diagram.mmd — flowchart
Firewall Rule Processing flowchart diagram

A firewall processes network traffic by evaluating each packet or connection against an ordered list of rules, permitting or denying traffic based on criteria like source IP, destination IP, port, protocol, and connection state.

Modern firewalls fall into several categories. Stateless (packet filter) firewalls evaluate each packet independently against static rules based on IP headers and port numbers — they are fast but cannot track connection state. Stateful firewalls maintain a connection tracking table, allowing them to permit return traffic for established connections automatically without explicit allow rules. Next-generation firewalls (NGFW) add application-layer inspection, deep packet inspection, and integration with threat intelligence feeds.

Rules are evaluated in order from first to last, and the first matching rule wins. This ordering is critical: placing broad DENY rules before specific ALLOW rules for the same traffic will block legitimate traffic. Most firewall policies end with an implicit DENY ALL rule that blocks everything not explicitly permitted — this is the "default deny" or "allowlist" model, which is more secure than "default permit".

Rule matching criteria: source and destination IP addresses (individual addresses, CIDR ranges, or named groups), source and destination ports (single ports, port ranges, or service names), protocol (TCP, UDP, ICMP), direction (inbound, outbound, or both), and connection state (NEW, ESTABLISHED, RELATED for stateful firewalls).

Cloud providers implement virtual firewalls as Security Groups (AWS, GCP, Azure) which operate statelessly on port/IP rules, and Network ACLs (AWS) which are stateless and evaluated in numbered order. Both have their own rule processing models. See Secure API Gateway for application-layer security and Threat Detection Pipeline for anomaly detection that complements firewall rules.


Frequently asked questions

Firewall rule processing is the sequential evaluation of a packet or connection against an ordered list of rules. Each rule specifies match criteria (source IP, destination port, protocol) and an action (allow or deny). The first matching rule determines the outcome, so rule order is critical.
A stateless firewall evaluates each packet independently against fixed rules and has no memory of prior packets. A stateful firewall tracks connection state in a table, automatically permitting return traffic for established connections. Stateful firewalls are more flexible and require fewer explicit rules for bidirectional traffic.
Default deny means all traffic not explicitly permitted by a rule is blocked. The ruleset ends with an implicit or explicit deny-all rule. This is the safest posture because it requires administrators to consciously allow each traffic type, rather than blocking only known-bad traffic.
```mermaid
flowchart TD
    A[Network packet or connection arrives] --> B[Extract packet attributes\nSrc IP, Dst IP, Port, Protocol]
    B --> C[Check connection state table\nIs this part of established connection?]
    C --> D{Established connection?}
    D -- Yes --> E[Permit packet\nStateful allow for return traffic]
    D -- No, new connection --> F[Evaluate Rule 1\nSrc IP in blocked ranges?]
    F --> G{Rule 1 match?}
    G -- Yes, DENY --> H[Block packet\nLog and drop]
    G -- No --> I[Evaluate Rule 2\nDst Port in allowed services?]
    I --> J{Rule 2 match?}
    J -- Yes, ALLOW --> K[Permit packet\nAdd to connection table]
    J -- No --> L[Evaluate Rule 3\nAdmin IP accessing SSH port 22?]
    L --> M{Rule 3 match?}
    M -- Yes, ALLOW --> K
    M -- No --> N[Continue evaluating remaining rules\nin priority order]
    N --> O{Any rule matched?}
    O -- No --> P[Implicit default DENY ALL\nBlock and log]
    K --> Q[Forward packet to destination]
    H --> R[Generate security log event]
    P --> R
```
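The flowchart's stateful check, ordered first-match rule evaluation and implicit default deny, as an added Python example that is not part of the original page or of any real firewall product; the rule set, the documentation-range addresses and the packets are constructed to mirror the diagram's three rules.

```python
import ipaddress

class Rule:
    def __init__(self, name, action, src="0.0.0.0/0", dst_port=None, proto=None):
        self.name, self.action = name, action          # action is "ALLOW" or "DENY"
        self.src = ipaddress.ip_network(src)           # CIDR; 0.0.0.0/0 matches any source
        self.dst_port, self.proto = dst_port, proto    # None matches any port / protocol
    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in self.src
                and self.dst_port in (None, pkt["dport"])
                and self.proto in (None, pkt["proto"]))

class Firewall:
    def __init__(self, rules):
        # rules: evaluated in order, first match wins; conntrack: established 5-tuples; log: deny events
        self.rules, self.conntrack, self.log = rules, set(), []

    def process(self, pkt):
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"])
        # Stateful check first: either direction of an established connection skips the rules
        if flow in self.conntrack or reverse in self.conntrack:
            return "ALLOW (established)"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "ALLOW":
                    self.conntrack.add(flow)           # so return traffic is allowed later
                    return f"ALLOW ({rule.name})"
                self.log.append(f"DENY {rule.name} {flow}")
                return f"DENY ({rule.name})"
        self.log.append(f"DENY default {flow}")        # implicit default deny, logged
        return "DENY (default)"

# Constructed ruleset mirroring the diagram's three rules (documentation addresses).
RULES = [
    Rule("rule1-blocked-range", "DENY", src="203.0.113.0/24"),
    Rule("rule2-https", "ALLOW", dst_port=443, proto="tcp"),
    Rule("rule3-admin-ssh", "ALLOW", src="192.0.2.10/32", dst_port=22, proto="tcp"),
]

def run_demo():
    fw = Firewall(RULES)
    pkts = [  # constructed packets
        {"src": "203.0.113.5", "sport": 40000, "dst": "10.0.0.8", "dport": 443, "proto": "tcp"},  # blocked range: rule 1 wins over rule 2
        {"src": "198.51.100.7", "sport": 40001, "dst": "10.0.0.8", "dport": 443, "proto": "tcp"}, # HTTPS allowed, state recorded
        {"src": "10.0.0.8", "sport": 443, "dst": "198.51.100.7", "dport": 40001, "proto": "tcp"}, # return traffic, stateful allow
        {"src": "192.0.2.10", "sport": 40002, "dst": "10.0.0.8", "dport": 22, "proto": "tcp"},    # admin SSH via rule 3
        {"src": "198.51.100.7", "sport": 40003, "dst": "10.0.0.8", "dport": 22, "proto": "tcp"},  # non-admin SSH: nothing matches
    ]
    return [fw.process(p) for p in pkts], fw.log
```

Reordering the list so the broad DENY follows the HTTPS ALLOW lets the blocked-range packet through, which is the ordering hazard the text describes.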