your device or network initiates. Most people only think about inbound filtering, since that blocks strangers from reaching your machine. But outbound filtering matters too: it can stop a compromised device from “phoning home” or exfiltrating data, which is why some corporate networks block outbound connections on all but a few approved ports.

How firewalls relate to ports and port forwarding

Ports and firewalls are tightly linked. A port is a numbered channel on an IP address identifying a particular service — 443 for HTTPS, 22 for SSH, and so on (see the common ports reference). When someone says a port is “open,” they mean a firewall rule permits traffic to reach a service listening on it — and “opening a port” is literally adding that firewall or NAT rule.

This is exactly what port forwarding does on a home router. The router blocks unsolicited inbound traffic by default, so to make an internal service reachable you add a rule: traffic arriving on this external port is allowed and forwarded to this internal IP and port. That single rule is both a firewall exception (permit this inbound traffic) and a NAT instruction (send it here). To confirm a port is actually reachable afterwards, the port checker tests it from the public internet.

How NAT provides accidental firewall-like protection

Network Address Translation was not designed as a security feature — it exists to let many devices share one public IPv4 address — but it produces a firewall-like side effect. Because your router maps outbound connections to internal devices in a translation table, an unsolicited inbound packet has no matching entry: the router does not know which internal device it belongs to, so it drops it. The result is that devices behind NAT are not directly reachable from outside unless you forward a port — much like a default-deny inbound firewall.

Do not overstate it, though. NAT is no substitute for a real firewall — it filters no outbound traffic, protects nothing between devices on the same LAN, and inspects nothing it passes. It is a helpful accident, not a security policy. The same “you cannot be reached from outside” effect is why carrier-grade NAT breaks inbound connections; see what CGNAT is for how a second NAT layer at your ISP compounds it.

What a firewall does not do

A firewall is one layer of defence, and it is easy to overestimate what it covers.

Frequently asked questions

What is the difference between a stateless and a stateful firewall?

A stateless (packet-filtering) firewall inspects each packet in isolation using only fixed header fields — source and destination IP, port, and protocol — with no memory of what came before. A stateful firewall tracks active connections in a state table, so when you open an outbound connection it automatically permits the matching return traffic without a separate rule. Stateful inspection is the modern default because it is both safer and easier to configure.

Does a firewall replace antivirus software?

No. A firewall controls which connections are allowed in and out; it does not scan files for malware and will not stop you clicking a malicious link or downloading a trojan. If the firewall permits your browser to reach the web — which it must — it carries a malicious download just as happily as a safe one. A firewall is one layer; antivirus, safe habits, and prompt updates are others.

Do I need a firewall if I am behind a home router with NAT?

You already have basic protection: NAT drops unsolicited inbound connections because it has no translation entry for them, much like a default-deny inbound firewall, and most home routers add an explicit stateful firewall on top. But that only covers the network edge — it does nothing between devices on your own LAN and does not filter outbound traffic, so a host firewall on each device still adds real value.

Related reading