What Is a Firewall?
A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on a defined set of rules. It acts as a barrier between a trusted internal network and untrusted external networks (like the internet), allowing legitimate traffic through while blocking threats. Pair it with a VPN for encrypted tunneling, and use our port scanner to verify which of your ports are visible from the internet.
Types of Firewalls
| Type | How It Works | OSI Layer | Typical Use |
|---|---|---|---|
| Packet Filter | Inspects IP/TCP/UDP headers; allows or denies based on rules | Layer 3–4 | Routers, basic network perimeter |
| Stateful Inspection (SPI) | Tracks connection state; only allows packets that match an established session | Layer 3–4 | Home routers, enterprise firewalls |
| Application Layer (WAF) | Inspects payload content for specific protocols (HTTP, DNS, SMTP) | Layer 7 | Web servers, API gateways |
| Next-Generation Firewall (NGFW) | Combines stateful inspection with DPI, IPS, and application awareness | Layer 3–7 | Enterprise security appliances |
| Host-based Firewall | Software running on the endpoint; controls per-process traffic | Layer 3–4 | Windows Defender Firewall, iptables, pf |
| Cloud Firewall (FWaaS) | Firewall delivered as a cloud service; inspects traffic before it reaches your network | Layer 3–7 | Cloudflare Gateway, Zscaler, AWS WAF |
Firewall Rule Concepts
Firewall rules are processed top-to-bottom in order of priority. Each rule specifies a source address, destination address, port/protocol, and action (allow, deny, or log). The final rule is typically an implicit deny-all that blocks anything not explicitly permitted.
Firewall vs VPN vs Antivirus
- A firewall controls which network connections are allowed; it does not encrypt traffic or hide your IP.
- A VPN encrypts your traffic and masks your IP; it does not inspect or filter connection attempts the way a firewall does. Run a VPN leak test to ensure your VPN is properly protecting your IP.
- Antivirus software scans file content and running processes for malware; it is complementary to, not a replacement for, a firewall.
- Defense-in-depth means using all three together: a firewall at the network perimeter, a VPN for encrypted tunneling, and antivirus on endpoints.
- Your home router already includes a basic stateful firewall; ensure it's enabled and configured to block unsolicited inbound connections. See our router security guide for settings to change.
How Stateful Inspection Works
The connection table
A stateful firewall keeps a live table of every connection crossing it: source and destination IP, port, protocol, and connection state. When you open a website, the outbound request creates a table entry; the reply packets match that entry and sail through. An unsolicited inbound packet matches nothing and is dropped. This single mechanism is why your home network can browse freely while remaining invisible to port scans, and why servers, which must accept unsolicited connections, need explicit allow rules instead.
Stateless filtering, by contrast
A stateless packet filter judges every packet in isolation against its rule list, with no memory of what came before. It is faster and simpler, and still used in router ACLs and some cloud network rules, but it cannot tell a legitimate reply from an attacker's forged "reply", which is exactly the gap stateful tracking closed.
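To make the difference between the two sections above concrete, here is an added example (not code from the original page or any real firewall product) that simulates both filters over a handful of constructed packets: a stateless filter that must let every inbound packet with source port 443 through to admit web replies at all, and a stateful tracker that only admits inbound packets matching the reverse of an entry it created. All addresses are from documentation ranges and are constructed for the demo.

```python
"""Added example: a minimal stateful connection tracker beside a stateless
filter. Packets and addresses are constructed; nothing here is a real product."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    direction: str = "out"   # "out" = leaving the LAN, "in" = arriving from the internet


def stateless_filter(pkt: Packet) -> str:
    """Judges each packet on its own headers, with no memory of earlier packets.

    To let HTTPS replies reach LAN hosts it has to permit every inbound packet
    whose source port is 443, which a forged "reply" satisfies just as well."""
    if pkt.direction == "out":
        return "ALLOW"
    if pkt.src_port == 443:
        return "ALLOW"
    return "DROP"


class StatefulFirewall:
    """Keeps a connection table of 5-tuples initiated from inside the LAN."""

    def __init__(self) -> None:
        self.table: set = set()

    def handle(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if pkt.direction == "out":
            self.table.add(key)          # outbound request creates the entry
            return "ALLOW"
        # Inbound: allowed only if it is the exact reverse of a known entry
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "ALLOW" if reverse in self.table else "DROP"


def demo() -> dict:
    """Runs the same constructed packets through both filters.

    Returns {name: (stateless_verdict, stateful_verdict)}."""
    fw = StatefulFirewall()
    lan_host, web_server, attacker = "192.168.1.10", "192.0.2.80", "198.51.100.7"
    packets = [
        # the LAN host opens a website
        ("request", Packet(lan_host, 51000, web_server, 443, direction="out")),
        # the genuine reply, reverse of the request
        ("reply", Packet(web_server, 443, lan_host, 51000, direction="in")),
        # a forged "reply" from elsewhere, source port 443 to look legitimate
        ("forged_reply", Packet(attacker, 443, lan_host, 51000, direction="in")),
        # an unsolicited probe at the file-sharing port
        ("port_scan", Packet(attacker, 40000, lan_host, 445, direction="in")),
    ]
    results = {}
    for name, pkt in packets:
        results[name] = (stateless_filter(pkt), fw.handle(pkt))
    return results


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:13s} stateless={verdicts[0]:5s} stateful={verdicts[1]}")
```

The forged reply is the telling row: the stateless filter cannot distinguish it from the real one because it has only the headers in front of it, while the stateful tracker drops it because no LAN host ever opened a connection to that address. Real firewalls also age entries out of the table and track TCP flags, which this toy omits.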
Enabling the Firewall You Already Have
| Platform | Where to Enable It |
|---|---|
| Windows 10/11 | Settings → Privacy & security → Windows Security → Firewall & network protection; confirm all three profiles (Domain, Private, Public) are On |
| macOS | System Settings → Network → Firewall → toggle On; "Stealth Mode" under Options additionally ignores pings and probes |
| Linux | `sudo ufw enable` (Ubuntu/Debian); the default policy denies inbound and allows outbound, and `sudo ufw allow 22/tcp` opens a port deliberately |
| Home router | Admin panel → Security or Firewall section; the SPI firewall should be enabled by default; see the router hardening guide |
Then verify from outside: run the port scanner against your public IP. Every port should report closed or filtered unless you deliberately opened it; what each state means is covered in the open ports FAQ.
Reading a Simple Ruleset
| # | Source | Destination | Port/Protocol | Action | Effect |
|---|---|---|---|---|---|
| 1 | 192.168.1.0/24 | any | any | ALLOW | LAN devices may initiate anything outbound |
| 2 | any | 192.168.1.20 | 443/tcp | ALLOW | Internet may reach the web server on HTTPS only |
| 3 | 203.0.113.0/24 | any | any | DENY + LOG | Known-hostile range blocked and recorded |
| 4 | any | any | any | DENY | Implicit default; everything not matched above is dropped |
Order is everything: packets take the first matching rule, so a careless broad ALLOW above rule 3 would neutralise the block entirely. The source/destination columns are written in CIDR notation.
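The following added example (my own code, not from the original page) implements the top-to-bottom, first-match evaluation described under "Firewall Rule Concepts" over the exact four rules in the table above, using Python's standard `ipaddress` module for the CIDR matching. The sample packets are constructed; `careless_reorder()` reproduces the warning about a broad ALLOW placed above rule 3.

```python
"""Added example: first-match evaluation of the page's four-rule table.
Rules are the page's; the packets are constructed for the demo."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR (or single address) or "any"
    dst: str              # CIDR (or single address) or "any"
    port: Optional[int]   # destination port, None = any
    proto: Optional[str]  # "tcp"/"udp", None = any
    action: str           # "ALLOW" or "DENY"
    log: bool = False     # the table's "DENY + LOG"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str


def _in_net(ip: str, spec: str) -> bool:
    """CIDR membership; a bare address is treated as a /32."""
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_in_net(pkt.src_ip, rule.src)
            and _in_net(pkt.dst_ip, rule.dst)
            and (rule.port is None or rule.port == pkt.dst_port)
            and (rule.proto is None or rule.proto == pkt.proto))


class Ruleset:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)
        self.log: list = []

    def evaluate(self, pkt: Packet) -> Tuple[int, str]:
        """Returns (rule number, action) of the first matching rule, 1-based."""
        for number, rule in enumerate(self.rules, start=1):
            if rule_matches(rule, pkt):
                if rule.log:
                    self.log.append((number, pkt))
                return number, rule.action
        return 0, "DENY"   # safety net; rule 4 already makes this unreachable


# The page's table, rule for rule
PAGE_RULES = [
    Rule("192.168.1.0/24", "any", None, None, "ALLOW"),
    Rule("any", "192.168.1.20", 443, "tcp", "ALLOW"),
    Rule("203.0.113.0/24", "any", None, None, "DENY", log=True),
    Rule("any", "any", None, None, "DENY"),
]


def evaluate_samples(rules: List[Rule]) -> Tuple[dict, int]:
    """Runs constructed packets through a ruleset; returns verdicts and log count."""
    fw = Ruleset(rules)
    samples = {
        "lan_dns": Packet("192.168.1.10", "8.8.8.8", 53, "udp"),
        "inet_https": Packet("198.51.100.7", "192.168.1.20", 443, "tcp"),
        "inet_ssh": Packet("198.51.100.7", "192.168.1.20", 22, "tcp"),
        "hostile_ssh": Packet("203.0.113.9", "192.168.1.20", 22, "tcp"),
        "hostile_https": Packet("203.0.113.9", "192.168.1.20", 443, "tcp"),
    }
    return {name: fw.evaluate(p) for name, p in samples.items()}, len(fw.log)


def careless_reorder() -> Tuple[dict, int]:
    """A broad ALLOW slipped in above rule 3: the hostile block never fires."""
    careless = PAGE_RULES[:2] + [Rule("any", "any", None, None, "ALLOW")] + PAGE_RULES[2:]
    return evaluate_samples(careless)


if __name__ == "__main__":
    for label, run in (("as written", evaluate_samples(PAGE_RULES)),
                       ("careless ALLOW above rule 3", careless_reorder())):
        verdicts, logged = run
        print(f"{label}: logged={logged}")
        for name, (num, action) in verdicts.items():
            print(f"  {name:14s} rule {num} {action}")
```

Two things the run makes visible. First, the hostile-range packet aimed at port 443 is accepted by rule 2 before rule 3 is ever consulted, so it is neither blocked nor logged; if the block is meant to win for that range, rule 3 belongs above rule 2. Second, the careless any/any ALLOW turns every packet that used to fall through to rules 3 and 4 into an allow and empties the log, which is the failure the paragraph above describes.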
What This Means for You
You are almost certainly behind two firewalls right now, your router's SPI firewall and your operating system's, and the practical job is simply not to undermine them. That means leaving them enabled, being deliberate about every port you forward or "allow" prompt you accept, and disabling UPnP so applications cannot punch holes silently. The OS firewall earns its keep the moment your laptop leaves home: on public Wi-Fi there is no router protecting you, and the host firewall is the only thing standing between your file shares and the stranger two tables away.
Frequently Asked Questions
Do I need a firewall if I have a VPN?
Yes; they solve different problems. A VPN encrypts traffic you choose to send and hides your IP; a firewall decides which connections may exist at all, including blocking inbound attacks and unauthorised outbound traffic from malware. Defence-in-depth uses both, and they never conflict.
Does a firewall slow down my internet?
Not noticeably for home use. Stateful inspection of a household's traffic is trivial work for modern router and laptop CPUs. Only deep-packet-inspection features on very fast connections, or antique routers pushed past their rating, introduce measurable slowdowns.
Why does Windows Firewall keep asking me to allow apps?
The prompt appears when a program wants to accept inbound connections, that is, to act as a server. For games, video calls, and file sync this is normal and safe to allow on private networks. Decline for software you don't recognise; each "Allow" creates a permanent inbound rule for that app.