What Is a Firewall and How Does It Work
A beginner-friendly explanation of firewalls, how they filter traffic, and why every network needs one.
A firewall is a network security device or software that monitors incoming and outgoing traffic and decides whether to allow or block specific packets based on a defined set of rules. Think of it as a security guard at a building entrance: it checks credentials and only lets authorized visitors through.
Firewalls sit between your trusted internal network and untrusted external networks (typically the internet). Every packet of data that tries to cross that boundary gets inspected against the firewall's ruleset.
Packet filtering firewalls are the simplest type. They examine each packet's source IP, destination IP, port number, and protocol. If the packet matches an allow rule, it passes. If it matches a deny rule or no rule at all, it gets dropped. These are fast, but each packet is judged on its headers alone, with no view of the connection it belongs to.
Stateful inspection firewalls track the state of active connections. Instead of evaluating each packet in isolation, they understand whether a packet belongs to an established, legitimate session. This makes them significantly more secure than simple packet filters because an attacker cannot just craft a packet that looks like a reply to a conversation that never happened.
Next-generation firewalls (NGFWs) combine traditional firewall capabilities with application-layer inspection, intrusion prevention, and threat intelligence feeds. They can identify and control applications regardless of port, detect malware in transit, and enforce policies based on user identity rather than just IP address.
Web application firewalls (WAFs) specifically protect web applications by filtering HTTP/HTTPS traffic. They defend against attacks like SQL injection, cross-site scripting (XSS), and other OWASP Top 10 threats.
Firewall rules follow a top-down evaluation order. The firewall reads rules from first to last and applies the first matching rule. A typical rule specifies: source address, destination address, port, protocol, and action (allow or deny).
Best practice is to follow a "default deny" posture. Start by blocking everything, then create specific allow rules only for traffic you explicitly need. This is far more secure than starting wide open and trying to block known-bad traffic.
The biggest mistake practitioners make is rule bloat. Over months and years, administrators add rules to fix immediate problems without removing old ones. Eventually, nobody knows what half the rules do, and removing any of them feels risky. Schedule quarterly rule reviews. If a rule has zero hits over 90 days, investigate whether it is still needed.
Another frequent error is writing overly broad rules. A rule that permits "any source to any destination on any port" defeats the purpose of having a firewall. Be as specific as possible about source, destination, and port.
Failing to log denied traffic is also common. Denied packets tell you what is trying to reach your network. That data feeds threat intelligence and helps you spot reconnaissance activity.
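The ideas above (top-down first-match evaluation, default deny, state tracking of replies, hit counters for rule reviews, and logging of denied packets) fit in a small simulator. This is an added example, not code from the article or from CDA; the Packet, Rule and Firewall names and the sample addresses are constructed for illustration.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# A constructed packet: only the header fields a packet filter looks at.
Packet = namedtuple("Packet", "src dst sport dport proto")

@dataclass
class Rule:
    src: str            # CIDR or "any"
    dst: str            # CIDR or "any"
    dport: Optional[int]  # None means any port
    proto: str          # "tcp", "udp" or "any"
    action: str         # "allow" or "deny"
    hits: int = 0       # hit counter, the input to a quarterly rule review

    def matches(self, p):
        in_net = lambda spec, a: spec == "any" or ip_address(a) in ip_network(spec)
        return (in_net(self.src, p.src) and in_net(self.dst, p.dst)
                and self.dport in (None, p.dport) and self.proto in ("any", p.proto))

class Firewall:
    def __init__(self, rules):
        self.rules, self.flows, self.deny_log = rules, set(), []

    def evaluate(self, p):
        # Stateful shortcut: a reply to a flow this firewall allowed earlier passes;
        # a forged "reply" to a flow that never existed gets no such credit.
        if (p.dst, p.src, p.sport, p.proto) in self.flows:
            return "allow"
        for rule in self.rules:                      # top-down, first match wins
            if rule.matches(p):
                rule.hits += 1
                if rule.action == "allow":
                    self.flows.add((p.src, p.dst, p.dport, p.proto))
                else:
                    self.deny_log.append(p)
                return rule.action
        self.deny_log.append(p)                      # default deny, and it is logged
        return "deny"

def demo():
    fw = Firewall([Rule("10.0.0.0/8", "any", 443, "tcp", "allow"),   # LAN may reach HTTPS
                   Rule("any", "10.0.0.0/8", None, "any", "deny")])  # nothing inbound
    results = [fw.evaluate(Packet("10.0.0.5", "203.0.113.9", 51000, 443, "tcp")),  # allow (rule 1)
               fw.evaluate(Packet("203.0.113.9", "10.0.0.5", 443, 51000, "tcp")),  # allow (reply)
               fw.evaluate(Packet("198.51.100.7", "10.0.0.5", 443, 51001, "tcp")), # deny (rule 2)
               fw.evaluate(Packet("10.0.0.5", "203.0.113.9", 51002, 23, "tcp"))]   # deny (no rule)
    return results, len(fw.deny_log), [r.hits for r in fw.rules]
```

The third packet is the forged reply from the stateful-inspection paragraph: it looks like HTTPS return traffic, but no matching outbound flow exists, so it falls through to the ruleset and is denied and logged.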
Firewalls are foundational but not sufficient on their own. They work best as part of a layered defense strategy that includes endpoint protection, intrusion detection, network segmentation, and monitoring. A firewall cannot stop a phishing email that a user clicks, and it cannot detect an attacker who has already gained access to your internal network.
In CDA's Planetary Defense Model, firewalls fall under the Security Posture and Hygiene (SPH) domain. They represent one of the first controls you harden when building a security program from scratch. If you are just getting started, configuring your firewall correctly is one of the highest-impact actions you can take.
Written by CDA Wiki Team