Topic Overview
Firewall Rules & ACLs
Learn firewall rules and Access Control Lists (ACLs) for network security, packet filtering, and access control.
Firewalls and ACLs (Access Control Lists) control network traffic by allowing or blocking packets based on rules. They are essential for network security.
What are Firewalls?
Firewall is a network security device that:
- Filters traffic: Allows or blocks packets
- Enforces policies: Implements security rules
- Protects networks: Prevents unauthorized access
- Monitors traffic: Logs and alerts on suspicious activity
Types:
- Packet-filtering firewall: Filters based on headers
- Stateful firewall: Tracks connection state
- Application firewall: Filters at application layer
Firewall Rules
Firewall rules define what traffic is allowed or blocked.
Rule format:
Action: ALLOW or DENY
Source: IP address/range
Destination: IP address/range
Protocol: TCP, UDP, ICMP
Port: Port number/range
Example:
ALLOW: 192.168.1.0/24 → 10.0.0.1:80 (TCP)
DENY: 0.0.0.0/0 → 10.0.0.1:22 (TCP)
ACL (Access Control List)
ACL is a list of rules that control access.
Types:
- Standard ACL: Based on source IP
- Extended ACL: Based on source, destination, protocol, port
Rule order matters: First match wins
Stateless vs Stateful Firewalls
Stateless Firewall
Filters each packet independently:
Packet 1: Check rules → Allow/Deny
Packet 2: Check rules → Allow/Deny
(No memory of previous packets)
Rules:
ALLOW: 192.168.1.100 → 10.0.0.1:80 (TCP)
Problem: Must allow both directions explicitly
Stateful Firewall
Tracks connection state:
Connection established: Allow return traffic automatically
Packet 1: Outbound → Allow, remember connection
Packet 2: Inbound (response) → Allow (part of connection)
Benefits:
- Automatic return traffic
- Better security
- Connection tracking
Examples
Firewall Rules
class Firewall:
def __init__(self):
self.rules = []
def add_rule(self, action, source, dest, protocol, port):
"""Add firewall rule"""
rule = {
'action': action, # ALLOW or DENY
'source': source,
'destination': dest,
'protocol': protocol,
'port': port
}
self.rules.append(rule)
def filter_packet(self, packet):
"""Filter packet based on rules"""
# Check rules in order (first match wins)
for rule in self.rules:
if self.matches(packet, rule):
return rule['action'] == 'ALLOW'
# Default: Deny
return False
def matches(self, packet, rule):
"""Check if packet matches rule"""
return (
self.match_ip(packet.source, rule['source']) and
self.match_ip(packet.dest, rule['destination']) and
packet.protocol == rule['protocol'] and
self.match_port(packet.port, rule['port'])
)
Stateful Firewall
class StatefulFirewall:
def __init__(self):
self.rules = []
self.connections = {} # Track connections
def filter_packet(self, packet):
"""Filter with connection tracking"""
# Check if part of existing connection
connection_key = self.get_connection_key(packet)
if connection_key in self.connections:
# Allow (part of established connection)
return True
# Check rules for new connection
if self.matches_rules(packet):
# Allow and track connection
self.connections[connection_key] = {
'state': 'ESTABLISHED',
'timestamp': time.time()
}
return True
return False
def get_connection_key(self, packet):
"""Generate connection key"""
# Use 5-tuple: src_ip, src_port, dst_ip, dst_port, protocol
return (
packet.source,
packet.source_port,
packet.dest,
packet.dest_port,
packet.protocol
)
Common Pitfalls
- Rule order: Wrong order causes issues. Fix: Order rules carefully (specific first, general last)
- Default deny: Not setting default deny allows unwanted traffic. Fix: Default deny, explicit allow
- Stateful rules: Not tracking state properly. Fix: Use stateful firewall, track connections
- Too permissive: Allowing too much. Fix: Principle of least privilege
Interview Questions
Beginner
Q: What is a firewall and how do firewall rules work?
A:
Firewall is a network security device that filters traffic based on rules.
How rules work:
- Rules define: What traffic is allowed or blocked
- Rule format: Action, source, destination, protocol, port
- Rule order: First match wins
Example:
Rule 1: ALLOW 192.168.1.0/24 → 10.0.0.1:80 (TCP)
Rule 2: DENY 0.0.0.0/0 → 10.0.0.1:22 (TCP)
Rule 3: DENY 0.0.0.0/0 → 0.0.0.0/0 (ALL) # Default deny
Types:
- Stateless: Filters each packet independently
- Stateful: Tracks connection state
Benefits:
- Security: Prevent unauthorized access
- Control: Control what traffic is allowed
- Monitoring: Log and alert on suspicious activity
Intermediate
Q: Explain the difference between stateless and stateful firewalls. How does connection tracking work?
A:
Stateless Firewall:
Filters each packet independently:
Packet 1: Check rules → Allow/Deny
Packet 2: Check rules → Allow/Deny
(No memory of previous packets)
Rules:
ALLOW: 192.168.1.100 → 10.0.0.1:80 (TCP)
ALLOW: 10.0.0.1:80 → 192.168.1.100 (TCP) # Must allow return
Problem: Must allow both directions explicitly
Stateful Firewall:
Tracks connection state:
Connection established: Allow return traffic automatically
How it works:
- Outbound packet: Check rules, if allowed, track connection
- Inbound packet: Check if part of established connection
- Allow automatically: If part of connection
Example:
Outbound: 192.168.1.100:5000 → 10.0.0.1:80
Check rules → Allow
Track connection: (192.168.1.100:5000, 10.0.0.1:80)
Inbound: 10.0.0.1:80 → 192.168.1.100:5000
Check connection table → Part of connection
Allow automatically (no rule needed)
Benefits:
- Automatic return traffic: Don't need explicit return rules
- Better security: Only allow established connections
- Connection tracking: Know connection state
Senior
Q: Design a firewall system for a large network that handles millions of packets per second. How do you optimize rule matching, implement stateful inspection, and ensure performance?
A:
class HighPerformanceFirewall {
private ruleEngine: RuleEngine;
private connectionTracker: ConnectionTracker;
private packetProcessor: PacketProcessor;
constructor() {
this.ruleEngine = new RuleEngine();
this.connectionTracker = new ConnectionTracker();
this.packetProcessor = new PacketProcessor();
}
// 1. Optimized Rule Matching
class RuleEngine {
private ruleTree: RuleTree; // Tree structure for fast lookup
async match(packet: Packet): Promise<Rule | null> {
// Use tree structure for O(log n) lookup
return await this.ruleTree.search(packet);
}
buildRuleTree(rules: Rule[]): void {
// Build tree indexed by source IP, dest IP, port
// Fast lookup instead of linear search
}
}
// 2. Stateful Inspection
class ConnectionTracker {
private connections: Map<string, Connection>;
async trackConnection(packet: Packet): Promise<boolean> {
const key = this.getConnectionKey(packet);
// Check if part of existing connection
if (this.connections.has(key)) {
return true; // Allow (established connection)
}
// New connection: Check rules
if (await this.ruleEngine.matches(packet)) {
// Track connection
this.connections.set(key, {
state: 'ESTABLISHED',
timestamp: Date.now()
});
return true;
}
return false;
}
cleanupExpired(): void {
// Remove expired connections
const now = Date.now();
for (const [key, conn] of this.connections.entries()) {
if (now - conn.timestamp > 3600000) { // 1 hour
this.connections.delete(key);
}
}
}
}
// 3. Performance Optimization
optimizePerformance(): void {
// Use hardware acceleration
this.useHardwareAcceleration();
// Parallel processing
this.processPacketsInParallel();
// Cache frequently matched rules
this.cacheRules();
}
}
Features:
- Rule tree: Fast O(log n) rule matching
- Connection tracking: Stateful inspection
- Performance: Hardware acceleration, parallel processing
Key Takeaways
- Firewall: Network security device that filters traffic
- Firewall rules: Define what traffic is allowed/blocked
- ACL: Access Control List, list of rules
- Stateless: Filters each packet independently
- Stateful: Tracks connection state, allows return traffic automatically
- Rule order: First match wins, order matters
- Best practices: Default deny, specific rules first, use stateful firewall