Firewall Configuration

Knowing what a firewall does is one thing. Knowing how the traffic rules themselves are actually built and enforced is where the real skill lives.

The guest list: Access Control Lists

If a firewall is a bouncer at a club, an Access Control List (ACL) is the literal guest list they're checking against. It's a set of ordered rules that say, in effect, "allow this kind of traffic, deny that kind." Every firewall you'll ever configure runs on some version of this idea, whether it's expressed as a GUI checkbox in pfSense or a line of syntax in iptables.

This is also where two philosophies split: default allow (let everything through unless a rule specifically blocks it) versus default deny (block everything unless a rule specifically allows it). Security-minded configurations almost always favor default deny — it's much safer to have to explicitly permit something than to hope you remembered to block everything dangerous. Changing between these two philosophies on an existing system is sometimes called stance modification, and it's a big enough shift that it's rarely done casually.

Remembering the conversation: stateful firewalls

Here's a distinction that trips a lot of students up: a basic (stateless) packet filter just looks at each packet in isolation and checks it against the rule list. A stateful firewall is smarter — it tracks the state of an entire session (an ongoing conversation between two devices) so it can make decisions based on context. For example, it can allow a response packet through automatically because it recognizes that response as part of a conversation your own device started — without needing a separate rule for every possible reply.

This is the same reason you can browse a website without manually configuring a rule for every single request and response — the stateful firewall is quietly keeping track of the whole conversation for you.

One address, many devices: NAT

Network Address Translation (NAT) solves a very practical problem: the internet only gave your home or office a single public IP address, but you've got a phone, a laptop, a smart TV, and who knows what else all needing to get online. NAT works like an apartment building's mailroom — every unit inside has its own private address, but everything going out to the wider world shares the building's single public street address, with the mailroom keeping track of which package belongs to which apartment. That's exactly what your router is doing every time multiple devices in your house use the internet "at the same time."

Spreading the load: balancing and fair queuing

When one server can't handle all the traffic alone, load balancing spreads requests across multiple servers so no single one gets overwhelmed. One common method is round-robin, which simply cycles through the available servers in order — request one goes to server A, request two to server B, request three to server C, and back to A again. It's not the smartest possible strategy (it doesn't account for which server is currently busiest), but it's simple and effective for many situations.

A related idea, fair queuing, makes sure no single user or application can hog all of a network's bandwidth — everyone gets a fair proportional share, the same way a well-run checkout line makes sure one customer with an overflowing cart can't block everyone behind them indefinitely.

When rules get messy: overlap and MTU

Real-world firewall configurations often accumulate dozens or hundreds of rules over time, and overlap — when two rules apply to intersecting traffic ranges — can create confusing or even contradictory behavior: because the rules are ordered and the first match typically wins, a broad rule placed early can silently shadow a more specific rule placed later, so the later rule never fires for the traffic they share. Untangling overlapping rules is a genuinely common (and tedious) part of network administration.
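An added example, not part of the original guide, that ties together the three ideas above: an ordered ACL evaluated first-match with default deny, a stateful layer that records outbound sessions so replies need no rule of their own, and a check that reports which rules overlap (and whether the earlier rule contradicts the later one). The rule set, addresses and ports are constructed for illustration.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

Rule = namedtuple("Rule", "action src dst ports")  # src/dst are CIDRs; ports is an inclusive (low, high) range

# Constructed sample ACL, evaluated top to bottom: the first matching rule wins.
RULES = [
    Rule("deny",  "10.0.0.0/8",  "0.0.0.0/0", (23, 23)),     # no telnet from the LAN
    Rule("allow", "10.0.0.0/8",  "0.0.0.0/0", (80, 80)),     # web out for everyone
    Rule("allow", "10.1.0.0/16", "0.0.0.0/0", (1, 65535)),   # broad rule for one subnet
]

def matches(rule, src, dst, dport):
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.ports[0] <= dport <= rule.ports[1])

def evaluate(rules, src, dst, dport):
    """Return (action, index of the rule that fired); default deny when nothing matches."""
    for i, rule in enumerate(rules):
        if matches(rule, src, dst, dport):
            return rule.action, i
    return "deny", None

def overlapping(a, b):
    """True if at least one packet could match both rules."""
    return (ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))
            and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1])

def find_overlaps(rules):
    """(i, j, conflicting): rule i fires first for the shared traffic; conflicting
    means rule j would have decided the opposite, so it is partly dead."""
    return [(i, j, rules[i].action != rules[j].action)
            for i in range(len(rules)) for j in range(i + 1, len(rules))
            if overlapping(rules[i], rules[j])]

class StatefulFirewall:
    """Outbound packets consult the ACL; replies pass because the session was recorded."""
    def __init__(self, rules):
        self.rules, self.sessions = rules, set()
    def outbound(self, src, sport, dst, dport):
        action, _ = evaluate(self.rules, src, dst, dport)
        if action == "allow":
            self.sessions.add((src, sport, dst, dport))
        return action
    def inbound(self, src, sport, dst, dport):
        if (dst, dport, src, sport) in self.sessions:    # reverse of a known session
            return "allow (established)"
        return evaluate(self.rules, src, dst, dport)[0]  # unsolicited: ACL, default deny
```

Running `find_overlaps(RULES)` reports that rule 0 shadows part of rule 2 with the opposite decision (telnet from 10.1.0.0/16 is denied despite the broad allow), while rules 1 and 2 merely overlap with the same action.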

One more practical limit worth knowing: the Maximum Transmission Unit (MTU) is the largest packet size a network can carry without breaking it into smaller pieces (fragmentation). If a packet is too big for the network it's crossing, it either gets fragmented or dropped — which is why MTU mismatches are a classic, if unglamorous, cause of "why is this connection so slow" support tickets.
