Firewall Types & Architecture
Firewalls are the foundational perimeter security control. Understanding different firewall types and their limitations is essential for designing effective network security architectures.
Firewall Types
- Packet Filter (Stateless): Inspects each packet independently against rules (src IP, dst IP, port, protocol, TCP flags). Fast, but keeps no record of connections. Example rule: BLOCK TCP port 23 (Telnet). Limitation: it cannot tell whether a packet carrying the ACK flag belongs to a connection an inside host actually opened, so any rule that admits return traffic has to admit every ACK-bearing packet; attackers use ACK scans (nmap -sA) to map which ports such a filter passes
- Stateful Inspection: Tracks connection state (the TCP three-way handshake, plus pseudo-state for UDP and ICMP) in a state table and admits inbound packets only when they match an existing entry or an explicit allow rule. Far harder to probe or bypass than stateless filtering; the baseline for modern firewalls
- Application Layer Gateway (Proxy Firewall): Terminates the connection and speaks the application protocol (HTTP, FTP, DNS) itself, so it can detect protocol misuse such as DNS tunneling or malformed, non-conforming HTTP, and can inspect TLS traffic when deployed with interception (the proxy presents its own certificate, which the clients must be configured to trust)
- Next-Generation Firewall (NGFW): IPS functionality, application identification independent of port (identifies Facebook traffic even on port 443), user identity-aware policies, malware sandboxing, integration with threat intelligence
- WAF (Web Application Firewall): Specifically protects web applications — understands HTTP, inspects request body, detects SQL injection, XSS, CSRF. Operates at Layer 7. Can be deployed as hardware, software, or cloud service (Cloudflare, AWS WAF)
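The stateless versus stateful distinction above is easiest to see in code. The following is an added example written for this page, not code from the page itself or from any firewall product: a toy stateless filter that uses the classic "established" shortcut (admit anything with ACK or RST set) beside a stateful filter with a connection table, both fed a legitimate HTTPS reply and then a bare-ACK scan. The host address 10.0.0.5, the remote and attacker addresses, the published port 443 and all function names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags set on the segment, e.g. frozenset({"SYN"})


# Constructed topology (an assumption for this example): the filter protects one
# inside host that publishes HTTPS and otherwise only makes outbound connections.
INSIDE_HOST = "10.0.0.5"
PUBLIC_PORTS = {443}


def stateless_allows(pkt: Packet) -> bool:
    """Stateless packet filter: each decision uses only the packet's own headers.

    Inbound policy: (1) anything to a published port; (2) anything with ACK or RST
    set, because that 'established' shortcut is the only way a stateless filter can
    admit replies to connections that inside hosts opened outbound.
    """
    if pkt.dst != INSIDE_HOST:
        return False
    if pkt.dport in PUBLIC_PORTS:
        return True
    return bool(pkt.flags & {"ACK", "RST"})


class StatefulFilter:
    """Stateful inspection: outbound SYNs create entries in a state table, and an
    inbound packet is admitted only if it matches one (or targets a published port)."""

    def __init__(self) -> None:
        # (inside_ip, inside_port, remote_ip, remote_port) per tracked connection
        self.connections: set = set()

    def outbound(self, pkt: Packet) -> bool:
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True  # egress is not restricted in this example

    def inbound(self, pkt: Packet) -> bool:
        if pkt.dst != INSIDE_HOST:
            return False
        if pkt.dport in PUBLIC_PORTS:
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections


def ack_scan(allows, ports, attacker="203.0.113.9"):
    """Bare-ACK probes in the style of `nmap -sA`. Returns the ports whose probe the
    filter forwards; the host answers each with RST, so the attacker learns those
    ports are 'unfiltered' and can map the filter's rules."""
    return [p for p in ports
            if allows(Packet(attacker, 40000, INSIDE_HOST, p, frozenset({"ACK"})))]


def demo() -> dict:
    fw = StatefulFilter()
    # Legitimate traffic: an inside client opens HTTPS to a remote server, which replies SYN/ACK.
    fw.outbound(Packet(INSIDE_HOST, 50000, "198.51.100.7", 443, frozenset({"SYN"})))
    reply = Packet("198.51.100.7", 443, INSIDE_HOST, 50000, frozenset({"SYN", "ACK"}))
    probe_ports = [22, 443, 3306, 5432]
    return {
        "reply_stateless": stateless_allows(reply),                      # True: ACK set
        "reply_stateful": fw.inbound(reply),                             # True: in state table
        "ack_scan_stateless": ack_scan(stateless_allows, probe_ports),   # every probe passes
        "ack_scan_stateful": ack_scan(fw.inbound, probe_ports),          # only the published port
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both filters pass the legitimate reply, but only the stateless one passes the probes to 22, 3306 and 5432: it has no way to know those ACKs belong to nothing. Real stateless filters can match on TCP flags, so the weakness is not a missing flag check but the missing connection table.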
Firewall Deployment Zones
# Three-zone firewall architecture (DMZ design)
Internet ←→ [FIREWALL 1] ←→ DMZ ←→ [FIREWALL 2] ←→ Internal Network
DMZ (Demilitarized Zone) contains:
- Web and application servers (nginx, Apache) - face the internet
- API gateway - routes external requests to internal services
- Mail relay - filters email before delivery to internal mail server
- Bastion host / Jump server - controlled entry point for admin SSH
Rules (FIREWALL 1 — Internet → DMZ):
ALLOW: TCP 80, 443 from ANY to Web Servers
ALLOW: TCP 25 from ANY to Mail Relay
DENY: Everything else
Rules (FIREWALL 2 — DMZ → Internal):
DENY: Any access from DMZ to Management VLAN (listed first so no later ALLOW can widen into it)
ALLOW: TCP 5432 from App Server (DMZ) to DB Server (Internal) ONLY
ALLOW: TCP 25 from Mail Relay (DMZ) to Internal Mail Server
DENY: Everything else (no other DMZ host may reach any internal service)
Rules (Internal → Internet — Egress filtering):
ALLOW: TCP 80, 443 (HTTP/HTTPS) from the web proxy only; clients must go through it
ALLOW: UDP/TCP 53 to corporate DNS resolvers only
DENY: Everything else, including direct outbound connections that bypass the proxy
Common Mistakes
- Allow-all egress (outbound) rules — attackers use outbound connections for C2 communication and data exfiltration; restrict outbound traffic to the protocols the business needs and force them through a proxy and resolvers you control
- Not reviewing firewall rules regularly — rule bases accumulate for years; stale rules for decommissioned systems create forgotten attack paths, and a broad rule added "temporarily" shadows every narrower rule below it
- Treating the firewall as the only security layer — modern attacks ride allowed ports (HTTPS on 443) to carry malicious traffic; application-aware controls and monitoring are needed behind it
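The zone rules above and the first two common mistakes can be checked mechanically. The following is an added example written for this page, not a page or vendor artifact: a small first-match rule evaluator with an implicit final DENY, the FIREWALL 2 and egress policies expressed in it, and an audit pass that flags allow-all rules and rules shadowed by an earlier, broader one. The addresses (192.0.2.0/24 for the DMZ, 10.10.0.0/16 internal, 10.10.99.0/24 management), the proxy port 3128 and all function names are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                  # "ALLOW" or "DENY"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                   # "tcp", "udp" or "any"
    ports: frozenset             # destination ports; empty means any port
    comment: str = ""


def R(action, src, dst, proto="any", ports=(), comment=""):
    def net(s):
        return ipaddress.ip_network(s, strict=False)
    return Rule(action, net(src), net(dst), proto, frozenset(ports), comment)


# Constructed addressing for the zones (assumed for this example, not from the page).
DMZ, INTERNAL, MGMT = "192.0.2.0/24", "10.10.0.0/16", "10.10.99.0/24"
APP, RELAY = "192.0.2.20", "192.0.2.25"                                       # DMZ hosts
DB, MAIL, DNS, PROXY = "10.10.1.10", "10.10.1.25", "10.10.0.53", "10.10.0.8"  # internal hosts

# FIREWALL 2 (DMZ -> Internal): management deny first, then the two narrow allows.
DMZ_TO_INTERNAL = [
    R("DENY", DMZ, MGMT, comment="DMZ may never reach the management VLAN"),
    R("ALLOW", APP, DB, "tcp", [5432], "app server -> PostgreSQL"),
    R("ALLOW", RELAY, MAIL, "tcp", [25], "mail relay -> internal mail server"),
]
# Egress as it often ends up: a 'temporary' allow-all that swallows every rule below it.
BAD_EGRESS = [
    R("ALLOW", INTERNAL, "0.0.0.0/0", comment="temporary: let everything out"),
    R("ALLOW", INTERNAL, DNS, "udp", [53], "corporate DNS"),
    R("ALLOW", INTERNAL, PROXY, "tcp", [3128], "clients -> web proxy"),
    R("ALLOW", PROXY, "0.0.0.0/0", "tcp", [80, 443], "proxy -> Internet"),
]
# Egress as described: DNS to corporate resolvers, web only via the proxy, nothing else.
GOOD_EGRESS = [
    R("ALLOW", INTERNAL, DNS, "udp", [53], "corporate DNS only"),
    R("ALLOW", INTERNAL, PROXY, "tcp", [3128], "clients -> web proxy"),
    R("ALLOW", PROXY, "0.0.0.0/0", "tcp", [80, 443], "only the proxy talks HTTP/HTTPS out"),
]


def evaluate(rules, src, dst, proto, dport):
    """First-match evaluation; a flow matching no rule hits the implicit final DENY."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in r.src and d in r.dst and r.proto in ("any", proto)
                and (not r.ports or dport in r.ports)):
            return r.action
    return "DENY"


def covers(outer, inner):
    """True when every flow matched by `inner` would already have matched `outer`."""
    return (inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)
            and outer.proto in ("any", inner.proto)
            and (not outer.ports or bool(inner.ports and inner.ports <= outer.ports)))


def audit(rules):
    """Flag allow-all rules (any destination, any protocol, any port) and rules that an
    earlier rule fully shadows, so they can never match and are likely stale or wrong."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "ALLOW" and r.dst.prefixlen == 0 and r.proto == "any" and not r.ports:
            findings.append(f"rule {i}: allow-all egress ({r.comment or 'no comment'})")
        for j in range(i):
            if covers(rules[j], r):
                findings.append(f"rule {i} is shadowed by rule {j} and can never match")
                break
    return findings


if __name__ == "__main__":
    print(evaluate(DMZ_TO_INTERNAL, APP, DB, "tcp", 5432))          # ALLOW
    print(evaluate(DMZ_TO_INTERNAL, APP, "10.10.99.1", "tcp", 22))  # DENY (management VLAN)
    print(evaluate(BAD_EGRESS, "10.10.5.5", "203.0.113.7", "tcp", 4444))   # ALLOW: C2 gets out
    print(evaluate(GOOD_EGRESS, "10.10.5.5", "203.0.113.7", "tcp", 4444))  # DENY
    for line in audit(BAD_EGRESS):
        print(line)
```

Running the audit over BAD_EGRESS reports the allow-all rule and marks the three rules beneath it as unreachable, which is exactly what a periodic rule review should surface; the same pass over DMZ_TO_INTERNAL and GOOD_EGRESS returns nothing.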