Topic Overview

Firewall Rules & ACLs

Learn firewall rules and Access Control Lists (ACLs) for network security, packet filtering, and access control.


Firewalls and ACLs (Access Control Lists) control network traffic by allowing or blocking packets based on rules. They are essential for network security.


What are Firewalls?

A firewall is a network security device that:

  • Filters traffic: Allows or blocks packets
  • Enforces policies: Implements security rules
  • Protects networks: Prevents unauthorized access
  • Monitors traffic: Logs and alerts on suspicious activity

Types:

  • Packet-filtering firewall: Filters based on headers
  • Stateful firewall: Tracks connection state
  • Application firewall: Filters at application layer

Firewall Rules

Firewall rules define what traffic is allowed or blocked.

Rule format:

Action: ALLOW or DENY
Source: IP address/range
Destination: IP address/range
Protocol: TCP, UDP, ICMP
Port: Port number/range

Example:

ALLOW: 192.168.1.0/24 → 10.0.0.1:80 (TCP)
DENY: 0.0.0.0/0 → 10.0.0.1:22 (TCP)

ACL (Access Control List)

An ACL is an ordered list of rules that controls access.

Types:

  • Standard ACL: Based on source IP
  • Extended ACL: Based on source, destination, protocol, port

Rule order matters: First match wins
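As an added example (not code from the original page), the rule format and the first-match-wins order above, implemented as an ordered ACL with CIDR matching so the page's 192.168.1.0/24 and 0.0.0.0/0 rules can be expressed, and with an implicit default deny when nothing matches. The type names (AclRule, Packet) and the sample packets are constructed for this example.

```typescript
// Added example (not from the original page): an ordered ACL with CIDR matching,
// first-match-wins evaluation and an implicit default deny when nothing matches.
type Action = 'ALLOW' | 'DENY';
type Proto = 'TCP' | 'UDP' | 'ICMP' | 'ALL';
interface AclRule { action: Action; src: string; dst: string; proto: Proto; port?: number; } // no port = any port
interface Packet { src: string; dst: string; proto: Proto; dstPort: number; }

// Dotted-quad IPv4 address to an unsigned 32-bit integer
function ipToInt(ip: string): number {
  return ip.split('.').reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

// Is `ip` inside `cidr` (e.g. "192.168.1.0/24")? A bare address is treated as /32.
function inCidr(ip: string, cidr: string): boolean {
  const [net, bitsStr] = cidr.split('/') as [string, string?];
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0; // /0 handled separately: JS shifts mod 32
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

function ruleMatches(rule: AclRule, pkt: Packet): boolean {
  return inCidr(pkt.src, rule.src) && inCidr(pkt.dst, rule.dst)
    && (rule.proto === 'ALL' || rule.proto === pkt.proto)
    && (rule.port === undefined || rule.port === pkt.dstPort);
}

// Walk the ACL in order; the first matching rule decides. A packet matching no rule is denied.
function evaluate(acl: AclRule[], pkt: Packet): Action {
  for (const rule of acl) if (ruleMatches(rule, pkt)) return rule.action;
  return 'DENY';
}

// The page's three-rule example
const allowWeb: AclRule = { action: 'ALLOW', src: '192.168.1.0/24', dst: '10.0.0.1', proto: 'TCP', port: 80 };
const denySsh: AclRule = { action: 'DENY', src: '0.0.0.0/0', dst: '10.0.0.1', proto: 'TCP', port: 22 };
const denyAll: AclRule = { action: 'DENY', src: '0.0.0.0/0', dst: '0.0.0.0/0', proto: 'ALL' };
const goodAcl: AclRule[] = [allowWeb, denySsh, denyAll];     // specific rules first, catch-all last
const shadowedAcl: AclRule[] = [denyAll, allowWeb, denySsh]; // catch-all first: it shadows the ALLOW

// Constructed sample packets
const webFromLan: Packet = { src: '192.168.1.42', dst: '10.0.0.1', proto: 'TCP', dstPort: 80 };
const sshFromInternet: Packet = { src: '203.0.113.7', dst: '10.0.0.1', proto: 'TCP', dstPort: 22 };
```

Evaluating `webFromLan` against `goodAcl` returns ALLOW, while the same packet against `shadowedAcl` returns DENY: the catch-all placed first is the rule-order pitfall in action.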


Stateless vs Stateful Firewalls

Stateless Firewall

Filters each packet independently:

Packet 1: Check rules → Allow/Deny
Packet 2: Check rules → Allow/Deny
(No memory of previous packets)

Rules:

ALLOW: 192.168.1.100 → 10.0.0.1:80 (TCP)

Problem: Must allow both directions explicitly

Stateful Firewall

Tracks connection state:

Connection established: Allow return traffic automatically
Packet 1: Outbound → Allow, remember connection
Packet 2: Inbound (response) → Allow (part of connection)

Benefits:

  • Automatic return traffic
  • Better security
  • Connection tracking
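An added example, not from the original page, of the connection tracking just described (it also walks through the outbound/inbound exchange used in the Intermediate interview answer below): the flow table is keyed so that request and reply map to the same entry, inbound packets can only match an existing entry, and idle entries expire. The names (StatefulFilter, Flow), the idle timeout value and the sample flows are assumptions made for this example.

```typescript
// Added example (not from the original page): a stateful filter with a connection table, so
// replies to an allowed outbound connection pass without an explicit return rule.
type Dir = 'OUT' | 'IN';
interface Flow { srcIp: string; srcPort: number; dstIp: string; dstPort: number; proto: 'TCP' | 'UDP'; }
interface Rule { dstIp: string; dstPort: number; proto: 'TCP' | 'UDP'; } // outbound ALLOW rules, exact match

class StatefulFilter {
  private table = new Map<string, number>(); // flow key -> last-seen time in ms
  constructor(private rules: Rule[], private idleTimeoutMs = 60000) {} // timeout is an assumed value

  // Direction-independent key: a reply has src/dst swapped, so order the two endpoints
  private key(f: Flow): string {
    const a = `${f.srcIp}:${f.srcPort}`, b = `${f.dstIp}:${f.dstPort}`;
    return a < b ? `${f.proto}|${a}|${b}` : `${f.proto}|${b}|${a}`;
  }

  // Stateless check: the rule list only, no memory of earlier packets
  matchesRule(f: Flow): boolean {
    return this.rules.some(r => r.dstIp === f.dstIp && r.dstPort === f.dstPort && r.proto === f.proto);
  }

  // Stateful check; `now` is passed in so the example is deterministic
  filter(f: Flow, dir: Dir, now: number): boolean {
    const k = this.key(f);
    const lastSeen = this.table.get(k);
    if (lastSeen !== undefined) {
      if (now - lastSeen <= this.idleTimeoutMs) { this.table.set(k, now); return true; } // established
      this.table.delete(k); // idle too long: state expired, fall through to the rules
    }
    if (dir === 'OUT' && this.matchesRule(f)) { this.table.set(k, now); return true; } // new connection
    return false; // unsolicited inbound, or no matching rule: default deny
  }
}

// Constructed sample traffic: a LAN client talking to the web server from the page's example
const fw = new StatefulFilter([{ dstIp: '10.0.0.1', dstPort: 80, proto: 'TCP' }]);
const request: Flow = { srcIp: '192.168.1.100', srcPort: 5000, dstIp: '10.0.0.1', dstPort: 80, proto: 'TCP' };
const reply: Flow = { srcIp: '10.0.0.1', srcPort: 80, dstIp: '192.168.1.100', dstPort: 5000, proto: 'TCP' };
const unsolicited: Flow = { srcIp: '10.0.0.1', srcPort: 80, dstIp: '192.168.1.100', dstPort: 6000, proto: 'TCP' };

function demo(): boolean[] { // one packet decision per entry, in order
  return [
    fw.filter(request, 'OUT', 1000),     // true: allowed by rule, connection tracked
    fw.filter(reply, 'IN', 1050),        // true: reply of a tracked connection, no return rule needed
    fw.matchesRule(reply),               // false: a stateless filter would need an explicit return rule
    fw.filter(unsolicited, 'IN', 1100),  // false: no connection, and inbound packets cannot open one
    fw.filter(reply, 'IN', 62050),       // false: idle timeout passed, the entry has expired
  ];
}
```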

Examples

Firewall Rules

interface FirewallRule {
  action: 'ALLOW' | 'DENY';
  source: string;
  destination: string;
  protocol: string;
  port: number;
}

class Firewall {
  private rules: FirewallRule[] = [];

  addRule(action: 'ALLOW' | 'DENY', source: string, dest: string, protocol: string, port: number): void {
    this.rules.push({ action, source, destination: dest, protocol, port }); // evaluated in insertion order
  }

  // First matching rule decides; a packet that matches no rule is denied (default deny)
  filterPacket(source: string, dest: string, protocol: string, port: number): boolean {
    for (const rule of this.rules) {
      if (rule.source === source && rule.destination === dest && rule.protocol === protocol && rule.port === port) {
        return rule.action === 'ALLOW';
      }
    }
    return false;
  }
}

Stateful Firewall

interface Packet { srcIp: string; srcPort: number; dstIp: string; dstPort: number; protocol: string; }

interface Connection {
  state: string;
  timestamp: number;
}

class StatefulFirewall {
  private rules: FirewallRule[] = []; // FirewallRule as defined above
  private connections: Map<string, Connection> = new Map(); // Track connections

  filterPacket(packet: Packet): boolean {
    // Filter with connection tracking: check first whether the packet is part of an existing connection
    const connectionKey = this.getConnectionKey(packet);
    if (this.connections.has(connectionKey)) return true; // Return traffic of a tracked connection
    const allowed = this.rules.find(r => r.source === packet.srcIp && r.destination === packet.dstIp && r.protocol === packet.protocol && r.port === packet.dstPort)?.action === 'ALLOW';
    if (allowed) this.connections.set(connectionKey, { state: 'ESTABLISHED', timestamp: Date.now() }); // Remember new connection
    return allowed; // No matching rule: default deny
  }

  // Same key for both directions, so the reply is matched to the outbound packet that opened the connection
  private getConnectionKey(p: Packet): string {
    const a = `${p.srcIp}:${p.srcPort}`, b = `${p.dstIp}:${p.dstPort}`;
    return a < b ? `${p.protocol}|${a}|${b}` : `${p.protocol}|${b}|${a}`;
  }
}

Common Pitfalls

  • Rule order: A wrong order produces unintended allows or denies. Fix: Order rules carefully (specific first, general last)
  • Default deny: Without a default deny, unmatched traffic gets through. Fix: Default deny, explicit allow
  • Stateful rules: Not tracking connection state properly. Fix: Use a stateful firewall and track connections
  • Too permissive: Allowing more than needed. Fix: Principle of least privilege

Interview Questions

Beginner

Q: What is a firewall and how do firewall rules work?

A:

A firewall is a network security device that filters traffic based on rules.

How rules work:

  • Rules define: What traffic is allowed or blocked
  • Rule format: Action, source, destination, protocol, port
  • Rule order: First match wins

Example:

Rule 1: ALLOW 192.168.1.0/24 → 10.0.0.1:80 (TCP)
Rule 2: DENY 0.0.0.0/0 → 10.0.0.1:22 (TCP)
Rule 3: DENY 0.0.0.0/0 → 0.0.0.0/0 (ALL)  # Default deny

Types:

  • Stateless: Filters each packet independently
  • Stateful: Tracks connection state

Benefits:

  • Security: Prevent unauthorized access
  • Control: Control what traffic is allowed
  • Monitoring: Log and alert on suspicious activity

Intermediate

Q: Explain the difference between stateless and stateful firewalls. How does connection tracking work?

A:

Stateless Firewall:

Filters each packet independently:

Packet 1: Check rules → Allow/Deny
Packet 2: Check rules → Allow/Deny
(No memory of previous packets)

Rules:

ALLOW: 192.168.1.100 → 10.0.0.1:80 (TCP)
ALLOW: 10.0.0.1:80 → 192.168.1.100 (TCP)  # Must allow return

Problem: Must allow both directions explicitly

Stateful Firewall:

Tracks connection state:

Connection established: Allow return traffic automatically

How it works:

  1. Outbound packet: Check rules, if allowed, track connection
  2. Inbound packet: Check if part of established connection
  3. Allow automatically: If part of connection

Example:

Outbound: 192.168.1.100:5000 → 10.0.0.1:80
  Check rules → Allow
  Track connection: (192.168.1.100:5000, 10.0.0.1:80)

Inbound: 10.0.0.1:80 → 192.168.1.100:5000
  Check connection table → Part of connection
  Allow automatically (no rule needed)

Benefits:

  • Automatic return traffic: Don't need explicit return rules
  • Better security: Only allow established connections
  • Connection tracking: Know connection state

Senior

Q: Design a firewall system for a large network that handles millions of packets per second. How do you optimize rule matching, implement stateful inspection, and ensure performance?

A:

// 1. Optimized Rule Matching: rules indexed by destination port, so a lookup only scans that bucket
class RuleEngine { // FirewallRule, Packet and Connection are the types defined in the examples above
  private ruleTree: Map<number, FirewallRule[]> = new Map(); // Index structure for fast lookup
  addRule(rule: FirewallRule): void {
    const bucket = this.ruleTree.get(rule.port) ?? [];
    bucket.push(rule); // insertion order is preserved inside a bucket: first match wins
    this.ruleTree.set(rule.port, bucket);
  }
  match(packet: Packet): boolean {
    const rule = (this.ruleTree.get(packet.dstPort) ?? []).find(r => r.protocol === packet.protocol && r.destination === packet.dstIp);
    return rule?.action === 'ALLOW'; // no match: default deny
  }
}
class ConnectionTracker { // 2. Stateful Inspection: connection table keyed by flow, as in StatefulFirewall above
  private connections: Map<string, Connection> = new Map();
  has(key: string): boolean { return this.connections.has(key); }
  track(key: string): void { this.connections.set(key, { state: 'ESTABLISHED', timestamp: Date.now() }); }
}
class HighPerformanceFirewall {
  private ruleEngine = new RuleEngine();
  private connectionTracker = new ConnectionTracker();
  process(packet: Packet, flowKey: string): boolean { // 3. Performance: the per-packet path that is parallelized across cores or offloaded to hardware
    if (this.connectionTracker.has(flowKey)) return true; // established connection: no rule lookup needed
    const allowed = this.ruleEngine.match(packet);
    if (allowed) this.connectionTracker.track(flowKey);
    return allowed;
  }
}

Features:

  1. Rule tree: Fast O(log n) rule matching
  2. Connection tracking: Stateful inspection
  3. Performance: Hardware acceleration, parallel processing

Related Topics

  • OSI Model (7 Layers) - Firewalls operate at different OSI layers, understanding the model helps configure firewall rules

  • NAT & PAT - Firewalls often implement NAT, understanding NAT helps configure firewall rules

  • Subnetting & CIDR - Firewalls use subnet masks to define network boundaries, understanding subnetting helps configure firewall rules

  • TCP vs UDP - Firewalls filter by protocol, understanding TCP/UDP helps configure firewall rules

  • Load Balancers (L4 vs L7) - Firewalls can function as load balancers, understanding load balancers helps configure firewall behavior

Key Takeaways

Firewall: Network security device that filters traffic

Firewall rules: Define what traffic is allowed/blocked

ACL: Access Control List, list of rules

Stateless: Filters each packet independently

Stateful: Tracks connection state, allows return traffic automatically

Rule order: First match wins, order matters

Best practices: Default deny, specific rules first, use stateful firewall


About the author

InterviewCrafted helps you master system design with patience. We believe in curiosity-led engineering, reflective writing, and designing systems that make future changes feel calm.