Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter I - Foundation / 03. Networking / 08. Firewall

Firewall

Firewalls are one of the most important security technologies in modern networks.


What Is A Firewall?

A firewall is a system that controls network traffic (not to be mistaken with IDS/IPS which will be covered in Blue Teaming classes).

Its job is simple:

Allow Traffic

or

Block Traffic

based on defined rules.

Visualized:

Traffic
    │
    ▼
Firewall
    │
 ┌──┴──┐
 │     │

Allow Block

Why Firewalls Exist

Without a firewall:

Internet
    │
    ▼
Internal Network

Every system could potentially communicate freely.

With a firewall:

Internet
    │
    ▼
Firewall
    │
    ▼
Internal Network

Traffic must satisfy rules before it is permitted.


Basic Example

Suppose a web server hosts a website.

We may allow:

TCP/443
HTTPS

but block:

RDP
SMB
SQL

Visualized:

Internet
     │
     ▼

Firewall

     │

Allowed:
TCP/443

Blocked:
TCP/3389
TCP/445
TCP/1433

Firewall Rules

Rules usually contain conditions such as:

Source
Destination
Protocol
Port
Action

Example:

Allow

Source: Any

Destination: Web Server

Protocol: TCP

Port: 443

Direction

Firewalls often filter:

Inbound Traffic

and

Outbound Traffic

Inbound:

Internet
    ▼
Internal Host

Outbound:

Internal Host
    ▼
Internet

Host Firewalls

Firewalls do not have to be dedicated appliances.

Modern operating systems include built-in firewalls.

Examples:

Windows:

Windows Defender Firewall

Linux:

iptables
nftables
ufw
firewalld

Network Firewalls

Many organizations deploy dedicated Firewall appliances.

Example:

Internet
     │
     ▼

Firewall Appliance

     │
     ▼

Internal Network

Examples:

Palo Alto
Fortinet
Cisco
Check Point
pfSense
OPNsense

These devices often protect entire networks.


Firewalls And Segmentation

Firewalls are frequently used to separate network segments.

Example:

Workstations
    │
    ▼
Firewall
    │
    ▼
Servers

Rule:

Workstations
    ↓
Web Servers

Allowed
Workstations
    ↓
Domain Controllers

Blocked

This limits attacker movement.


Firewalls And DMZs

A DMZ typically relies on firewalls.

Example:

Internet
	│
	▼

Outer Firewall

	│
	▼

DMZ

    │
    ▼

Inner Firewall

    │
    ▼

Internal Network

Compromising a DMZ server does not automatically grant access to internal systems.

Additional firewall rules still exist.


Stateful Firewalls

Modern firewalls are usually:

Stateful

Meaning they track connections.

Example:

Client
     │
     ▼
HTTPS Request

The firewall remembers:

This connection is valid.

and allows the response traffic.


Without state tracking:

Every packet

would need individual evaluation.


Application-Aware Firewalls

Modern enterprise firewalls can inspect applications.

Examples:

HTTP
HTTPS
DNS
SSH
RDP

Instead of only:

IP Address
Port Number

they may evaluate:

Application
User
Content

as well.


Common Misconception

Many beginners assume:

Firewall
=
Complete Security

This is false.

Firewalls are one layer of defense.

They cannot:

  • Fix vulnerable software
  • Prevent stolen credentials
  • Stop every attack
  • Replace secure configuration

They simply control traffic.


Firewalls And Operators

One of the first questions after gaining access is:

What can I reach?

The answer is often determined by:

Firewall Rules

Examples:

Can I reach the Domain Controller?

Can I reach SQL?

Can I reach the Internet?

Can I reach another VLAN?

All may depend on firewall policy.

Operators frequently plan how to bypass Firewalls, usually through techniques in which they attempt to "blend in" with normal or already allowed traffic. This also depends on the application generating the traffic - for example "notepad.exe" generating outbound HTTPS traffic is an egregious red flag.


Operator Notes

Operators frequently plan how to bypass firewalls, usually through techniques that attempt to blend in with normal or already permitted traffic.

Whether traffic appears suspicious often depends on both the application generating it and the environment in which it is observed.

For example, a text editor such as Notepad generating outbound HTTPS traffic would be an egregious anomaly and would likely attract immediate attention.

For this reason, operators often consider not only:

  • Which traffic is allowed
  • Which ports are open

but also:

  • Which applications normally generate that traffic
  • What behavior defenders expect to observe
  • Whether the activity blends into the environment

Modern defenses frequently evaluate behavior and process context in addition to simple network rules.