Firewalls and Filtering
Every network has a boundary — a line between the outside world and the computers inside. Something has to stand at that line and decide which traffic gets to cross it. Left wide open, a network would let anyone reach anything inside; that is rarely what anyone wants.
The thing standing at that boundary is a firewall — a guard that watches the traffic trying to cross and lets some through while blocking the rest, according to a set of rules. It is one of the oldest and most recognizable defenses there is.
Think of the security desk in the lobby of an office building. Everyone who wants to come in has to pass the desk, and the guard checks each person against a list of who is allowed. A firewall does the same job for network traffic: it checks each connection against its rules and waves it in or turns it away.
What Does a Firewall Actually Do?
A firewall inspects traffic as it tries to cross a boundary and decides, connection by connection, whether to allow it or block it. The decision is made against rules someone set in advance — not a judgment call made on the spot.
Those rules are about the shape of the traffic, not its meaning. A rule might say which addresses are allowed to connect, or which kinds of connection are permitted — for example, allowing ordinary web traffic but blocking everything else. The firewall matches each connection to the rules and acts accordingly.
So a firewall, in this basic form, is a filter. It does not read what a message says or what a file contains — it looks at where the traffic is coming from, where it is going, and what type it is, then applies the rule that fits. (Some modern firewalls can inspect content more deeply, but even those never make allowed traffic automatically safe.)
Default-Deny: Block Everything, Then Allow a Few Things
There are two ways to write the rules. One is to allow everything and then block the bad things you can think of. The other is to block everything and then allow only the specific things you actually need. The second way is called default-deny, and it is the stronger of the two.
The reason is simple. If you start by blocking everything, you only have to list the few connections you want to permit, and everything you forgot about stays shut by default. If you start by allowing everything, every door you forget to close stays open.
Default-deny shrinks the ways into a network down to a known, small set — a short list of permitted paths instead of an endless list of things to forbid. A smaller set of open doors is a smaller set of doors to watch.
Where Do Firewalls Sit?
The most familiar place for a firewall is the edge of a network — the outer boundary, between the inside and the wider internet. That is the security desk in the lobby, checking everyone who comes through the front door.
But a network can have boundaries inside it too. Larger systems are often divided into sections, with firewalls standing between those sections so that traffic moving from one part to another is checked as well — not just traffic arriving from outside.
Firewalls can even sit on a single device, deciding what that one computer will accept. So firewalls are not one fence in one place; they are boundaries at several scales, from the edge of a whole network down to a single machine.
What a Firewall Cannot Stop
Now for the limit, because it shapes everything else. A firewall enforces the rules it was given, and those rules permit whole categories of traffic — like ordinary web and email. Anything harmful that travels inside an allowed category passes straight through, because the firewall was told to let that category in.
A phishing email is the clearest example. It arrives over the same email channel the firewall is configured to allow, so the firewall has no reason to stop it. The trouble is not in the type of traffic; it is in the content riding along inside it, and content is not what a firewall judges.
This is the security desk's blind spot. The guard checks everyone at the entrance against the list, but once someone is legitimately let in, the desk cannot stop them from causing trouble inside. That is exactly why a firewall is one layer of many, not the whole defense — a point the next topics build on directly.
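The two points above, default-deny versus default-allow and the filter's blindness to content, can be seen together in a small rule matcher. This is an added example, not code from the original page; the rule shapes, addresses and the sample connections are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# A connection as the filter sees it; payload is carried only to show it is never read.
@dataclass(frozen=True)
class Connection:
    src: str
    dport: int
    proto: str
    payload: str = ""

# One rule: allow or deny connections of a given shape; None is a wildcard.
@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dport: Optional[int] = None
    proto: Optional[str] = None
    def matches(self, c: Connection) -> bool:
        return (ip_address(c.src) in ip_network(self.src)
                and (self.dport is None or self.dport == c.dport)
                and (self.proto is None or self.proto == c.proto))

def decide(rules: List[Rule], default: str, c: Connection) -> str:
    """First matching rule wins; the policy default applies when none match."""
    for rule in rules:
        if rule.matches(c):
            return rule.action
    return default

# Default-deny: list only what is needed; everything else stays shut.
DEFAULT_DENY = [Rule("allow", dport=443, proto="tcp"),                    # web
                Rule("allow", dport=25, proto="tcp"),                     # email
                Rule("allow", src="10.0.0.0/8", dport=22, proto="tcp")]   # admin, inside only
# Default-allow: block the bad things you thought of; forgotten doors stay open.
DEFAULT_ALLOW = [Rule("deny", dport=23, proto="tcp"),
                 Rule("deny", dport=3389, proto="tcp")]

# Constructed samples; 203.0.113.7 is a documentation address standing in for "outside".
FORGOTTEN_DOOR = Connection("203.0.113.7", 5900, "tcp")     # a service nobody wrote a rule for
INSIDE_ADMIN = Connection("10.2.3.4", 22, "tcp")
OUTSIDE_ADMIN = Connection("203.0.113.7", 22, "tcp")
PHISHING_MAIL = Connection("203.0.113.7", 25, "tcp",
                           payload="Your account is locked, click here to verify")

def compare(c: Connection) -> dict:
    """Same connection under both policies; only the shape is consulted, never the payload."""
    return {"default_deny": decide(DEFAULT_DENY, "deny", c),
            "default_allow": decide(DEFAULT_ALLOW, "allow", c)}
```

The forgotten port is shut under default-deny but open under default-allow, while the phishing mail is allowed under both because it arrives on the permitted email channel and nothing in the rules looks at its content.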
- "A firewall blocks viruses and scams." It filters network traffic by rules — which addresses, which kinds of connection. It does not judge a phishing email or a malicious file that rides along inside traffic it is configured to allow.
- "One firewall at the edge is enough." The edge is only the outer boundary. Modern defense also divides the inside of a network into sections, so a breach in one part does not reach everything — the subject of the next topic.
- "Allowed traffic is automatically safe." A firewall permits whole categories of traffic, not specific safe messages. Harmful content can still travel within an allowed category, untouched.
- The firewall is the most familiar defense there is, and now you know precisely what it does — filter traffic by rules at a boundary — and where its line stops.
- Knowing what a firewall cannot stop sets up the layers that handle the rest: segmenting the inside of a network and giving each part only the access it needs.
Knowledge Check
What does a firewall use to decide whether a connection is allowed across the boundary?
- A set of rules about which traffic is permitted
- Whether the message inside looks suspicious
- A person who reads each incoming message and judges whether the content looks safe
- How much the traffic is worth
Why is "default-deny" considered the stronger way to set up a firewall?
- Everything is blocked unless explicitly allowed, so forgotten things stay shut
- It allows all traffic first, then blocks problems as they appear
- It makes the network run faster than other setups
- It scans the full text of every message crossing the boundary and blocks the ones that contain something suspicious
A phishing email reaches an employee even though the company has a firewall. Why couldn't the firewall stop it?
- It arrived over an allowed channel, and the firewall doesn't judge content
- The firewall had stopped checking rules altogether, so every connection was passing through without being inspected
- Firewalls can read scams but this one missed the wording
- The email was encrypted so the firewall couldn't see it