What Is a Firewall
A firewall is a defensive barrier placed between a trusted internal network and an untrusted external network - typically the internet. It monitors and controls incoming and outgoing traffic based on predefined rules.
Think of it like a security guard at a building entrance. Just as the guard checks visitor IDs and only admits authorized individuals, a firewall inspects the source, destination, and content of network packets, allowing only permitted traffic to pass through. By blocking unauthorized access and malicious communications, firewalls serve as a foundational technology for network security. For a concise overview of what a firewall is and why it matters, see our companion article.
On the IP Check-san homepage, you can check your current IP address and connection details. When verifying that your firewall is working correctly, it is important to first understand your own network environment.
Types of Firewalls
Firewalls are classified into several types based on the depth and method of their inspection. Understanding each type helps you choose the right defense strategy.
Packet Filtering
The most basic type of firewall, packet filtering inspects only packet header information - source IP address, destination IP address, port number, and protocol. While fast, it does not examine packet payloads, limiting its ability to detect sophisticated attacks.
Stateful Inspection
An evolution of packet filtering, stateful inspection tracks the "state" of connections. For example, it allows response packets for connections initiated from inside the network while blocking unsolicited inbound packets. This context-aware approach is used by most modern firewall products.
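The connection tracking described above can be modeled in a few lines. This is an added teaching example, not code from any firewall product: the class name, the 60-second idle timeout, and the sample addresses are assumptions chosen for illustration.

```python
import time

class StatefulFilter:
    """Toy connection tracker: inbound packets pass only as replies to tracked outbound flows."""

    def __init__(self, idle_timeout=60.0, clock=time.monotonic):
        self.idle_timeout = idle_timeout   # assumed value; real products use per-protocol timers
        self.clock = clock
        self.table = {}  # (proto, inside_ip, inside_port, outside_ip, outside_port) -> last seen

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port, flags=""):
        """An inside host sends a packet: create or refresh the flow entry."""
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        if "R" in flags:
            self.table.pop(key, None)      # RST tears the flow down
        else:
            self.table[key] = self.clock()
        return "ALLOW"

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port, flags=""):
        """An outside host sends a packet: allow only if it mirrors a live flow."""
        key = (proto, dst_ip, dst_port, src_ip, src_port)   # reversed 5-tuple
        seen = self.table.get(key)
        if seen is None:
            return "DROP"                  # unsolicited: nothing inside started this
        if self.clock() - seen > self.idle_timeout:
            del self.table[key]            # entry aged out
            return "DROP"
        if "R" in flags:
            del self.table[key]            # peer closed the flow
        else:
            self.table[key] = self.clock()
        return "ALLOW"

def demo():
    """Constructed traffic: 192.168.1.10 is inside; the other addresses are outside."""
    now = [0.0]
    fw = StatefulFilter(idle_timeout=60.0, clock=lambda: now[0])
    fw.outbound("tcp", "192.168.1.10", 50000, "198.51.100.7", 443, "S")
    results = [
        fw.inbound("tcp", "198.51.100.7", 443, "192.168.1.10", 50000, "SA"),  # reply to our SYN
        fw.inbound("tcp", "203.0.113.9", 443, "192.168.1.10", 50000, "SA"),   # different peer
        fw.inbound("tcp", "198.51.100.7", 443, "192.168.1.10", 22, "S"),      # new inbound flow
    ]
    now[0] = 120.0                         # two minutes of silence
    results.append(fw.inbound("tcp", "198.51.100.7", 443, "192.168.1.10", 50000, "A"))
    return results
```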
Application Layer Firewall (WAF)
A WAF (Web Application Firewall) inspects HTTP/HTTPS traffic at the application layer. It can detect and block attacks specific to web applications, such as SQL injection and cross-site scripting (XSS). Deep Packet Inspection (DPI) enables it to scrutinize the actual content of communications. Combined with security headers, it can further strengthen web application defenses.
Next-Generation Firewall (NGFW)
An NGFW (Next-Generation Firewall) integrates traditional firewall capabilities with intrusion prevention systems (IPS), application identification, threat intelligence, and SSL/TLS inspection into a comprehensive security solution. It has become the standard choice for enterprise networks.
As of 2024-2025, NGFWs are enhancing their threat detection capabilities with machine learning. In addition to traditional signature-based detection, real-time learning and detection of anomalous network traffic patterns has become a standard feature. Cloud-native firewalls (such as AWS Network Firewall and Azure Firewall Premium) are also seeing rapid adoption, driving demand for unified security management across on-premises and cloud environments.
Home Router Firewalls
Home routers include basic firewall functionality that works even without explicit configuration. NAT (Network Address Translation) is primarily an IP address translation technology, but it implicitly acts as a firewall by preventing external devices from directly accessing individual devices on the internal network.
Most home routers feature SPI (Stateful Packet Inspection), which permits only responses to internally initiated connections and blocks unsolicited inbound requests. The router manages each device's IP address and routes traffic based on its NAT table.
However, configuring port forwarding creates a direct path from the internet to your internal network, introducing a security gap. If you open ports for game servers or remote access, limit them to the minimum necessary and close them promptly when no longer needed. Keeping your router firmware up to date is also essential to prevent exploitation of known vulnerabilities. From an IoT security perspective, router management is a critical concern.
Built-in OS Firewalls
Major operating systems come with software firewalls built in. Using them alongside your router's firewall creates a layered defense.
Windows Defender Firewall
Built into Windows and enabled by default, it allows you to configure inbound and outbound rules separately and control communication permissions on a per-application basis. It can apply different rule sets based on network profiles (Domain, Private, Public), automatically enforcing stricter rules on public networks.
macOS Firewall
The macOS firewall operates at the application layer, controlling inbound connections on a per-application basis. Enabling "Stealth Mode" prevents the system from responding to ping requests and connection probes, hiding its presence on the network. Note that the macOS firewall is disabled by default - you must enable it manually via System Settings → Network → Firewall.
Linux iptables / nftables
On Linux, iptables (legacy) and nftables (its successor) provide kernel-level packet filtering. They offer highly flexible rule configuration and are widely used in server environments. Frontend tools like UFW (Uncomplicated Firewall) and firewalld make it easier to manage settings intuitively.
Zero Trust and the Evolution of Firewalls
Traditional firewalls are built on the concept of "perimeter defense" - trusting the internal network and blocking threats at the boundary. However, with the rise of remote work and cloud services, the line between "inside" and "outside" has become increasingly blurred.
Zero trust security takes the approach of "verify every access request, regardless of network location." Firewalls remain an important component in a zero trust model, but they are not sufficient on their own. Combined with identity-based access control, micro-segmentation, and continuous authentication and authorization, they form a defense posture capable of addressing modern threats. For those looking to build a comprehensive security strategy, books on zero trust network security provide practical guidance.
From 2024 into 2025, the adoption of SASE (Secure Access Service Edge) has been accelerating. SASE delivers firewall functionality from the cloud and is gaining attention as a secure remote access alternative to VPNs. "Hybrid security" - the unified management of traditional hardware firewalls and cloud-based security services - is becoming the new standard for enterprise networks.
Firewall Configuration in IPv6 Environments
With the spread of IPv6, new considerations are needed for firewall configuration. Because IPv4 and IPv6 are entirely different protocols, firewall rules must be configured separately for each.
In IPv6 environments, NAT is no longer needed, so each device holds a globally unique address. While this improves communication efficiency, it also means external parties can potentially access individual devices directly, making proper firewall filtering essential. The implicit protection that IPv4's NAT provided does not exist in IPv6, and explicit rule configuration is needed to compensate. A solid understanding of both protocols is essential - a firewall configuration best practices guide can help you navigate these differences.
In dual-stack environments (where both IPv4 and IPv6 are active), it is common to see cases where only IPv4 firewall rules are configured while IPv6 is left unprotected. This can allow unauthorized access via IPv6, so it is critical to configure rules for both protocols without gaps. When implementing country-based access control using GeoIP, rules must also be applied to both IPv4 and IPv6 address blocks.
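One way to check a Linux host for the dual-stack gap described above is to compare the output of `iptables-save` and `ip6tables-save`. The following is an added example, not part of the original article; the function names and both sample dumps are constructed for illustration, and it covers only the filter table's INPUT and FORWARD chains.

```python
def parse_save(text):
    """Parse iptables-save / ip6tables-save text: {chain: {"policy", "rules"}} for *filter."""
    chains, table = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif table != "filter":
            continue
        elif line.startswith(":"):                 # e.g. ":INPUT DROP [0:0]"
            name, policy = line[1:].split()[:2]
            chains[name] = {"policy": policy, "rules": []}
        elif line.startswith("-A "):               # e.g. "-A INPUT -p tcp ... -j ACCEPT"
            _, name, *rest = line.split(None, 2)
            chains.setdefault(name, {"policy": "-", "rules": []})["rules"].append(" ".join(rest))
    return chains

def dual_stack_gaps(v4_text, v6_text, chains=("INPUT", "FORWARD")):
    """Report chains where IPv4 is filtered but IPv6 is left open."""
    default = {"policy": "ACCEPT", "rules": []}    # built-in chains accept when nothing is loaded
    v4, v6 = parse_save(v4_text), parse_save(v6_text)
    findings = []
    for chain in chains:
        c4, c6 = v4.get(chain, default), v6.get(chain, default)
        if c4["policy"] == "DROP" and c6["policy"] != "DROP":
            findings.append(f"{chain}: IPv4 policy DROP but IPv6 policy {c6['policy']}")
        if c4["rules"] and not c6["rules"]:
            findings.append(f"{chain}: {len(c4['rules'])} IPv4 rules, no IPv6 rules")
    return findings

# Constructed sample dumps (not taken from a real host).
V4_SAVE = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""
V6_SAVE = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""
```

When closing a gap this check reports, do not copy the IPv4 rules verbatim: IPv6 relies on ICMPv6 for neighbor discovery, so the IPv6 rule set must permit it.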
Limitations of Firewalls
Firewalls are a cornerstone of network security, but they cannot stop every threat. Understanding their limitations is key to building an effective security posture.
- Social engineering: Firewalls cannot prevent users from being tricked into installing malware or entering credentials on fake sites
- Encrypted malware: Malware embedded in HTTPS-encrypted traffic cannot be inspected by standard firewalls
- Insider threats: Attacks or data leaks originating from within the network are outside the scope of perimeter firewalls
- Zero-day attacks: Attacks exploiting unknown vulnerabilities cannot be caught by signature-based detection
- Abuse of legitimate traffic: Attacks that use permitted ports and protocols may pass through undetected
- DNS leaks: If the firewall does not properly control DNS traffic, DNS requests may leak through unintended paths
Actions You Can Take Now
To make the most of firewall protection, follow these steps to check and strengthen your network environment:
- Enable your OS firewall: On macOS in particular, it is disabled by default - make sure to turn it on. Do not disable it because it seems inconvenient or might slow things down
- Configure your home router properly: Change the default admin password and remove unnecessary port forwarding rules
- Keep firmware up to date: Router and OS updates include security patches - apply them promptly
- Do not open unnecessary ports: Close ports for services you are not using
- Practice defense in depth: Do not rely on firewalls alone - combine them with antivirus software, VPNs, and safe browsing habits for multiple layers of security
- When using public Wi-Fi, verify that your firewall settings are configured for public networks
- Check your security score on the IP Check-san homepage to verify that no DNS leaks or WebRTC leaks are detected
- Review firewall logs regularly to check for suspicious connection attempts and take action if anomalies are found
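For the log review step, a short script can summarize which sources the firewall is blocking most. This is an added example, not part of the original article: it assumes UFW-style kernel log lines, the thresholds are arbitrary starting points, and the sample log is constructed using documentation address ranges.

```python
import re
from collections import defaultdict

FIELD = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")

def blocked_events(lines):
    """Yield (source, protocol, destination port) for each UFW block entry."""
    for line in lines:
        if "[UFW BLOCK]" not in line:
            continue
        f = dict(FIELD.findall(line))
        if "SRC" in f and f.get("DPT", "").isdigit():   # ICMP entries carry no DPT
            yield f["SRC"], f.get("PROTO", "?"), int(f["DPT"])

def suspicious_sources(lines, port_threshold=5, hit_threshold=10):
    """Flag sources blocked on many distinct ports, or many times on few ports."""
    ports, hits = defaultdict(set), defaultdict(int)
    for src, proto, dpt in blocked_events(lines):
        ports[src].add((proto, dpt))
        hits[src] += 1
    report = {}
    for src, count in hits.items():
        if len(ports[src]) >= port_threshold:       # assumed threshold
            report[src] = f"sweep across {len(ports[src])} ports"
        elif count >= hit_threshold:                # assumed threshold
            report[src] = f"{count} repeated attempts"
    return report

def sample_line(src, dpt, action="BLOCK"):
    """Build one constructed log line in a simplified UFW kernel-log layout."""
    return (f"Mar  3 10:15:01 gw kernel: [UFW {action}] IN=eth0 OUT= SRC={src} "
            f"DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40000 DPT={dpt} SYN URGP=0")

# Constructed sample log: one source probing six ports, one retrying port 22,
# one single IPv6 hit, and one allowed connection that must be ignored.
SAMPLE_LOG = (
    [sample_line("203.0.113.5", p) for p in (21, 22, 23, 80, 443, 3389)]
    + [sample_line("198.51.100.20", 22)] * 12
    + [sample_line("2001:db8::7", 8080), sample_line("192.0.2.44", 443, "ALLOW")]
)
```

On a real host, pass the lines of the firewall log file to `suspicious_sources` instead of `SAMPLE_LOG`, and tune both thresholds to the normal background noise of the network.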