What Is a Firewall? The Checkpoint for Network Traffic
A firewall decides which network traffic is allowed and which is blocked. A beginner-friendly guide to how firewalls work, the main types, and what they can and cannot protect.
Picture the security desk in the lobby of a busy office building. Everyone who wants to get in has to walk past it. The guard has a list of who is allowed where, checks each person against it, and waves through the ones who belong while turning away the ones who do not. Nobody strolls straight up to the executive floor just because they made it through the front revolving door. That desk, quietly doing its job all day, is almost exactly what a firewall is for a computer network.
A firewall is one of the oldest and most fundamental security controls, and the mental model really is that simple. It is a checkpoint that decides which network traffic gets through and which is turned away. In this guide we will walk through how firewalls work in plain language, the main types you will hear about, the two directions they filter, and, just as important, the things they cannot do so you do not lean on them for protection they were never built to give.
First, what is network traffic?
Before we talk about the checkpoint, it helps to know what is being checked. Every device on a network (your laptop, your phone, a web server in a data centre) constantly sends and receives little bundles of data called packets. A packet is like an envelope. It has an address on the outside saying where it came from and where it is going, and it carries a small piece of the actual message inside. A single web page can be delivered as thousands of these envelopes, reassembled at the other end.
If you would like the groundwork on addresses, ports, and protocols before going further, our networking basics guide covers them gently. The short version is enough for now, so let us keep moving.
The core idea
A firewall sits directly in the path of that traffic, like the guard sitting between the front door and the lifts. For each connection that tries to pass, it applies a set of rules to decide whether to allow it or block it. A rule is just an instruction written in advance, such as "let web traffic reach this server" or "never let anyone from the internet reach the file sharing service". Rules are usually based on three things:
- Source and destination address: where the traffic is coming from and going to. An address is the numeric label that identifies a device on a network, a bit like a street address for a house.
- Port: which service the traffic is trying to reach. Ports are numbered doors on a device, and each common service tends to sit behind a well known door number. Encrypted web traffic (HTTPS) uses port 443, for example, and plain HTTP uses port 80. Ports identify services, which is covered more in networking basics.
- Protocol: the kind of traffic, such as TCP or UDP. Think of these as different styles of conversation. TCP is careful and confirms every message was received, while UDP is quick and fire-and-forget.
Put together, the whole process is refreshingly straightforward.
Traffic arrives -> firewall checks the rules -> ALLOW or BLOCK
The firewall reads the envelope, compares it to the rule list, and makes a decision in a fraction of a millisecond. It does this for every single connection, all day, without getting tired or distracted, which is exactly why we hand the job to software rather than a human guard.
Default deny is the golden rule
A well configured firewall blocks everything by default and only allows what is explicitly needed. This is called default deny. It is far safer than allowing everything and trying to block the bad, because you cannot block threats you have not thought of yet. A guard with a short list of who may enter is safer than a guard with a long list of who may not, because the second list can never be complete.
Here is the same idea as a tiny rule list, to make it concrete. Read from top to bottom, the firewall stops at the first rule that matches. Most firewalls, including iptables and nftables on Linux, evaluate rules this way, so the order of the lines matters: a broad ALLOW placed above a narrow DENY would win.
ALLOW any -> web server port 443 (public website)
ALLOW office ip -> web server port 22 (SSH, staff only)
DENY any -> anything any (block the rest)
That final "block the rest" line is default deny in action. Anything not explicitly permitted above it falls through and is turned away. In many firewalls this final deny is implicit, the default policy of the rule chain, but writing it out makes the intent impossible to miss.
The main types
Firewalls have grown more capable over the decades, and you will hear a few names thrown around. Here is what they actually mean.
- Packet filtering is the simplest and oldest approach. It judges each packet on its address and port in isolation, like a guard who checks each person's badge but has no memory of who walked in a moment ago. It is fast and light, but a bit naive.
- Stateful inspection is smarter because it tracks whole connections rather than lone packets. State just means memory here. Because it remembers that you started a conversation with a website, it knows a returning packet genuinely belongs to that conversation and lets it back in, while blocking unexpected traffic that nobody asked for. This is the standard for most firewalls today.
- Next generation firewalls look deeper still. They can understand which application a connection belongs to, not just which port it uses, so they can tell the difference between ordinary web browsing and a file transfer even when both travel over the same port. They often bundle in intrusion prevention, which watches for the signatures of known attacks and blocks them on the spot.
Why application awareness matters
Older firewalls trusted the door number. If traffic arrived on the web port, it was assumed to be web traffic. Attackers learned to disguise other activity as web traffic to slip through. A next generation firewall inspects the actual behaviour of a connection, so hiding malicious traffic behind an allowed port is much harder. It is the difference between a guard who checks badges and one who also notices when someone is acting oddly. One caveat: when the traffic is encrypted, as most web traffic now is, the firewall can see far less of that behaviour unless it is deliberately set up to decrypt and re-encrypt connections, which brings its own costs and privacy questions.
Firewalls also come in two placements, and both are useful.
- Network firewalls guard the boundary between networks, such as between your office and the wider internet. This is the classic front gate, protecting many devices at once.
- Host firewalls run on an individual device and control only that one machine's traffic. Your laptop almost certainly has one built in, whether it runs Windows, macOS or Linux. It is like each office having its own lockable door in addition to the guard downstairs.
Using both together is a good habit. If the network firewall is ever bypassed or misconfigured, the host firewall on each device is still standing.
Ingress and egress
Here is a detail that many beginners miss. Firewalls filter traffic in both directions, and both directions matter. The jargon words are worth learning because you will see them everywhere.
- Ingress filtering controls what can come in. This is the obvious job, and it is what stops the internet from reaching services that should stay private. Blocking the Windows file sharing port (SMB, on TCP port 445) at the boundary, for example, is how you stop the kind of automatic spread from the internet seen in the EternalBlue attacks. It does not fix the vulnerable service itself, and once a worm is already inside the network it spreads from host to host, which is where patching and host firewalls come in.
- Egress filtering controls what can go out. It is often overlooked, and that is a shame, because it is quietly powerful. If a machine on your network is ever compromised, egress rules can stop it from "phoning home" to the attacker for instructions, or from quietly shipping your data out the door. Phoning home just means a piece of malware contacting the criminal who planted it.
Think of it this way. Ingress filtering keeps intruders out of the building. Egress filtering makes sure that if someone does get in, they cannot walk out again with the safe under their arm.
Do not forget the way out
Most people set up ingress rules carefully and leave outbound traffic wide open. Attackers count on exactly that. Restricting egress so that internal machines can only reach the destinations they genuinely need is one of the highest value, most underused firewall habits there is.
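The rule list from the default deny section, the connection memory described under stateful inspection, and the ingress and egress split above all come together in the following toy model. It is an added example written for this guide, not code from any real firewall product, and it models the decision logic only: a packet arrives with a direction, addresses, ports and protocol, the firewall first checks whether the packet belongs to a connection it already let open, then walks the rules top to bottom and stops at the first match, and anything that matches nothing is denied. The web server at 203.0.113.10, the office at 198.51.100.0/24, the internal hosts in 10.0.0.0/8 and the rule list are all constructed for the example, using documentation address ranges rather than real ones.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Toy model of a stateful, default-deny firewall. Added illustration only:
# not real firewall code, and every address and rule below is constructed
# for the example (documentation address ranges, not live hosts).


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = ingress (from the internet), "out" = egress (to the internet)
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    first: bool = True  # True for the packet that opens a flow (a TCP SYN, or the first UDP datagram)


@dataclass(frozen=True)
class Rule:
    direction: str
    src: str              # CIDR block or "any"
    dst: str
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None = any destination port
    action: str           # "ALLOW" or "DENY"
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and _within(p.src, self.src) and _within(p.dst, self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


def _within(addr: str, cidr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr)


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        # Connection table: (client, server, proto, server_port) for every flow we let open.
        self.state: set = set()

    def decide(self, p: Packet) -> Tuple[str, str]:
        # Stateful inspection: a packet that belongs to a flow we already allowed
        # passes straight through, in either direction, without re-walking the rules.
        if not p.first and self._known(p):
            return "ALLOW", "part of an established connection"
        # First match: walk the rules top to bottom and stop at the first hit.
        for r in self.rules:
            if r.matches(p):
                if r.action == "ALLOW" and p.first:
                    self.state.add((p.src, p.dst, p.proto, p.dport))
                return r.action, r.comment
        # Default deny: anything that fell through every rule is turned away.
        return "DENY", "default deny: no rule matched"

    def _known(self, p: Packet) -> bool:
        forward = (p.src, p.dst, p.proto, p.dport)   # same way round as the opening packet
        reverse = (p.dst, p.src, p.proto, p.sport)   # a reply travelling back the other way
        return forward in self.state or reverse in self.state


# Constructed rule list: a web server at 203.0.113.10 behind the firewall,
# an office at 198.51.100.0/24, and internal hosts in 10.0.0.0/8.
RULES = [
    Rule("in",  "any",             "203.0.113.10/32", "tcp", 443, "ALLOW", "public website"),
    Rule("in",  "198.51.100.0/24", "203.0.113.10/32", "tcp", 22,  "ALLOW", "SSH from the office only"),
    Rule("out", "10.0.0.0/8",      "any",             "udp", 53,  "ALLOW", "DNS lookups"),
    Rule("out", "10.0.0.0/8",      "any",             "tcp", 443, "ALLOW", "HTTPS to the internet"),
    # No final DENY line is needed: Firewall.decide() denies whatever falls through.
]


def run_scenarios() -> List[Tuple[str, str]]:
    """Push constructed packets through the firewall and return (label, action) pairs."""
    fw = Firewall(RULES)
    scenarios = [
        ("visitor opens HTTPS to the website",         Packet("in",  "192.0.2.5",    "203.0.113.10", "tcp", 51000, 443)),
        ("website replies to that visitor",            Packet("out", "203.0.113.10", "192.0.2.5",    "tcp", 443, 51000, first=False)),
        ("visitor tries SSH to the server",            Packet("in",  "192.0.2.5",    "203.0.113.10", "tcp", 51001, 22)),
        ("office staff open SSH to the server",        Packet("in",  "198.51.100.7", "203.0.113.10", "tcp", 51002, 22)),
        ("visitor probes the file sharing port (SMB)", Packet("in",  "192.0.2.5",    "203.0.113.10", "tcp", 51003, 445)),
        ("spoofed 'reply' that nobody asked for",      Packet("in",  "192.0.2.5",    "10.0.5.20",    "tcp", 443, 51004, first=False)),
        ("compromised host phones home on port 4444",  Packet("out", "10.0.5.20",    "192.0.2.99",   "tcp", 51005, 4444)),
        ("compromised host phones home over HTTPS",    Packet("out", "10.0.5.20",    "192.0.2.99",   "tcp", 51006, 443)),
    ]
    results = []
    for label, pkt in scenarios:
        action, why = fw.decide(pkt)
        results.append((label, action))
        print(f"{action:5}  {label:45}  ({why})")
    return results


if __name__ == "__main__":
    run_scenarios()
```

Run it and the last two lines are the ones to dwell on: the same compromised host is stopped when it tries port 4444 but waved through when it uses port 443, because this model, like any purely port-based rule, trusts the door number. That is the gap application-aware inspection tries to close, and it is why an egress allow list should name destinations as well as ports wherever the business can live with it. The spoofed "reply" line shows the other half of stateful inspection: a packet that claims to be a continuation of a conversation, but matches nothing in the connection table, falls back to the rules and is denied like any other unsolicited traffic.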
What a firewall does not do
This is the part that saves you from a false sense of safety. A firewall is genuinely valuable, but it has a narrow job, and understanding its limits is as important as understanding its strengths.
A firewall is a gate, not a guarantee
It controls traffic by rules, but it does not inspect the meaning of everything that flows through the ports you have opened. It will not stop a phishing email, malware downloaded over an allowed web connection, an attack against a service you have deliberately exposed, or a threat that is already inside. It is one layer, not the whole defence.
Let us make those limits concrete, because they are the traps people actually fall into.
A firewall cannot read your mind about intent. If you have opened the web port so people can visit your site, the firewall will happily let web traffic through, including a cleverly disguised attack aimed at that very site. The door is open because you asked for it to be open.
A firewall does not stop a person from making a mistake. If someone on your team receives a convincing email and types their password into a fake login page, no firewall rule was broken. The traffic looked completely ordinary. This is why phishing awareness matters so much alongside technical controls.
A firewall does little once the threat is already inside. If an attacker is running on a machine within your trusted network, a traditional firewall at the boundary may never even see their activity. This gap is a big part of why modern designs lean towards zero trust, where nothing inside the network is automatically trusted just for being inside.
The open port is your responsibility
Every port you open is a door you have chosen to leave unlocked, and the firewall will not second guess you. Before exposing any service to the internet, be sure it is patched, requires strong authentication, and genuinely needs to be reachable. The most common breaches are not clever firewall bypasses. They are services that never should have been exposed in the first place.
Where the firewall fits in your defences
No single control keeps you safe, and a firewall was never meant to. It works best as one layer in a stack of defences that back each other up, an approach often called defence in depth. A sensible layering looks like this:
Firewall -> controls which connections are even possible
Patching -> removes the flaws an allowed connection could exploit
Authentication -> proves who is on the other end (see multifactor auth)
User awareness -> stops the human tricks a firewall never sees
Each layer covers a weakness in the others. The firewall shrinks the number of ways in. Patching removes known holes in the services you do expose. Strong authentication, such as multifactor authentication, makes a stolen password far less useful. And a sceptical, well trained team closes the gap that no piece of software can, the human one.
The takeaway
A firewall is a checkpoint that allows or blocks network traffic based on rules about address, port, and protocol, and its guiding principle is default deny: permit only what is needed and turn away everything else. The types range from simple packet filtering, through the stateful inspection that remembers whole connections, to application aware next generation firewalls, and they run either at the network boundary or on individual hosts. They filter both incoming traffic, to keep intruders out, and outgoing traffic, to stop a compromised machine from calling home or leaking data.
Just as important, a firewall is a gate and not a guarantee. It will not catch phishing, malware over an allowed connection, an attack on a service you deliberately exposed, or a threat that is already inside. Treat it as one essential layer, then pair it with diligent patching, strong authentication, and a team that knows how to spot a trick. That combination, not any single tool, is what keeps a network safe.