IT · Security · Tech Commentary
Firewalls & ACLs
Stateful vs stateless, packet filtering, application-layer inspection, and how access control lists actually work — including the rules that catch people out.
Generation 1
Packet Filter (Stateless)
Operates at L3 / L4

The earliest firewall type. Inspects each packet in isolation: source IP, destination IP, source port, destination port, protocol and, for TCP, the flag bits. There is no memory between packets; each is evaluated independently on its own merits. Rules translate directly to: "allow TCP from 10.0.0.0/8 to any port 443." Fast and deterministic. The core of Cisco ACLs and basic iptables rules. Limitation: it can't distinguish a new connection attempt from traffic belonging to an already-established session, so return traffic has to be let in by a separate rule such as "permit TCP from any port 443 to 10.0.0.0/8 ports 1024-65535". That rule widens the attack surface: the sender chooses its own source port, so an attacker who sends from port 443 to an internal host on port 3389 matches it exactly as a real reply would. Cisco's `established` keyword narrows this by matching only packets with the ACK or RST bit set, but flags are set by the sender too, so it is a heuristic rather than state tracking.

Generation 2
Stateful Inspection Firewall
Operates at L3 / L4 + State Table

Tracks the state of network connections in a state table. A packet is categorized as NEW (new connection), ESTABLISHED (part of a tracked session), or RELATED (associated with a tracked session, e.g. the FTP data channel). This allows a rule like "permit ESTABLISHED, RELATED" to allow return traffic without opening arbitrary inbound ports. UDP and ICMP have no handshake, so the tracker gives them pseudo-state on timers: a reply counts as ESTABLISHED only because the outbound packet was seen recently. Packets that belong to no tracked flow and don't validly start one are INVALID; drop them explicitly rather than letting them fall through to a later permit. The state table is what most people mean when they say "firewall." Standard on enterprise perimeter devices (Cisco ASA, pfSense, Windows Firewall with Advanced Security). Limitations: it trusts anything that looks like an established session, so if an attacker can piggyback on an established connection the firewall doesn't see a problem; and the table is finite, so a flood of half-open connections that fills it is a denial-of-service vector in its own right.

Generation 3
Application Layer Firewall / WAF
Operates at L7

Understands the content of traffic, not just the headers. Parses HTTP, FTP, DNS, SMTP, and other application protocols. Can detect SQL injection in a URL parameter, an HTTP verb that doesn't belong, a malformed Content-Type header, or data exfiltration disguised as DNS queries. Web Application Firewalls (WAFs) are a specialized form: they sit in front of web apps and enforce application-specific rules. ModSecurity (open source), AWS WAF, Cloudflare WAF, Imperva. Limitation: computationally expensive; encrypted traffic (TLS) must be decrypted for inspection, which requires certificate interception and introduces its own risks.

Generation 4
Next-Generation Firewall (NGFW)
Operates at L3–L7 + Identity + Intelligence

Combines all prior generations plus: integrated IDS/IPS (intrusion detection and prevention), deep packet inspection (DPI), application identification (can identify an application even if it's on an unexpected port or encrypted), user and group identity awareness (integrates with Active Directory), URL filtering with categorization, SSL/TLS inspection, and threat intelligence feeds. Can block Dropbox uploads specifically without blocking all HTTPS. Palo Alto Networks, Fortinet FortiGate, Cisco Firepower. The modern enterprise standard. Limitation: the complexity of configuration is directly proportional to the chance of a misconfiguration creating a gap.

Top-Down, First Match Wins

Rules are evaluated from the top down. The first rule that matches a packet terminates evaluation; subsequent rules are not checked. This means rule order is everything. A broad PERMIT any at the top of the list will match every packet before any specific DENY rules below it can fire. Always put specific rules before general ones. Two platform caveats worth knowing: on iptables the LOG target is non-terminating, so a LOG rule is followed by the DROP or ACCEPT that actually decides; and OpenBSD pf evaluates the whole ruleset with the last match winning unless a rule is marked `quick`, which inverts the ordering logic described here.

Implicit Deny All

Most ACL implementations have an invisible DENY all at the bottom. If no rule matches, the packet is dropped. This is fail-closed behavior, the safe default. Cisco ACLs behave this way without any rule being written, which is why a one-line ACL containing a single permit still blocks everything else. iptables is the notable exception: a built-in chain's default policy is ACCEPT until you set it to DROP or append an explicit drop rule, so a chain with no final drop is fail-open. Either way the rule of thumb holds: if you forget to permit something, it stops working and someone tells you; if you forget to deny something, it keeps working and nobody tells you.

Direction Matters

ACLs are applied to an interface in a direction: inbound (traffic arriving at the interface) or outbound (traffic leaving). A rule blocking port 22 inbound on a WAN interface blocks SSH from the internet. The same rule inbound on a LAN interface blocks SSH from your internal users. Same rule, completely different effect. Always verify which interface and which direction.

# Example ACL — rule order matters (pseudo-syntax; "port" is the destination port)
PERMIT TCP src 203.0.113.5/32 dst 10.0.0.10/32 port 443 # specific allowed host
DENY   TCP src any            dst 10.0.0.10/32 port 443 # block all others (also matches 10.0.0.0/8: it sits above the egress permit)
PERMIT TCP src 10.0.0.0/8     dst any          port 80  # internal HTTP egress
PERMIT TCP src 10.0.0.0/8     dst any          port 443 # internal HTTPS egress (never reached for dst 10.0.0.10)
DENY   ANY src any            dst any                   # explicit deny all, mirroring the implicit one
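The ordering and state behaviour above, as an added example that is not part of the original page: a small Python model of ACL evaluation. It evaluates the page's example ACL top-down with first match wins and an implicit deny, and then contrasts a stateless "return traffic" rule (from port 443 to any high port) with a connection-tracking state table. The `Packet`, `Rule`, `StatefulFirewall` names, the STATELESS_ACL and STATEFUL_ACL rule sets, and the sample packets are all constructed for this example; the state tracker ignores TCP flags and timeouts, which a real conntrack does not.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_PORT = (1, 65535)  # inclusive port range meaning "any port"

@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    proto: str = "any"       # "tcp", "udp", "icmp" or "any"
    src: str = "any"         # CIDR or "any"
    dst: str = "any"
    sport: tuple = ANY_PORT  # inclusive (low, high) source-port range
    dport: tuple = ANY_PORT  # inclusive (low, high) destination-port range
    state: str = "any"       # "any", "new" or "established" (stateful variant only)
    comment: str = ""

    def matches(self, pkt, state):
        return (self.proto in ("any", pkt.proto)
                and in_net(pkt.src, self.src) and in_net(pkt.dst, self.dst)
                and self.sport[0] <= pkt.sport <= self.sport[1]
                and self.dport[0] <= pkt.dport <= self.dport[1]
                and self.state in ("any", state))

def in_net(addr, net):
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)

def evaluate(rules, pkt, state="new"):
    """Top-down, first match terminates. No match: implicit deny, rule index None."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt, state):
            return rule.action, i
    return "deny", None

class StatefulFirewall:
    """Minimal tracker: a flow permitted as NEW is remembered, and later packets
    in either direction of that flow are evaluated as ESTABLISHED."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.table = set()  # 5-tuples of permitted flows (no timeouts in this model)

    def process(self, pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = "established" if (fwd in self.table or rev in self.table) else "new"
        action, idx = evaluate(self.rules, pkt, state)
        if action == "permit" and state == "new":
            self.table.add(fwd)
        return action, state, idx

# The page's example ACL, in its printed order.
PAGE_ACL = [
    Rule("permit", "tcp", "203.0.113.5/32", "10.0.0.10/32", dport=(443, 443), comment="specific allowed host"),
    Rule("deny", "tcp", "any", "10.0.0.10/32", dport=(443, 443), comment="block all others"),
    Rule("permit", "tcp", "10.0.0.0/8", "any", dport=(80, 80), comment="internal HTTP egress"),
    Rule("permit", "tcp", "10.0.0.0/8", "any", dport=(443, 443), comment="internal HTTPS egress"),
]
# Stateless attempt at return traffic, "from port 443 to any high port" (constructed).
STATELESS_ACL = [
    Rule("permit", "tcp", "10.0.0.0/8", "any", dport=(443, 443), comment="egress HTTPS"),
    Rule("permit", "tcp", "any", "10.0.0.0/8", sport=(443, 443), dport=(1024, 65535), comment="return traffic?"),
]
# Stateful equivalent: replies are admitted by state, not by a port guess (constructed).
STATEFUL_ACL = [
    Rule("permit", state="established", comment="replies to tracked flows"),
    Rule("permit", "tcp", "10.0.0.0/8", "any", dport=(443, 443), state="new", comment="egress HTTPS"),
]

def demo():
    r = {}
    # Order: an internal client hits rule 1 (deny) before rule 3 could permit it.
    r["internal_to_10.0.0.10"] = evaluate(PAGE_ACL, Packet("tcp", "10.0.0.5", 51000, "10.0.0.10", 443))
    r["allowed_host"] = evaluate(PAGE_ACL, Packet("tcp", "203.0.113.5", 51000, "10.0.0.10", 443))
    r["ssh_egress"] = evaluate(PAGE_ACL, Packet("tcp", "10.0.0.5", 51000, "198.51.100.7", 22))
    # Stateless hole: the attacker simply sends from source port 443.
    attack = Packet("tcp", "198.51.100.9", 443, "10.0.0.5", 3389)
    r["stateless_attacker"] = evaluate(STATELESS_ACL, attack)
    # Stateful: the reply to a tracked outbound flow passes; the attacker's packet has no flow.
    fw = StatefulFirewall(STATEFUL_ACL)
    fw.process(Packet("tcp", "10.0.0.5", 51000, "203.0.113.5", 443))  # outbound SYN, NEW
    r["stateful_reply"] = fw.process(Packet("tcp", "203.0.113.5", 443, "10.0.0.5", 51000))
    r["stateful_attacker"] = fw.process(attack)
    return r

if __name__ == "__main__":
    for name, res in demo().items():
        print(f"{name:24} {res}")
```

Running `demo()` shows the internal client denied by rule index 1 even though rule index 3 would permit it, the SSH attempt denied with index None (the implicit deny), the attacker's port-443-sourced packet permitted by the stateless ruleset, and the same packet denied as NEW by the stateful one while the genuine reply is admitted as ESTABLISHED.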
ACL rule fields (field, description, example values)

Action
What to do when this rule matches. PERMIT (ACCEPT on iptables) allows the traffic. DENY / DROP silently discards it. REJECT discards it and sends an ICMP unreachable (or a TCP RST) back to the sender: friendlier to your own clients, which fail fast instead of timing out, but it confirms to an outside sender that something is answering, so DROP is the usual choice on untrusted interfaces. LOG records a match; on iptables it is non-terminating, so it is paired with the DROP or ACCEPT rule that actually enforces.
Example values: PERMIT / ACCEPT · DENY / DROP · REJECT · LOG

Source IP
The origin address or range. Use the most specific range possible; "any" is the broadest and least secure. Cisco IOS ACLs use wildcard masks instead of CIDR prefix lengths (10.0.0.0 0.255.255.255 is 10.0.0.0/8).
Example values: 10.0.0.0/8 · host 192.168.1.5 · any

Destination IP
Where the traffic is going. In egress rules this is usually an external range; in ingress rules it's usually an internal server.
Example values: 203.0.113.0/24 · host 10.0.0.10 · any

Protocol
The IP protocol, by name or number. TCP for connection-oriented traffic, UDP for connectionless, ICMP for ping/traceroute. "IP" or "any" matches all protocols.
Example values: TCP (6) · UDP (17) · ICMP (1) · any

Source Port
For TCP/UDP: the sending port. Clients pick an ephemeral source port (above 1023; modern Linux defaults to 32768-60999), so in practice this field is matched with "any". The caveat that matters: the sender chooses it, so a rule that admits traffic because it arrives from port 53 or 443 is satisfied by an attacker at will. Never let the source port be the only thing that admits a packet; on a stateful firewall, match return traffic by state instead.
Example values: any · 1024:65535 · eq 22

Destination Port
The target service port. The most specific and useful field for access control. Use named ports where supported for readability.
Example values: 443 (HTTPS) · 22 (SSH) · 3389 (RDP) · 53 (DNS)

State
Stateful firewalls only. Whether to match on connection-tracking state. ESTABLISHED/RELATED allows return traffic for outbound connections without opening inbound ports; NEW restricts a permit to the first packet of a flow; INVALID marks packets that belong to no flow and should be dropped explicitly.
Example values: NEW · ESTABLISHED · RELATED · INVALID

Log
Whether to generate a log entry when this rule matches. Critical for DENY rules: you want visibility into what's being blocked. Integrate with a SIEM for alerting.
Example values: log · log-input (includes interface) · none
Best Practice Rules
Default Deny

Start with DENY ALL. Then open only what you need, explicitly and deliberately. This is fail-closed: anything not explicitly permitted is blocked. The alternative — start open and add restrictions — is how misconfigurations happen. Every PERMIT rule you add should be a conscious decision with a documented justification.

Least Privilege

Open only the specific ports, protocols, and source IPs required. Don't permit 0.0.0.0/0 to port 443 if only Cloudflare IPs should reach your web server. Don't permit a management subnet to all internal hosts if it only needs to reach specific servers. Every extra permission is attack surface you're not using and someone else might.

Egress Filtering

Most organizations filter inbound traffic rigorously and largely ignore outbound. Egress filtering stops data exfiltration, C2 callbacks, DNS tunneling, and outbound scanning. Your web servers should not need to initiate outbound connections to random IPs on random ports. Define what your servers legitimately need to reach — and deny everything else outbound. The short list will surprise you.

Log Denied Traffic

Silent drops are invisible. Log at minimum all inbound DENY hits and ship to a SIEM. A spike in denied traffic from a single external IP is a port scan. A burst of denied outbound connections from an internal server is a compromise trying to call home. Denied RDP attempts from the internet are background noise until they're not. You can't detect what you don't log.
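The two patterns described above, as an added example that is not part of the original page: detection logic run over constructed iptables-style deny log lines. The `FW-DENY-IN:` and `FW-DENY-OUT:` prefixes are an assumed `--log-prefix` convention (one per direction), the log lines are made up for this example, and the thresholds (five distinct ports, five denied outbound attempts) are illustrative rather than tuned for any real network.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Field layout of the iptables LOG target. The FW-DENY-IN / FW-DENY-OUT prefixes
# are an assumed --log-prefix convention, one per direction.
LINE_RE = re.compile(
    r"FW-DENY-(?P<dir>IN|OUT):.*?SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)"
    r"(?:.*?SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+))?"
)

# Constructed sample log: one scanner, one stray RDP probe, one ICMP probe,
# one harmless NTP miss, and one internal server beaconing to a blocked address.
SAMPLE_LOG = [
    f"Mar 12 03:14:0{i} fw1 kernel: FW-DENY-IN: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 "
    f"LEN=44 PROTO=TCP SPT=45012 DPT={p} SYN"
    for i, p in enumerate((22, 23, 80, 443, 445, 3389, 8080))
] + [
    "Mar 12 03:14:09 fw1 kernel: FW-DENY-IN: IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.10 LEN=44 PROTO=TCP SPT=51000 DPT=3389 SYN",
    "Mar 12 03:15:00 fw1 kernel: FW-DENY-IN: IN=eth0 OUT= SRC=198.51.100.80 DST=203.0.113.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0",
    "Mar 12 03:20:05 fw1 kernel: FW-DENY-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.20 DST=192.0.2.9 LEN=76 PROTO=UDP SPT=123 DPT=123",
] + [
    f"Mar 12 03:2{i}:11 fw1 kernel: FW-DENY-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.10 DST=192.0.2.55 "
    f"LEN=60 PROTO=TCP SPT=4000{i} DPT=4444 SYN"
    for i in range(6)
]

def parse(line):
    """Return the deny event's fields, or None for lines that are not deny logs."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dpt"] = int(ev["dpt"]) if ev["dpt"] else None  # ICMP has no ports
    return ev

def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL)

def analyse(lines, scan_ports=5, beacon_min=5):
    """Two detections over denied traffic:
    port_scan: one external source denied on >= scan_ports distinct inbound ports;
    outbound_denied_burst: an internal host denied >= beacon_min outbound connections."""
    inbound_ports = defaultdict(set)
    outbound = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["dir"] == "IN" and not is_internal(ev["src"]):
            inbound_ports[ev["src"]].add(ev["dpt"])
        elif ev["dir"] == "OUT" and is_internal(ev["src"]):
            outbound[ev["src"]].append((ev["dst"], ev["dpt"]))
    alerts = []
    for src, ports in inbound_ports.items():
        if len(ports) >= scan_ports:
            alerts.append(("port_scan", src, sorted(ports)))
    for src, targets in outbound.items():
        if len(targets) >= beacon_min:
            alerts.append(("outbound_denied_burst", src, sorted(set(targets))))
    return alerts

if __name__ == "__main__":
    for kind, src, detail in analyse(SAMPLE_LOG):
        print(f"{kind:24} {src:16} {detail}")
```

On the sample log this raises exactly two alerts: the scanner at 198.51.100.23 (seven distinct ports) and the internal server 10.0.0.10 repeatedly denied on its way to 192.0.2.55:4444. The single RDP probe, the ICMP probe and the one NTP miss stay below threshold, which is the point: a SIEM correlation rule, not a single deny line, separates background noise from the event you need to act on.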

Review and Audit Regularly

Firewall rules accumulate over time. Someone opened port 3389 for a contractor three years ago and nobody ever closed it. A rule permitting a decommissioned server's IP range is now allowing a different host that got that IP in DHCP. Schedule quarterly ACL reviews. Remove rules for decommissioned services. Document every rule with a ticket number, date, and owner. If you can't justify a rule, it should be gone.