100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Python

Firewalls Basics

Understand how packet-filtering, stateful, and application-layer firewalls inspect traffic differently to enforce security policy.

Network DevicesIntermediate11 min readJul 8, 2026
Analogies

Introduction

A firewall is a network security device or software component that enforces a policy about which traffic is allowed to enter or leave a network. Firewalls are one of the oldest and most fundamental network security controls, but not all firewalls work the same way. Understanding the different inspection techniques — packet filtering, stateful inspection, and application-layer proxying — helps you choose the right protection for a given scenario and understand its limitations.

🏏

Cricket analogy: A firewall is like the boundary rope umpire deciding what crosses in or out of the ground; but whether he just watches the ball's line (packet filtering), tracks the whole over's context (stateful), or reviews the full shot on replay (application-layer) changes how thorough the decision is.

Explanation

A packet-filtering firewall is stateless: it examines each packet in isolation against a static rule set, typically matching on source/destination IP address, source/destination port, and protocol (TCP/UDP/ICMP). Because it has no memory of prior packets, it cannot tell whether a packet is part of an established, legitimate connection or a spoofed/out-of-context packet; administrators must write rules for both directions of traffic explicitly. It is fast and simple but relatively easy to evade with crafted packets and offers no visibility into the actual content or context of a conversation.

🏏

Cricket analogy: A packet-filtering firewall is like an umpire who checks only the current ball's line and length against a fixed rulebook, with no memory of the previous five balls in the over, so bowlers can craft deliveries that individually pass but form an illegal pattern.

A stateful inspection firewall tracks the state of active connections (such as TCP three-way handshakes and sequence numbers) in a connection table. It automatically permits return traffic that belongs to an already-approved outbound connection, without needing an explicit rule for the reverse direction. This makes rule sets simpler and more secure than pure packet filtering, since packets that do not correspond to a known, legitimate connection state are dropped by default. Stateful firewalls still generally only inspect Layer 3/4 header information (IPs, ports, flags), not the actual application data inside the payload.

🏏

Cricket analogy: A stateful firewall is like a scorer who remembers exactly which over and ball is in progress, automatically allowing the next legitimate delivery in sequence without a fresh rule each time, though he still only tracks the scoreboard numbers, not what's actually said in the huddle.

An application-layer firewall, often implemented as a proxy, operates at Layer 7 and understands specific application protocols such as HTTP, FTP, or DNS. It can inspect the actual content of requests and responses — for example, blocking a specific URL path, filtering based on HTTP headers, detecting SQL injection patterns in a request body, or preventing disallowed file types from being downloaded. Because it terminates and re-establishes connections on behalf of clients (acting as a proxy), it provides the deepest inspection but at the cost of higher latency and more processing overhead than the lower layers.

🏏

Cricket analogy: An application-layer firewall is like a third umpire reviewing full ball-tracking and snicko data before ruling, not just the on-field call, catching a subtle inside edge (like a SQL injection hidden in a request) that a quick glance would miss, though the review takes extra time.

Example

python
# Simplified illustration of three firewall inspection styles

# 1. Packet filtering: stateless, per-packet rule matching
rules = [
    {"src": "any", "dst_port": 443, "protocol": "tcp", "action": "allow"},
    {"src": "any", "dst_port": 23, "protocol": "tcp", "action": "deny"},
]

def packet_filter(packet, rules):
    for rule in rules:
        if rule["dst_port"] == packet.dst_port and rule["protocol"] == packet.protocol:
            return rule["action"]
    return "deny"  # default deny

# 2. Stateful inspection: tracks connections, allows matching return traffic
connection_table = {}

def stateful_check(packet):
    conn_id = (packet.src_ip, packet.src_port, packet.dst_ip, packet.dst_port)
    reverse_id = (packet.dst_ip, packet.dst_port, packet.src_ip, packet.src_port)
    if packet.flags == "SYN" and packet.direction == "outbound":
        connection_table[conn_id] = "established"
        return "allow"
    if reverse_id in connection_table:
        return "allow"  # return traffic for a known connection
    return "deny"

# 3. Application-layer firewall: inspects HTTP content, not just headers
def app_layer_filter(http_request):
    if "/admin" in http_request.url and not http_request.is_authenticated:
        return "deny"
    if "UNION SELECT" in http_request.body.upper():
        return "deny"  # simple SQL injection pattern
    return "allow"

Analysis

The three firewall types trade off performance against depth of inspection. Packet filters are extremely fast because they make a decision per packet with no memory, but they cannot distinguish a legitimate reply packet from a spoofed one and cannot see anything about the application data. Stateful firewalls solve the connection-awareness problem — they know a packet belongs to a real, established session — but by default they still only see IP/port/flag information, not what is inside an HTTP request or an email attachment. Application-layer firewalls close that gap by understanding the protocol itself, enabling them to block malicious content, enforce content policies, or hide internal server details, but this requires terminating the connection and doing real protocol parsing, which adds latency and computational cost. In practice, most modern network security architectures layer these approaches: a stateful firewall handles bulk traffic filtering efficiently, while application-layer inspection (such as a web application firewall) is applied selectively to sensitive traffic like public-facing web applications.

🏏

Cricket analogy: Packet filters are the umpire glancing at each ball's line with no memory, stateful firewalls are the scorer tracking the whole over's legitimate sequence, and application-layer firewalls are the third umpire reviewing full replay; most grounds use fast on-field calls for routine balls and DRS review only for contested ones.

Key Takeaways

  • Packet-filtering firewalls are stateless and match rules per packet on IP/port/protocol only, requiring rules for both directions.
  • Stateful firewalls track connection state and automatically permit return traffic for established, legitimate connections.
  • Application-layer (proxy) firewalls operate at Layer 7 and can inspect actual content like URLs, headers, and payload data.
  • Depth of inspection increases from packet filtering to stateful to application-layer, but so does processing overhead and latency.

Practice what you learned

Was this page helpful?

Topics covered

#Python#ComputerNetworksStudyNotes#ComputerNetworks#FirewallsBasics#Firewalls#Explanation#Example#Analysis#StudyNotes#SkillVeris