What is a Firewall?

A firewall monitors and controls incoming and outgoing network traffic based on security rules. Learn how your router's built-in firewall works, what SPI means, and the difference between hardware and software firewalls.


A firewall is a network security system that monitors incoming and outgoing traffic and applies a set of rules to decide what passes through and what gets blocked. The concept dates back to the late 1980s, when the first network firewalls were developed in response to growing internet security threats. Today virtually every home router has a firewall built in, shielding all connected devices from unsolicited inbound connections.

The name comes from the physical firewall in a building: a barrier designed to prevent fire from spreading. A network firewall serves the same purpose for data. It sits at the boundary between a trusted internal network and an untrusted external network (the internet), preventing malicious traffic from reaching your devices.

How Your Router Firewall Works

Your router provides the first line of defence for your home network. The firewall functionality is built into the router’s firmware and operates continuously without any input from you. By default, the router blocks all unsolicited incoming connections and only allows responses to requests that your devices initiated.

This default behaviour relies on NAT (Network Address Translation). Every device on your LAN uses a private IP address (for example in the 192.168.0.0/16 range) that is not routable on the public internet, so external hosts have no address at which to reach your laptop, phone, or smart TV directly. The router keeps a translation table of the connections your devices open and only forwards incoming traffic that matches an entry in that table.

NAT provides a solid baseline of protection as a side effect of address translation, but it is not technically a firewall, and it only applies to IPv4: if your ISP provides IPv6, each device gets a globally routable address and it is the router's IPv6 firewall rules, not NAT, that block unsolicited inbound traffic. True firewall functionality comes from packet filtering rules that the router applies on top of NAT. These rules examine packet headers and decide whether to allow, drop, or reject each packet based on criteria such as source address, destination port, and protocol.

Most router admin panels have a firewall or security section where you can adjust these settings. Common options include enabling or disabling the firewall entirely, blocking specific ports, setting up access control lists, and enabling DMZ (Demilitarized Zone) mode for a specific device.

Stateful Packet Inspection (SPI)

SPI (Stateful Packet Inspection) is the firewall technology built into most modern routers. It goes beyond simple packet filtering by keeping track of the state of every active network connection.

A simple packet filter examines each packet in isolation. It checks the source, destination, and port number against a static list of rules. This approach has a weakness: it cannot tell the difference between a legitimate response to a request you made and a crafted packet designed to look like one. To let replies through at all, a stateless filter has to allow any inbound TCP packet with the ACK flag set, and an attacker's crafted ACK packets satisfy that rule just as well as real replies do.

SPI solves this by maintaining a state table. When your computer sends a request to a web server, the SPI firewall records the connection details: protocol, source IP and port, destination IP and port, and for TCP the connection state and expected sequence numbers. When a response packet arrives, the firewall checks it against the state table. If the packet matches an active connection, it passes through. If it does not match any known connection, it gets dropped. Entries are removed when the connection closes or times out, so the opening for replies closes again by itself.

This connection-tracking approach blocks a wide range of unwanted traffic. Port scans, unsolicited probes, and spoofed packets are all dropped because they do not correspond to any entry in the state table; a spoofed packet only gets through if the attacker guesses the complete tuple of an active connection, including the ephemeral source port your device chose. SPI provides strong protection with minimal configuration required from the user.
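The state-table logic described above, as an added example written for this article (not code from any router firmware). It tracks connections a LAN host opens as 5-tuples and admits inbound packets only when they reverse-match an entry, then contrasts that with a stateless ACK-based filter. All addresses and ports are made up, and the NAT port translation a real router would also record is left out to keep the state check visible.

```python
"""Toy stateful packet inspection (SPI) engine.

Constructed example for this article, not code from any router firmware.
The LAN addresses, remote addresses and ports below are made up. A real
router also records the NAT-translated public port in the same table
entry; that translation is omitted so the state logic stays visible.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # TCP SYN flag set: a new connection attempt
    ack: bool = False   # TCP ACK flag set: looks like part of an existing flow


class StatefulFirewall:
    """Allows inbound packets only if they belong to a connection a LAN host opened."""

    def __init__(self):
        # Each entry is the 5-tuple of a connection initiated from the LAN:
        # (proto, lan_ip, lan_port, remote_ip, remote_port)
        self.state = set()

    def outbound(self, pkt: Packet) -> str:
        # Outbound is allowed by default; the tuple is recorded so that exactly
        # one remote endpoint may answer on exactly one LAN port.
        self.state.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return "ALLOW"

    def inbound(self, pkt: Packet) -> str:
        # Reverse the tuple: the reply's destination must be our host and port,
        # and its source must be the remote endpoint we actually contacted.
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "ALLOW" if key in self.state else "DROP"


def stateless_inbound(pkt: Packet) -> str:
    """The weakness of a stateless filter: to let replies through it must allow
    any TCP packet with ACK set (replies always carry ACK), so a crafted ACK
    from an attacker matches the rule too."""
    if pkt.proto == "tcp" and pkt.ack and not pkt.syn:
        return "ALLOW"
    return "DROP"


def demo() -> dict:
    fw = StatefulFirewall()
    lan, web, attacker = "192.168.1.10", "93.184.216.34", "203.0.113.7"

    # LAN host opens a TLS connection to the web server from ephemeral port 51234
    fw.outbound(Packet("tcp", lan, 51234, web, 443, syn=True))

    return {
        # genuine reply: the server answers from 443 to the port we used
        "real_reply": fw.inbound(Packet("tcp", web, 443, lan, 51234, ack=True)),
        # unsolicited probe: nobody on the LAN talked to the attacker
        "probe_ssh": fw.inbound(Packet("tcp", attacker, 40000, lan, 22, syn=True)),
        # crafted "reply": right server and port 443, but a LAN port we never used
        "crafted_port": fw.inbound(Packet("tcp", web, 443, lan, 51235, ack=True)),
        # crafted "reply": right ports, but sent from an address we never contacted
        "crafted_src": fw.inbound(Packet("tcp", attacker, 443, lan, 51234, ack=True)),
        # the same crafted packet passes a stateless ACK filter
        "crafted_stateless": stateless_inbound(Packet("tcp", attacker, 443, lan, 51234, ack=True)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

The only way past this table is to forge a packet whose full tuple matches a live entry, which means guessing the LAN host's ephemeral port and forging the remote server's address; a real SPI implementation adds TCP sequence-number checks and timeouts on top of this tuple match.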

Packet Filtering Basics

Packet filtering is the simplest form of firewalling and the foundation on which more advanced techniques build. Every firewall, including SPI firewalls, uses packet filtering rules at its core.

A packet filter inspects the header of each network packet and compares it against a set of rules. The header contains information such as the source IP address, destination IP address, protocol (TCP, UDP, ICMP), and port numbers. Based on these fields, the firewall applies one of three actions: allow the packet through, drop it silently, or reject it, sending an error (an ICMP unreachable message or a TCP reset) back to the sender.

Rules are processed in order, from top to bottom. The first rule that matches a packet determines its fate. At the end of the rule list, a default policy applies to any packet that did not match a specific rule. Most firewalls use a “default deny” policy for incoming traffic (block everything unless a rule says otherwise) and a “default allow” policy for outgoing traffic (allow everything unless a rule says otherwise).

Port forwarding is an example of adding an allow rule to the firewall. When you set up port forwarding on your router, you are telling the firewall to let incoming traffic on a specific port through to a specific device on the LAN. This is why port forwarding can be a security risk if misconfigured: you are punching a hole in the firewall, and the forwarded service is now reachable by anyone on the internet, so it must be kept patched and protected by its own authentication.
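The first-match rule walk with a default policy, as an added example written for this article (not code from any router). It evaluates an inbound rule list that contains an anti-spoofing drop, a port-forward allow and a reject rule, and shows that rule order decides the outcome: moving the anti-spoof rule below the port forward lets a packet with a forged LAN source reach the forwarded service. The LAN range, the game server at 192.168.1.20 and the TCP port 25565 forward are assumptions made for the example.

```python
"""First-match packet filter with default policies.

Constructed example for this article, not code from any router. The rules,
addresses and ports are made up: 192.168.1.0/24 is the LAN and 192.168.1.20
is a game server reached through a port forward on TCP 25565.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow", "drop" (silent) or "reject" (send error)
    proto: str = "any"
    src: str = "0.0.0.0/0"       # CIDR; 0.0.0.0/0 matches every address
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches every destination port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (
            self.proto in ("any", pkt.proto)
            and ip_address(pkt.src_ip) in ip_network(self.src)
            and ip_address(pkt.dst_ip) in ip_network(self.dst)
            and (self.dport is None or self.dport == pkt.dst_port)
        )


def evaluate(rules, pkt: Packet, default: str) -> tuple:
    """Walk the list top to bottom; the first matching rule decides.
    A packet that matches nothing falls through to the default policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return default, "default policy"


# Inbound (WAN -> LAN) rule list, default deny. Order matters: the anti-spoof
# drop sits above the port forward so that a packet arriving from the internet
# with a forged LAN source address can never reach the forwarded service.
INBOUND_RULES = [
    Rule("drop", src="192.168.1.0/24", comment="anti-spoof: LAN address seen on WAN side"),
    Rule("allow", proto="tcp", dst="192.168.1.20/32", dport=25565,
         comment="port forward: game server"),
    Rule("reject", proto="tcp", dport=113, comment="ident: reject so clients fail fast"),
]
INBOUND_DEFAULT = "drop"      # everything else from the internet is silently dropped
OUTBOUND_DEFAULT = "allow"    # LAN -> WAN has no rules here, so everything is allowed


def check_inbound(pkt: Packet, rules=INBOUND_RULES) -> str:
    return evaluate(rules, pkt, INBOUND_DEFAULT)[0]


def demo() -> dict:
    forwarded = Packet("tcp", "203.0.113.7", "192.168.1.20", 25565)
    spoofed = Packet("tcp", "192.168.1.5", "192.168.1.20", 25565)   # forged LAN source
    return {
        "forwarded": check_inbound(forwarded),                                          # allow: the explicit hole
        "ssh_probe": check_inbound(Packet("tcp", "203.0.113.7", "192.168.1.20", 22)),   # drop: default policy
        "ident": check_inbound(Packet("tcp", "203.0.113.7", "192.168.1.10", 113)),      # reject: explicit rule
        "spoofed": check_inbound(spoofed),                                              # drop: anti-spoof matches first
        # Same rules with the anti-spoof rule rotated to the bottom: the port
        # forward now matches first and the spoofed packet is allowed through.
        "spoofed_bad_order": check_inbound(spoofed, INBOUND_RULES[1:] + INBOUND_RULES[:1]),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

A DMZ setting in this model is simply a forward rule with `dport=None` for one host: every inbound port that nothing above it claims lands on that device, which is why it should be a last resort.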

Software vs Hardware Firewalls

Firewalls come in two forms, and a well-protected network uses both.

A hardware firewall is a dedicated device (or a built-in feature of a device like your router) that filters traffic for an entire network. Your router's firewall protects every device connected to it, and the filtering happens before traffic reaches any individual device. Hardware firewalls are always on, operate independently of any computer's operating system, and cannot be switched off by malware running on a local machine. They can still be opened from inside, though: a compromised device can request a port mapping through UPnP or log in to the admin panel with a default password, which is why it is worth disabling UPnP when you do not need it and changing the router's admin password.

A software firewall runs as a program on an individual computer or device. Windows Firewall, macOS Application Firewall, and Linux iptables/nftables are all software firewalls. They protect only the device they are installed on. Software firewalls can control traffic at the application level, something hardware firewalls typically cannot do. For example, Windows Firewall can block a specific program from accessing the internet while allowing all others.

The two types complement each other. The router hardware firewall blocks threats from the internet before they reach any device. The software firewall on your computer blocks threats that originate inside the LAN, such as an infected smart TV probing other devices, and can also stop a rogue application on that computer from phoning home.

Disabling either firewall weakens your security posture. Keep both enabled at all times unless you have a specific, temporary reason to disable one for troubleshooting.

When to Adjust Firewall Settings

Most home users never need to touch their router’s firewall settings. The defaults are sensible: block inbound, allow outbound, use SPI. However, certain situations require adjustments.

Port forwarding is the most common reason to modify firewall rules. If you host a game server, run a security camera accessible from outside your network, or use remote desktop software, you need to open specific ports in the firewall and direct that traffic to the correct device on your LAN. Expose as little as possible: remote desktop in particular is safer reached through a VPN than by forwarding its port to the internet.

VPN passthrough may need to be enabled if you use a VPN client on a device behind the router. IPsec (ESP) and PPTP (GRE) carry no port numbers for NAT to track, so some older routers cannot pass them without special handling. Look for a VPN passthrough option in the firewall settings if your VPN connection fails.

DMZ mode places one device completely outside the firewall’s protection. All incoming traffic from the internet is forwarded to the DMZ device. This is sometimes used for game consoles or servers that need unrestricted inbound access. It is a significant security risk and should only be used when port forwarding cannot accomplish the same goal.

Application-level gateways (ALG) help certain protocols like SIP (used for VoIP), FTP, and H.323 work through NAT by rewriting the addresses embedded inside the protocol's messages. If your VoIP phone has one-way audio or FTP transfers fail, toggling the relevant ALG in the firewall settings often resolves the issue. Try it both ways: poorly implemented SIP ALGs are themselves a common cause of one-way audio, and many VoIP providers recommend disabling SIP ALG.

Firewall Limitations

A firewall is essential but not sufficient. Router firewalls protect the network perimeter, but they cannot inspect encrypted traffic, detect malware inside allowed connections, or prevent users from visiting malicious websites.

If you click a phishing link and enter your password, the firewall did its job perfectly: it allowed the outbound connection you initiated. The firewall cannot judge the content of your decisions. Similarly, if malware arrives inside an encrypted HTTPS connection, the router firewall cannot see it.

This is why firewalls are one layer in a broader security strategy that includes strong passwords, updated firmware, endpoint security software, and good browsing habits. No single defence handles every threat.

Frequently Asked Questions

Does my router have a firewall?

Yes. Virtually every consumer router has a built-in firewall enabled by default. It uses NAT (Network Address Translation) as a basic barrier and typically includes SPI (Stateful Packet Inspection) for more advanced filtering. Check your router admin panel under the security or firewall section to verify it is active.

Should I turn off my router firewall?

No. Disabling the router firewall exposes every device on your network to incoming connections from the internet. The only legitimate reason to temporarily disable it is during specific troubleshooting when you suspect the firewall is incorrectly blocking traffic. Re-enable it immediately afterward.

Do I need a software firewall if my router has one?

Yes, they serve different purposes. The router firewall protects the boundary between your network and the internet. A software firewall on your computer protects that specific device from threats originating inside the LAN, such as an infected device on the same network, and can block individual programs from connecting out. Windows Firewall and the macOS Application Firewall provide this local protection.

What is SPI on a router?

SPI stands for Stateful Packet Inspection. It means the firewall tracks the state of active network connections and uses this context to decide whether incoming packets are legitimate responses to requests your devices made, or unsolicited traffic that should be blocked. SPI is smarter and more secure than simple packet filtering.

Can a firewall slow down my internet?

In practice, no. Modern router processors handle SPI firewall duties with negligible performance impact, and you are unlikely to measure any difference in a speed test. Enterprise-grade firewalls performing deep packet inspection on very high-bandwidth connections can introduce minor latency, but that does not apply to a home router's SPI firewall.