
Security · 2026-01-17

Basic Firewall Rules Explained

A firewall rule is a decision about whether certain traffic should be allowed or blocked.

Rule parts

A basic rule usually includes source, destination, protocol, port, direction, and action. For example, allow TCP port 443 from internal clients to the internet.

The source is where traffic comes from. The destination is where traffic is going. The protocol might be TCP, UDP, or ICMP. The action is usually allow or deny. Direction matters because inbound and outbound traffic can have different risks.

Default deny

A common security approach is to block by default and allow only what is required. This applies the principle of least privilege and reduces unnecessary exposure.

Default deny can feel strict at first, but it makes rules easier to reason about. Instead of asking why something is open, the administrator must intentionally allow only the traffic that has a business or lab purpose.

Beginner example

If a web server should only serve HTTPS, a rule may allow inbound TCP 443 and block other inbound traffic. If SSH is needed, it should be limited to trusted admin IP addresses.

Rule order

Many firewalls process rules from top to bottom. This means rule order can change the result. A broad allow rule placed above a specific deny rule may make the deny rule useless. This is why firewall rules must be reviewed carefully.

Testing rules

After changing a rule, I should test the expected allowed traffic and the expected blocked traffic. A rule is not finished until I verify both sides.
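The rule-order problem and the two-sided test described above, as an added example that is not part of the original post: a small first-match evaluator with default deny. The rule model, rule names and addresses (documentation ranges) are constructed for illustration and do not correspond to any particular firewall product.

```python
# Added example: rule model, names and addresses are constructed (IPv4 only).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    action: str     # "allow" or "deny"
    source: str     # CIDR; "0.0.0.0/0" means any source
    protocol: str   # "tcp", "udp", "icmp" or "any"
    port: int       # destination port; 0 means any port

    def matches(self, src, protocol, port):
        return (ip_address(src) in ip_network(self.source) and
                self.protocol in ("any", protocol) and self.port in (0, port))

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        return (ip_network(other.source).subnet_of(ip_network(self.source)) and
                self.protocol in ("any", other.protocol) and self.port in (0, other.port))

def decide(rules, src, protocol, port):
    """Top to bottom, first match wins; no match falls through to deny."""
    for rule in rules:
        if rule.matches(src, protocol, port):
            return rule.action
    return "deny"

def shadowed(rules):
    """(later, earlier) name pairs where the later rule can never fire."""
    return [(later.name, earlier.name) for i, later in enumerate(rules)
            for earlier in rules[:i] if earlier.covers(later)]

def failures(rules, cases):
    """Test cases (src, protocol, port, expected) the rule set gets wrong."""
    return [c for c in cases if decide(rules, *c[:3]) != c[3]]

HTTPS = Rule("allow-https", "allow", "0.0.0.0/0", "tcp", 443)
BLOCK = Rule("deny-blocked-host", "deny", "198.51.100.7/32", "tcp", 443)
SSH = Rule("allow-ssh-admin", "allow", "203.0.113.0/24", "tcp", 22)
BAD_ORDER = [HTTPS, BLOCK, SSH]     # broad allow sits above the specific deny
FIXED_ORDER = [BLOCK, HTTPS, SSH]   # specific deny is evaluated first

# Both sides of the test: traffic that must pass and traffic that must not.
CASES = [("192.0.2.10", "tcp", 443, "allow"), ("198.51.100.7", "tcp", 443, "deny"),
         ("203.0.113.5", "tcp", 22, "allow"), ("192.0.2.10", "tcp", 22, "deny"),
         ("192.0.2.10", "udp", 53, "deny")]

if __name__ == "__main__":
    print([(shadowed(r), failures(r, CASES)) for r in (BAD_ORDER, FIXED_ORDER)])
```

With `BAD_ORDER`, the deny rule is reported as shadowed and the blocked-host case fails; a test list containing only the "allow" cases would have passed and hidden the problem.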

Documentation habit

Every rule should have a reason. I try to write what the rule allows, who needs it, and what would break if it were removed.