← Back to networking

Networking Topic

Firewall Rules & ACLs

Learn firewall rules and Access Control Lists (ACLs) for network security, packet filtering, and access control.

Medium9 min read

Firewalls and ACLs (Access Control Lists) control network traffic by allowing or blocking packets based on rules. They are essential for network security.


What are Firewalls?

Firewall is a network security device that:

  • Filters traffic: Allows or blocks packets
  • Enforces policies: Implements security rules
  • Protects networks: Prevents unauthorized access
  • Monitors traffic: Logs and alerts on suspicious activity

Types:

  • Packet-filtering firewall: Filters based on headers
  • Stateful firewall: Tracks connection state
  • Application firewall: Filters at application layer

Firewall Rules

Firewall rules define what traffic is allowed or blocked.

Rule format:

Action: ALLOW or DENY
Source: IP address/range
Destination: IP address/range
Protocol: TCP, UDP, ICMP
Port: Port number/range

Example:

ALLOW: 192.168.1.0/24 → 10.0.0.1:80 (TCP)
DENY: 0.0.0.0/0 → 10.0.0.1:22 (TCP)

ACL (Access Control List)

ACL is a list of rules that control access.

Types:

  • Standard ACL: Based on source IP
  • Extended ACL: Based on source, destination, protocol, port

Rule order matters: First match wins


Stateless vs Stateful Firewalls

Stateless Firewall

Filters each packet independently:

Packet 1: Check rules → Allow/Deny
Packet 2: Check rules → Allow/Deny
(No memory of previous packets)

Rules:

ALLOW: 192.168.1.100 → 10.0.0.1:80 (TCP)

Problem: Must allow both directions explicitly

Stateful Firewall

Tracks connection state:

Connection established: Allow return traffic automatically
Packet 1: Outbound → Allow, remember connection
Packet 2: Inbound (response) → Allow (part of connection)

Benefits:

  • Automatic return traffic
  • Better security
  • Connection tracking

Examples

Firewall Rules

TypeScript
Python
Java
1

Stateful Firewall

TypeScript
Python
Java
1

Common Pitfalls

  • Rule order: Wrong order causes issues. Fix: Order rules carefully (specific first, general last)
  • Default deny: Not setting default deny allows unwanted traffic. Fix: Default deny, explicit allow
  • Stateful rules: Not tracking state properly. Fix: Use stateful firewall, track connections
  • Too permissive: Allowing too much. Fix: Principle of least privilege

Interview Questions

Beginner

Q: What is a firewall and how do firewall rules work?

A:

Firewall is a network security device that filters traffic based on rules.

How rules work:

  • Rules define: What traffic is allowed or blocked
  • Rule format: Action, source, destination, protocol, port
  • Rule order: First match wins

Example:

Rule 1: ALLOW 192.168.1.0/24 → 10.0.0.1:80 (TCP)
Rule 2: DENY 0.0.0.0/0 → 10.0.0.1:22 (TCP)
Rule 3: DENY 0.0.0.0/0 → 0.0.0.0/0 (ALL)  # Default deny

Types:

  • Stateless: Filters each packet independently
  • Stateful: Tracks connection state

Benefits:

  • Security: Prevent unauthorized access
  • Control: Control what traffic is allowed
  • Monitoring: Log and alert on suspicious activity

Intermediate

Q: Explain the difference between stateless and stateful firewalls. How does connection tracking work?

A:

Stateless Firewall:

Filters each packet independently:

Packet 1: Check rules → Allow/Deny
Packet 2: Check rules → Allow/Deny
(No memory of previous packets)

Rules:

ALLOW: 192.168.1.100 → 10.0.0.1:80 (TCP)
ALLOW: 10.0.0.1:80 → 192.168.1.100 (TCP)  # Must allow return

Problem: Must allow both directions explicitly

Stateful Firewall:

Tracks connection state:

Connection established: Allow return traffic automatically

How it works:

  1. Outbound packet: Check rules, if allowed, track connection
  2. Inbound packet: Check if part of established connection
  3. Allow automatically: If part of connection

Example:

Outbound: 192.168.1.100:5000 → 10.0.0.1:80
  Check rules → Allow
  Track connection: (192.168.1.100:5000, 10.0.0.1:80)

Inbound: 10.0.0.1:80 → 192.168.1.100:5000
  Check connection table → Part of connection
  Allow automatically (no rule needed)

Benefits:

  • Automatic return traffic: Don't need explicit return rules
  • Better security: Only allow established connections
  • Connection tracking: Know connection state

Senior

Q: Design a firewall system for a large network that handles millions of packets per second. How do you optimize rule matching, implement stateful inspection, and ensure performance?

A:

TypeScript
Python
Java
1

Features:

  1. Rule tree: Fast O(log n) rule matching
  2. Connection tracking: Stateful inspection
  3. Performance: Hardware acceleration, parallel processing

Key Takeaways

Firewall: Network security device that filters traffic

Firewall rules: Define what traffic is allowed/blocked

ACL: Access Control List, list of rules

Stateless: Filters each packet independently

Stateful: Tracks connection state, allows return traffic automatically

Rule order: First match wins, order matters

Best practices: Default deny, specific rules first, use stateful firewall

Keep exploring

Protocols make more sense in sequence. Pick the next topic in the hub when a concept still feels fuzzy.