What is a firewall?

A firewall is a network security device — hardware, software, or both — that monitors incoming and outgoing network traffic and decides whether to allow or block it based on a set of rules. Think of it as a security checkpoint: every packet of data trying to enter or leave a network has to pass inspection first.

Firewalls sit at the boundary between networks — most commonly between your internal private network and the public internet. Without one, any device on the internet could attempt to connect directly to any device on your network.

Firewall traffic flow (diagram): Internet → Firewall → Your Network, with each packet marked either Allowed or Blocked at the firewall.

Firewalls evaluate traffic based on characteristics like source IP address, destination IP address, port number, and protocol (TCP or UDP). Rules are processed in order — the first rule that matches the traffic determines what happens to it.


How firewall rules work — allow and deny

Every firewall operates on a ruleset — an ordered list of conditions and actions. When a packet arrives, the firewall walks through the rules from top to bottom. The first rule that matches wins. If no rule matches, the firewall falls back to a default policy, which is almost always deny all.

🔒 Example Firewall Ruleset

Rule  Protocol  Port         Direction  Action
1     TCP       443 (HTTPS)  Inbound    Allow
2     TCP       80 (HTTP)    Inbound    Allow
3     TCP       22 (SSH)     Inbound    Deny
4     TCP       3389 (RDP)   Inbound    Deny
5     Any       Any          Any        Deny (default)

This ruleset allows web traffic (ports 80 and 443) but blocks remote access attempts over SSH and RDP. Rule 5 — the implicit deny — blocks everything not explicitly permitted. This is the most important concept in firewall design: if you don't explicitly allow something, it gets blocked.

⚡ A+ Exam — Implicit Deny

Implicit deny means traffic is blocked by default unless a rule specifically allows it. This is the standard approach for firewalls and is a heavily tested concept. If traffic hits the bottom of the ruleset with no match, it is denied — even if there's no explicit deny rule written for it.

The opposite approach — implicit allow — would permit everything not specifically blocked. This is generally considered insecure and is rarely used.


Stateless vs stateful firewalls

This is one of the most commonly tested distinctions on the A+ exam. The difference comes down to whether the firewall understands the context of a connection or just evaluates each packet in isolation.

Stateless Firewall: older / basic
Evaluates each packet individually against the ruleset, with no memory of previous packets. It doesn't know if a packet is part of an established connection or a new one — it just checks the rules and decides.
Sees: TCP packet, port 80 → checks rule → Allow

Stateful Firewall: modern / standard
Tracks the state of active connections in a state table. It knows whether a packet is part of an established, related, or new connection. This makes it far better at detecting attacks that exploit the TCP handshake.
Sees: packet → checks state table → part of established session → Allow

Most modern firewalls are stateful. The key advantage is that a stateful firewall can automatically allow return traffic for outbound connections without needing an explicit inbound rule — because it knows the connection was initiated internally.

⚡ A+ Exam — Stateful vs Stateless

Stateless = examines each packet independently, no connection memory, faster but less secure, used in simple ACLs on routers.

Stateful = tracks connection state, understands context, blocks unsolicited inbound traffic automatically, used in most modern firewalls including Windows Defender Firewall.
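To make the two ideas above concrete, here is an added example (not code from the original page) that models the ordered ruleset from the allow-and-deny section, with first match wins and implicit deny, and then adds the state table that lets a stateful firewall admit the reply to a connection the inside opened. The fifth rule (outbound HTTPS) and all addresses and ports are constructed assumptions, not from the page's table.

```python
# Added example (not from the page): toy model of an ordered ruleset (first match wins,
# implicit deny) and of the state table a stateful firewall keeps. Values are constructed.

RULESET = [
    ("TCP", 443, "in", "allow"),    # rule 1: HTTPS to our servers
    ("TCP", 80, "in", "allow"),     # rule 2: HTTP to our servers
    ("TCP", 22, "in", "deny"),      # rule 3: SSH
    ("TCP", 3389, "in", "deny"),    # rule 4: RDP
    ("TCP", 443, "out", "allow"),   # assumed extra rule so inside hosts can browse
]

def first_match(proto, port, direction, ruleset=RULESET):
    """Walk the ruleset top to bottom; the first matching rule decides ("any" is a wildcard)."""
    for r_proto, r_port, r_dir, action in ruleset:
        if r_proto in ("any", proto) and r_port in ("any", port) and r_dir in ("any", direction):
            return action
    return "deny"  # rule 5, the implicit deny: nothing matched

def shadowing_demo():
    """Order matters: a broad deny placed above rule 1 shadows the HTTPS allow."""
    shadowed = [("TCP", "any", "in", "deny")] + RULESET
    return first_match("TCP", 443, "in"), first_match("TCP", 443, "in", shadowed)

class StatefulFirewall:
    """Remembers flows the inside opened, so their replies need no inbound rule."""
    def __init__(self, ruleset=RULESET):
        self.ruleset = ruleset
        self.state = set()  # established flows: (proto, src, sport, dst, dport)

    def inspect(self, proto, src, sport, dst, dport, direction):
        flow = (proto, src, sport, dst, dport)
        reply_of = (proto, dst, dport, src, sport)
        if reply_of in self.state or flow in self.state:
            return "allow"  # part of an established session: skip the ruleset
        action = first_match(proto, dport, direction, self.ruleset)
        if action == "allow" and direction == "out":
            self.state.add(flow)  # remember the session initiated from inside
        return action

if __name__ == "__main__":
    fw = StatefulFirewall()
    # 10.0.0.5 opens HTTPS to 203.0.113.10; the reply targets ephemeral port 50000
    print(fw.inspect("TCP", "10.0.0.5", 50000, "203.0.113.10", 443, "out"))  # allow
    print(fw.inspect("TCP", "203.0.113.10", 443, "10.0.0.5", 50000, "in"))   # allow (state)
    print(first_match("TCP", 50000, "in"))  # deny: a stateless filter sees only an unmatched port
```

The last line is the stateless view of the same reply packet: with no inbound rule for port 50000 it falls through to the implicit deny, which is exactly why a stateless filter needs explicit rules for return traffic.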


Types of firewalls

Host-based Firewall: software
Runs as software on an individual device. Protects only that specific machine. Windows Defender Firewall is a host-based firewall — it's built into every Windows PC and controls traffic in and out of that single computer.

Network Firewall: hardware / appliance
A dedicated device sitting at the network perimeter — between the internet and your internal network. Protects all devices behind it. Your home router has a basic network firewall built in. Enterprise environments use dedicated appliances.

Packet Filtering Firewall: Layers 3–4
The most basic type — inspects packet headers only (IP addresses, ports, protocol). Fast and simple, but can't inspect the actual content of packets. Operates at Layers 3 and 4 of the OSI model.

Application-layer Firewall (WAF): Layer 7
Inspects the actual content of traffic — HTTP requests, DNS queries, email contents. Can block specific applications, websites, or types of content. Operates at Layer 7 (Application) of the OSI model. More powerful but slower.

Ports, protocols, and firewall rules

Firewalls block and allow traffic by port number and protocol. Knowing which services run on which ports is essential for understanding firewall rules — and it's high-yield exam content. Here are the most important port-based rules to recognize:

🔒 Common Port-Based Firewall Rules

Port  Protocol  Service                             Typical rule
80    TCP       HTTP — unencrypted web              Allow
443   TCP       HTTPS — encrypted web               Allow
53    TCP/UDP   DNS — name resolution               Allow
22    TCP       SSH — encrypted remote access       Deny
23    TCP       Telnet — unencrypted remote access  Deny
3389  TCP       RDP — Windows Remote Desktop        Deny
25    TCP       SMTP — email sending                Deny

In practice, the "typical rule" depends on the network. A corporate mail server needs port 25 open. A web server only needs 80 and 443. The principle is to only open ports that the specific device or network actually needs — everything else stays closed.

⚡ A+ Scenario — "Users can browse but can't use remote desktop"

This is a classic firewall scenario on the exam. If users can reach websites (port 80/443 open) but RDP connections fail (port 3389 blocked), the firewall ruleset is doing exactly what a secure configuration should do. The fix — if RDP is needed — is to add an explicit allow rule for port 3389, ideally restricted to specific IP addresses rather than open to everyone.


Windows Defender Firewall — what to know for the exam

The A+ exam specifically tests your knowledge of Windows Defender Firewall, the built-in host-based firewall in Windows. Key things to know:

It has three profiles — Domain (when connected to a corporate domain), Private (home or trusted networks), and Public (coffee shops, airports, unknown networks). The Public profile is the most restrictive by default, blocking most inbound connections.

You access it through Control Panel → Windows Defender Firewall or by searching "firewall" in the Start menu. The advanced settings (Windows Defender Firewall with Advanced Security) let you create specific inbound and outbound rules by port, program, or IP address.

⚡ A+ Exam — Three Firewall Profiles

Domain profile — applies when the PC is connected to a corporate Active Directory domain. Usually configured by IT policy.

Private profile — applies on trusted networks like home. More permissive than Public.

Public profile — applies on unknown networks. Most restrictive — blocks most inbound connections to protect the device on untrusted networks.


Next-Generation Firewalls (NGFW)

Traditional firewalls operate at Layers 3 and 4 — they see IP addresses, ports, and protocols. A Next-Generation Firewall goes further, performing deep packet inspection (DPI) to examine the actual contents of traffic at Layer 7 (the application layer).

This matters because modern attacks don't respect port numbers. Malware can tunnel over port 443 (HTTPS) to bypass traditional firewalls. An NGFW can identify the actual application — not just the port — and make decisions based on content, user identity, and threat intelligence.

Deep Packet Inspection: Layer 7 inspection
Reads inside the packet payload — not just the header. Can identify the actual application regardless of what port it uses.

IPS Integration: integrated capability
Most NGFWs include an inline intrusion prevention system — detecting and blocking known attack patterns in real time.

User & App Control: identity-aware
Rules can be applied per user or group (via Active Directory integration), not just per IP — "block social media for the Sales VLAN."

⚡ NGFW exam shortcut

If a question mentions application-aware, deep packet inspection, Layer 7 filtering, or user-based policies — the answer is Next-Generation Firewall (NGFW).

Traditional firewalls = Layers 3/4 (IP, port, protocol). NGFW = Layer 7 (application content, user identity, threat intelligence).


IDS vs IPS vs Firewall

These three are the most commonly confused security devices on Network+ and Security+. They are related but do fundamentally different things.

Firewall
  Placement: network perimeter, inline
  What it does: allows or blocks traffic based on rules (IP, port, protocol)
  Can it block? Yes — blocks by default policy and rules

IDS
  Placement: out-of-band, monitors a copy of traffic (SPAN port)
  What it does: detects suspicious traffic patterns and alerts — passive monitoring only
  Can it block? No — detects and alerts only, cannot block

IPS
  Placement: inline, traffic flows through it
  What it does: detects suspicious traffic and actively blocks it in real time
  Can it block? Yes — drops malicious packets inline before they reach the destination

⚡ IDS vs IPS — the one-line distinction

IDS = passive. It watches and alerts — like a security camera. Traffic still flows through. Generates logs and alerts for a security team to investigate.

IPS = active. It sits inline and can drop packets in real time — like a security guard who can physically stop someone. The tradeoff: a misconfigured IPS can block legitimate traffic (false positives).

The exam loves asking: "Which device monitors traffic and generates alerts but cannot block?" → IDS. "Which device can actively drop malicious packets?" → IPS.


DMZ — Demilitarised Zone

A DMZ is a network segment that sits between the public internet and the internal private network — a middle ground for servers that need to be publicly accessible (web servers, email servers, DNS servers) without exposing the internal network to direct internet access.

DMZ network layout
Internet
    │
    ▼
[ Firewall — outer ]   ← allows HTTP/HTTPS inbound to DMZ servers
    │
    ▼
[ DMZ — public servers ]  ← web server, email server, public DNS
    │
    ▼
[ Firewall — inner ]   ← strict rules, very little DMZ→internal allowed
    │
    ▼
Internal network — private (databases, file servers, workstations)
📌 Why a DMZ matters

If a web server in the DMZ is compromised, the attacker is trapped in the DMZ — the inner firewall prevents them from reaching the internal network. Without a DMZ, a compromised public-facing server has direct access to everything on the internal network.

Single firewall DMZ: One firewall with three interfaces — internet, DMZ, internal. Simpler but less secure.

Dual firewall DMZ: Two separate firewalls — one facing the internet, one facing the internal network. More secure, more expensive. Best practice for enterprise environments.


ACLs — Access Control Lists

An ACL is a stateless packet filter configured on a router interface. It's not a true firewall — it evaluates each packet independently with no awareness of connection state — but it's the primary traffic control mechanism on routers and is heavily tested on Network+.

ACL vs firewall — key differences
ACL (router)
  Stateless — evaluates each packet independently
  Applied per interface, per direction (inbound or outbound)
  Rules: permit or deny by source/dest IP, port, protocol
  No connection tracking — return traffic needs explicit rules
  Fast — hardware-accelerated in ASICs

Firewall
  Stateful — tracks connection state table
  Sits at network boundary, inspects all traffic
  Automatically allows return traffic for established sessions
  Application-aware (NGFW) — inspects Layer 7 content

WAF — Web Application Firewall

A WAF is a specialised firewall that operates at Layer 7 specifically to protect web applications. Where a traditional firewall can block traffic by IP and port, a WAF understands HTTP/HTTPS and can inspect the content of web requests to detect and block web-specific attacks.

SQL Injection: most common web attack
Attacker injects malicious SQL into form fields to manipulate the database. A WAF detects and blocks requests containing SQL syntax in unexpected places.

Cross-Site Scripting (XSS): script injection
Attacker injects malicious JavaScript into a web page that runs in other users' browsers. A WAF filters out script tags and suspicious payloads in web requests.

DDoS Mitigation: availability attack
WAFs can detect and rate-limit volumetric attacks, bot traffic, and request floods targeting web applications — protecting availability.

⚡ WAF exam shortcut

If the question mentions protecting a web application from SQL injection, XSS, or OWASP Top 10 attacks — the answer is WAF (Web Application Firewall), not a regular firewall or IPS.

A regular firewall sees "HTTPS traffic on port 443 — allow." A WAF opens that HTTPS traffic and reads the HTTP request content to decide if it's an attack.


Exam scenarios

💬 "A security device monitors a copy of network traffic and generates alerts but does not block anything. What is it?" → IDS (Intrusion Detection System)
💬 "Which device sits inline and can actively drop malicious packets before they reach their destination?" → IPS (Intrusion Prevention System)
💬 "A company hosts a public web server and wants to protect the internal network if it's compromised. What network design achieves this?" → DMZ — place the web server in a DMZ segment between two firewalls
💬 "Which firewall type can identify traffic by application rather than just port number?" → Next-Generation Firewall (NGFW) — uses deep packet inspection at Layer 7
💬 "A web application is being attacked with SQL injection. Which security device is specifically designed to block this?" → WAF (Web Application Firewall)
💬 "Which is configured on a router interface and filters packets based on IP address and port with no connection tracking?" → ACL (Access Control List) — stateless packet filtering
💬 "A firewall rule allows HTTPS (443) inbound but a user reports they cannot browse the web. The firewall logs show outbound traffic is being blocked. What is the most likely cause?" → The outbound allow rule is missing — the firewall is blocking the return traffic. Either add an outbound allow rule or verify the firewall is stateful and tracking the connection.

Key Takeaways

A firewall monitors network traffic and allows or blocks it based on rules involving IP addresses, ports, and protocols.
Implicit deny — traffic not matching any allow rule is blocked by default. This is the foundational principle of firewall security.
Stateless firewalls evaluate each packet independently. Stateful firewalls track connection state and understand context — far more secure.
Host-based firewalls protect one device (e.g. Windows Defender Firewall). Network firewalls protect all devices behind them at the perimeter.
Rules are processed in order — the first matching rule wins. Order matters enormously.
Windows Defender Firewall has three profiles: Domain, Private, and Public — Public is the most restrictive.
Block port 23 (Telnet) and use port 22 (SSH) instead — Telnet sends credentials in plaintext, SSH encrypts them.
NGFW = deep packet inspection at Layer 7 — application-aware, user-aware, IPS-integrated.
IDS = passive monitoring and alerts only. IPS = inline, actively blocks malicious traffic.
A DMZ isolates public-facing servers — if compromised, attackers can't reach the internal network.
WAF protects web applications from SQL injection, XSS, and other Layer 7 attacks.
