diagram.mmd — flowchart
Firewall Packet Filtering flowchart diagram

A firewall is a network security device (hardware or software) that monitors and controls incoming and outgoing network traffic based on a defined set of security rules, deciding whether to allow or block each packet.

Firewalls are the primary enforcement mechanism for network security policies. Modern firewalls operate in layers, from simple packet filters to full deep packet inspection.

Stateless Packet Filtering: The simplest mode. Each packet is evaluated independently against a ruleset (ACL) on its header fields: source IP, destination IP, protocol (TCP/UDP/ICMP), source port, and destination port. No connection state is maintained, so the filter is fast and cheap but cannot tell a reply to a connection the host itself opened from a fresh inbound connection attempt. In practice a stateless ACL must either open the whole ephemeral port range inbound so replies get through, or accept TCP packets with the ACK flag set as "established", and an attacker can set that flag on a forged packet.

Stateful Packet Filtering: The firewall tracks the state of active connections in a connection tracking table keyed by the 5-tuple (protocol, source IP, source port, destination IP, destination port). Packets that belong to an established or related connection are permitted by a single state-match rule without needing an explicit inbound rule, so one outbound rule covers both the request and the reply. The state table is finite: each tracked flow costs memory and idle flows are expired by timeout, which is why SYN floods and large scans can exhaust it.

Rule Evaluation: Rules are evaluated top-to-bottom and the first match wins, so order matters: a broad permit placed above a specific deny shadows it. A typical inbound ruleset permits established/related traffic first (the most frequent match, so checking it first is also cheapest), then allows specific new inbound ports (e.g., TCP 443, TCP 80), and drops everything else through a final deny-all, either an explicit last rule or the chain's default policy.
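The three points above (a stateless ACL, a connection tracking table in front of it, and first-match rule order) as an added, runnable example that is not part of the original page: a small Python simulator. The packets, the addresses (RFC 5737 documentation ranges) and the ruleset are constructed for the example; the ACL mirrors the one in the flowchart at the bottom of the page (TCP 443 from anywhere, TCP 22 from 10.0.0.0/8, ICMP echo).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0      # 0 for ICMP
    dport: int = 0      # ICMP type for ICMP


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "drop"
    proto: str = "any"
    src: str = "0.0.0.0/0"       # CIDR the packet source must fall in
    dport: Optional[int] = None  # None matches any destination port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        return self.dport is None or self.dport == pkt.dport


def stateless_filter(rules, pkt):
    """Stateless ACL: evaluate top-to-bottom, first match wins, implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "drop", "implicit deny-all"


class StatefulFirewall:
    """The same ACL, consulted only for NEW flows; known flows hit the state table."""

    def __init__(self, inbound_rules):
        self.rules = list(inbound_rules)
        self.conntrack = set()          # 5-tuples of tracked flows

    @staticmethod
    def _flow(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reply_flow(pkt):
        # The original flow that this packet would be a reply to
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def _established(self, pkt):
        return self._flow(pkt) in self.conntrack or self._reply_flow(pkt) in self.conntrack

    def outbound(self, pkt):
        # Policy as in the diagram: all outbound allowed; record the flow so the reply is ESTABLISHED
        if not self._established(pkt):
            self.conntrack.add(self._flow(pkt))
        return "allow", "outbound policy"

    def inbound(self, pkt):
        if self._established(pkt):
            return "allow", "ESTABLISHED"
        action, why = stateless_filter(self.rules, pkt)
        if action == "allow":
            self.conntrack.add(self._flow(pkt))   # NEW connection is now tracked
        return action, why


# Constructed ruleset, matching the flowchart on this page
INBOUND_RULES = [
    Rule("allow", "tcp", dport=443, comment="HTTPS from any"),
    Rule("allow", "tcp", "10.0.0.0/8", dport=22, comment="SSH from LAN"),
    Rule("allow", "icmp", dport=8, comment="ICMP echo request"),
]


def demo():
    """Run constructed packets through both filters; 192.0.2.10 is the protected host."""
    fw = StatefulFirewall(INBOUND_RULES)
    results = {}
    results["https_new"] = fw.inbound(Packet("203.0.113.5", "192.0.2.10", "tcp", 51000, 443))
    results["ssh_internet"] = fw.inbound(Packet("203.0.113.5", "192.0.2.10", "tcp", 51001, 22))
    results["ssh_lan"] = fw.inbound(Packet("10.1.2.3", "192.0.2.10", "tcp", 51002, 22))
    # The host opens a connection out; the reply comes back to an ephemeral port
    fw.outbound(Packet("192.0.2.10", "198.51.100.7", "tcp", 40000, 443))
    reply = Packet("198.51.100.7", "192.0.2.10", "tcp", 443, 40000)
    results["reply_stateless"] = stateless_filter(INBOUND_RULES, reply)
    results["reply_stateful"] = fw.inbound(reply)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} -> {verdict}")
```

The reply case is the one that matters: the stateless ACL has no rule for destination port 40000 and drops the server's answer, while the stateful firewall finds the reverse 5-tuple in its table and accepts it without any inbound rule for that port.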

Application-Layer Inspection: Next-generation firewalls (NGFW) inspect application-layer content: identifying applications regardless of port, intercepting TLS (terminating and re-encrypting it with a certificate issued by an internal CA that managed endpoints are configured to trust), and enforcing policy on HTTP, DNS or other protocol fields. Interception only works where that CA is trusted; clients that pin certificates fail rather than accept it.

Security Groups / Cloud Firewalls: AWS Security Groups, Azure NSGs, and GCP VPC firewall rules are software-defined stateful firewalls enforced at each instance's virtual network interface (attached per ENI in AWS, per NIC or subnet in Azure, and targeted by network tag or service account in GCP). They use the same stateful filtering model: explicitly allow inbound ports, and return traffic for those flows is allowed automatically. All outbound is permitted by the default rules, which is the setting most often left unaudited.


Frequently asked questions

Firewall packet filtering is the process of inspecting network packets against a ruleset and deciding to allow or drop each one based on attributes such as source IP, destination IP, protocol, source port, and destination port. Firewalls enforce security boundaries between network segments and are the primary mechanism for network access control.
Stateless filtering evaluates each packet in isolation against a fixed ruleset — it cannot distinguish a reply packet from a new connection attempt. Stateful filtering tracks active connections in a state table, automatically permitting return traffic for established sessions without explicit rules. Stateful firewalls are the standard for production environments because they are both simpler to configure and more secure.
Rules are evaluated top-to-bottom, with the first matching rule applied. A typical ruleset allows specific inbound ports (e.g., TCP 443, TCP 80), permits established and related traffic, then drops everything else with an implicit deny-all at the bottom. Order matters: a broad permit rule placed above a specific deny rule will override it.
Common mistakes include overly permissive rules (e.g., allowing all TCP rather than specific ports), missing deny-all defaults, blocking ICMP entirely (which breaks PMTUD and traceroute), and not auditing outbound rules — attackers who compromise a host can often exfiltrate data through unrestricted outbound traffic.
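The mistakes listed above, and the rule-ordering point from the previous answer, as an added example that is not part of the original page: a Python audit over a ruleset that flags overly permissive allows, unrestricted outbound, a chain with no ICMP allow, a missing final deny-all, and rules shadowed by an earlier broader rule of the opposite action. The rule format and both sample rulesets are constructed for the example.

```python
from ipaddress import ip_network

FULL_PORT_RANGE = (0, 65535)


def rule(direction, action, proto="any", cidr="0.0.0.0/0", ports=FULL_PORT_RANGE):
    """One ACL entry; direction 'in' uses cidr as source, 'out' uses it as destination."""
    return {"dir": direction, "action": action, "proto": proto, "cidr": cidr, "ports": ports}


def covers(broad, narrow):
    """True when every packet `narrow` would match is already matched by `broad`."""
    if broad["dir"] != narrow["dir"]:
        return False
    if broad["proto"] not in ("any", narrow["proto"]):
        return False
    if not ip_network(narrow["cidr"]).subnet_of(ip_network(broad["cidr"])):
        return False
    return broad["ports"][0] <= narrow["ports"][0] and narrow["ports"][1] <= broad["ports"][1]


def is_catch_all_drop(r):
    return (r["action"] == "drop" and r["proto"] == "any"
            and r["cidr"] == "0.0.0.0/0" and r["ports"] == FULL_PORT_RANGE)


def audit(rules):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    for i, r in enumerate(rules):
        wide_open = r["cidr"] == "0.0.0.0/0" and (
            r["proto"] == "any"
            or (r["proto"] in ("tcp", "udp") and r["ports"] == FULL_PORT_RANGE))
        if r["dir"] == "in" and r["action"] == "allow" and wide_open:
            findings.append(f"rule {i}: overly permissive inbound allow "
                            f"({r['proto']}, all ports, from anywhere)")
        if r["dir"] == "out" and r["action"] == "allow" and wide_open:
            findings.append(f"rule {i}: unrestricted outbound allow; "
                            "a compromised host can exfiltrate freely")
        # First match wins: a later rule fully covered by an earlier opposite rule never fires
        for j, earlier in enumerate(rules[:i]):
            if earlier["action"] != r["action"] and covers(earlier, r):
                findings.append(f"rule {i} is shadowed by rule {j} and can never match")
    if not any(r["dir"] == "in" and r["action"] == "allow" and r["proto"] in ("icmp", "any")
               for r in rules):
        findings.append("no inbound ICMP allowed: dropping all ICMP breaks PMTUD and traceroute")
    for direction in ("in", "out"):
        chain = [r for r in rules if r["dir"] == direction]
        if not chain or not is_catch_all_drop(chain[-1]):
            findings.append(f"{direction}bound chain has no explicit final deny-all")
    return findings


# Constructed ruleset exhibiting each mistake
SAMPLE_RULES = [
    rule("in", "allow", "tcp", "0.0.0.0/0", (443, 443)),
    rule("in", "allow", "tcp", "0.0.0.0/0"),                 # all TCP from anywhere
    rule("in", "drop", "tcp", "203.0.113.0/24", (22, 22)),   # shadowed by the rule above
    rule("out", "allow"),                                    # unrestricted outbound
]

# Constructed hardened version of the same policy
HARDENED_RULES = [
    rule("in", "allow", "tcp", "0.0.0.0/0", (443, 443)),
    rule("in", "allow", "tcp", "10.0.0.0/8", (22, 22)),
    rule("in", "allow", "icmp", "0.0.0.0/0"),
    rule("in", "drop"),
    rule("out", "allow", "tcp", "0.0.0.0/0", (443, 443)),
    rule("out", "allow", "udp", "10.0.0.53/32", (53, 53)),   # DNS to the internal resolver only
    rule("out", "drop"),
]


if __name__ == "__main__":
    for name, rules in (("sample", SAMPLE_RULES), ("hardened", HARDENED_RULES)):
        print(f"{name}: {len(audit(rules))} finding(s)")
        for f in audit(rules):
            print("  -", f)
```

The shadowing check is the piece worth keeping: it is the mechanical form of "a broad permit placed above a specific deny overrides it", and it catches the case a reviewer reading rules one at a time tends to miss.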
Cloud security groups (AWS Security Groups, Azure NSGs, GCP VPC firewall rules) are stateful software firewalls enforced at the virtual network interface of each instance rather than at a centralized appliance. AWS Security Groups are allow-only with an implicit deny; Azure NSGs and GCP firewall rules also accept explicit deny rules ordered by priority, so rule order matters there just as on a traditional ACL. The distributed model scales well and avoids a choke point, but these filters work at layers 3 and 4 only: there is no deep packet inspection, and per-flow visibility comes from flow logs rather than from the firewall itself.
```mermaid
flowchart TD
    Packet([Incoming Packet]) --> Inbound{Inbound or\nOutbound?}
    Inbound -->|Inbound| StateCheck{Connection\nTracking Table:\nEstablished?}
    StateCheck -->|ESTABLISHED or RELATED| Allow1([Allow — return traffic])
    StateCheck -->|NEW connection| RuleCheck{Match firewall\nACL rules\ntop-to-bottom}
    RuleCheck -->|Rule: Allow TCP 443\nfrom any| Allow2([Allow — HTTPS])
    RuleCheck -->|Rule: Allow TCP 22\nfrom 10.0.0.0/8| Allow3([Allow — SSH from LAN])
    RuleCheck -->|Rule: Allow ICMP echo| Allow4([Allow — Ping])
    RuleCheck -->|No rule matched| ImplicitDeny([DROP — implicit deny all])
    Allow2 --> AddState[Add to connection\ntracking table]
    Allow3 --> AddState
    AddState --> Forward([Forward packet\nto destination])
    Inbound -->|Outbound| OutRules{Outbound rules\nevaluation}
    OutRules -->|Allow all outbound| OutAllow([Allow outbound traffic])
    OutRules -->|Block specific port\nor destination| OutDrop([DROP outbound packet])
```