This chapter covers firewall basics as required for CompTIA A+ 220-1101 Objective 2.4. Firewalls are a fundamental network security component that you must understand for the exam, as they appear in several questions about network security and configuration. You will learn what a firewall does, how it filters traffic, the difference between stateful and stateless inspection, and common firewall configurations. This knowledge is essential for identifying and troubleshooting network security issues on the job and for passing the certification exam.
Jump to a section
A firewall is like a highly trained bouncer at a nightclub that has a strict guest list. The bouncer does not know every person by face; instead, he only knows the rules written on his clipboard. When a car arrives (a packet), the bouncer checks the license plate (source IP address and port) and the passenger list (destination IP and port). If the car's details match an entry on the allowed list (allow rule), the bouncer opens the door and lets the car in. If the car does not match any rule, the bouncer denies entry and may even take a photo (log the event). But here is the key: the bouncer also keeps a separate list of people who left the club earlier (outbound connections). When a person who left comes back (return traffic for an outbound connection), the bouncer checks his 'returning guest' list (state table) and lets them in without checking the main guest list. This is stateful inspection. However, if a stranger shows up claiming to be a returning guest but is not on the returning list, the bouncer denies them. That is how a firewall distinguishes between legitimate responses and unsolicited inbound traffic. The bouncer never lets anyone in unless they are either on the permanent guest list (static rule) or are a known returning guest (stateful connection).
What is a Firewall and Why Does It Exist?
A firewall is a network security device or software that monitors and controls incoming and outgoing network traffic based on predetermined security rules. Its primary purpose is to establish a barrier between a trusted internal network and an untrusted external network, such as the internet. Firewalls exist because without them, any device on the internet could directly access any service on your network, leading to unauthorized access, data breaches, and malware infections. By filtering traffic, firewalls reduce the attack surface and enforce security policies.
How a Firewall Works Internally
A firewall operates by inspecting packets at one or more layers of the OSI model, typically Layer 3 (IP) and Layer 4 (TCP/UDP). Each packet is examined against a set of rules. The firewall extracts key fields from the packet header:
Source IP address
Destination IP address
Source port
Destination port
Protocol (TCP, UDP, ICMP, etc.)
Flags (e.g., SYN, ACK for TCP)
The firewall then compares this information to its rulebase. Rules are processed in order from top to bottom. The first matching rule determines the action: allow, deny, or reject. If no rule matches, the default action (usually deny) is applied. This is called "default deny" — any traffic not explicitly permitted is blocked.
Stateful vs. Stateless Firewalls
Stateless firewalls (packet filters) examine each packet independently without any memory of previous packets. They make decisions based solely on the current packet's headers. For example, a stateless rule might allow inbound traffic to port 80 (HTTP) from any source. However, it cannot distinguish between a legitimate HTTP response to an outbound request and an unsolicited HTTP connection attempt. This makes stateless firewalls vulnerable to spoofing and less efficient for complex policies.
Stateful firewalls maintain a state table (connection table) that tracks the state of active connections. When an internal host initiates an outbound TCP connection, the firewall creates an entry in the state table recording the source IP/port, destination IP/port, and connection state (e.g., SYN_SENT). When the return packet arrives (SYN-ACK), the firewall checks the state table: if it matches an existing entry and has the correct TCP flags, it is allowed through without checking the rulebase. This is much more secure because unsolicited inbound packets that do not correspond to an existing connection are dropped. Stateful firewalls also monitor the state of UDP and ICMP traffic by creating pseudo-state entries. For UDP, the firewall remembers that a packet was sent from an internal host and expects a response from the same external IP/port within a timeout (e.g., 30 seconds). For ICMP, it tracks echo requests and replies.
Key Components, Values, and Defaults
Rulebase: Ordered list of rules. Each rule has a source, destination, service (protocol/port), action, and logging option.
Default policy: Usually "deny all" for both inbound and outbound. Some firewalls default to "allow all" for outbound, but for security, it is best to restrict outbound as well.
State table: Contains entries with five-tuple (source IP, source port, destination IP, destination port, protocol) and connection state. Timers:
TCP established: typically 1 hour (3600 seconds) idle before removal.
TCP closing: 4 minutes (240 seconds) for FIN-WAIT or TIME-WAIT.
UDP: 30 seconds to 2 minutes depending on implementation.
ICMP: 10-30 seconds.
DMZ: A demilitarized zone is a separate network segment that hosts public-facing services (web, email). Firewalls allow inbound traffic from the internet to the DMZ but restrict traffic from the DMZ to the internal LAN.
Port forwarding: Maps an external port to an internal IP and port. For example, port 80 on the firewall's public IP forwards to 192.168.1.10:80. This is often used for hosting services behind a firewall.
Configuration and Verification Commands
On a Linux-based firewall using iptables (common for A+ knowledge):
# Allow inbound SSH from 192.168.1.0/24
iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
# Set default policy to drop
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Save rules
iptables-save > /etc/iptables/rules.v4On a Cisco router with ACL (Access Control List):
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 100 deny ip any any
interface GigabitEthernet0/0
ip access-group 100 inOn Windows Firewall (via PowerShell):
New-NetFirewallRule -Name "Allow HTTP" -Direction Inbound -Protocol TCP -LocalPort 80 -Action AllowHow Firewall Interacts with Related Technologies
NAT (Network Address Translation): Often runs on the same device as a firewall. NAT translates private IPs to a public IP for outbound traffic. The firewall's state table must align with NAT translations.
VPN (Virtual Private Network): Firewalls often have VPN capabilities. VPN traffic is encrypted, so the firewall may need to inspect decrypted traffic after VPN termination.
IDS/IPS (Intrusion Detection/Prevention System): Can be integrated with a firewall. While the firewall controls access, IDS/IPS analyzes traffic for malicious patterns.
Proxy servers: Act as intermediaries; firewalls can be configured to force traffic through a proxy.
Packet Arrives at Firewall
A packet arrives at the firewall's ingress interface. The firewall reads the packet's header, extracting the source IP, destination IP, source port, destination port, and protocol. It also examines TCP flags if applicable. The packet is placed in a queue for processing. The firewall's network interface card (NIC) receives the packet and passes it to the kernel's network stack, which then hands it off to the firewall inspection engine.
State Table Lookup
The firewall first checks its state table for an existing connection that matches the packet's five-tuple. For TCP, it also checks the sequence and acknowledgment numbers. If a matching entry is found and the packet is in the correct state (e.g., for an established connection, the SYN flag is not set), the packet is allowed immediately without consulting the rulebase. This is the stateful inspection step that provides performance and security benefits.
Rulebase Processing
If no state table entry matches, the firewall evaluates the packet against its rulebase. Rules are processed in order from top to bottom. For each rule, the firewall checks if the packet's fields match the rule's criteria. The first rule that matches determines the action. If the action is 'allow', the firewall creates a new state table entry (for stateful firewalls) and forwards the packet. If the action is 'deny', the packet is dropped, and optionally logged. If 'reject', an ICMP unreachable packet is sent back.
Default Policy Application
If no rule matches the packet, the firewall applies its default policy. Typically, the default policy is to deny all traffic. In that case, the packet is dropped. Some firewalls have separate default policies for inbound and outbound traffic. For example, outbound might be allowed by default, but inbound is denied. The default policy is the last line of defense. It is crucial to set it correctly to avoid accidental exposure.
Logging and Alerting
If the rule or policy specifies logging, the firewall logs the packet details: timestamp, source/destination IP/port, protocol, and action taken. Logs are stored locally or sent to a syslog server. Administrators review logs to identify attacks or misconfigurations. Some firewalls can trigger alerts (e.g., email, SNMP trap) when certain rules are matched, such as multiple denied packets from the same source, indicating a potential port scan.
Enterprise Scenario 1: Protecting a Corporate LAN
A medium-sized company with 500 employees uses a stateful firewall to protect its internal network from the internet. The firewall is configured with a default deny inbound policy. Outbound traffic is allowed for web (80, 443), DNS (53), and email (25, 587). All other outbound traffic is blocked. The firewall also has a DMZ segment hosting the company's public web server and email server. Inbound traffic to the DMZ is allowed only on ports 80 and 443 for the web server, and port 25 for the email server. The firewall performs NAT to map public IPs to internal DMZ servers. Misconfiguration: An administrator once accidentally allowed inbound port 3389 (RDP) to the entire internal subnet. Within hours, the firewall logs showed repeated connection attempts from external IPs. The mistake was caught by reviewing logs, and the rule was removed. This highlights the importance of logging and periodic rule audits.
Enterprise Scenario 2: Branch Office with Site-to-Site VPN
A company with headquarters and five branch offices uses firewalls with VPN capabilities to create site-to-site IPsec tunnels. Each branch office firewall has a rule that allows traffic from the branch's internal subnet to the headquarters' subnet, encrypted. The firewalls perform stateful inspection on the decrypted traffic. One branch experienced intermittent connectivity because the VPN tunnel kept dropping. The issue was traced to a misconfigured firewall rule that blocked UDP port 500 (ISAKMP) and UDP port 4500 (NAT-T), which are essential for IPsec. After adding allow rules for these ports, the tunnel stabilized. This scenario shows that firewalls must permit VPN control traffic, not just data traffic.
Performance Considerations
In high-throughput environments, stateful firewalls can become a bottleneck because they must maintain state tables for millions of connections. Hardware acceleration (ASICs) or using multiple firewall instances in a cluster can help. Typical state table sizes range from 500,000 to 10 million entries. Timeouts must be tuned: too short causes legitimate connections to drop; too long wastes memory. For example, a web server handling many short-lived connections may benefit from a shorter TCP timeout (e.g., 300 seconds), while a file transfer may need longer (e.g., 7200 seconds). Administrators monitor CPU and memory usage to ensure the firewall can handle the load.
What 220-1101 Tests on Firewall Basics
The CompTIA A+ 220-1101 exam covers firewalls under Objective 2.4 (Compare and contrast networking hardware). Specifically, you need to know:
The purpose of a firewall (block unauthorized access, allow/deny traffic based on rules).
The difference between a hardware firewall (dedicated appliance) and a software firewall (Windows Defender Firewall, iptables).
Basic firewall configuration concepts: allow/deny rules, port numbers, IP addresses.
Stateful vs. stateless inspection (though not by name, but the concept of tracking connection state).
Common firewall ports: 80 (HTTP), 443 (HTTPS), 22 (SSH), 3389 (RDP), 53 (DNS), 25 (SMTP).
Common Wrong Answers and Why Candidates Choose Them
"A firewall prevents all viruses." Many candidates think a firewall is an antivirus. Reality: A firewall does not scan for malware; it only controls traffic. Antivirus software is separate.
"A firewall must be a physical device." Candidates often forget that software firewalls (like Windows Firewall) are common. The exam expects you to know both types.
"A firewall blocks all inbound traffic by default." While default deny inbound is typical, some firewalls allow all inbound unless configured otherwise. The exam may ask about default behavior of specific products (e.g., Windows Firewall blocks inbound by default).
"Port forwarding is used to hide internal IP addresses." That is NAT, not port forwarding. Port forwarding specifically maps external ports to internal hosts.
Numbers, Values, and Terms That Appear on the Exam
Default ports: 80 (HTTP), 443 (HTTPS), 22 (SSH), 3389 (RDP), 23 (Telnet), 21 (FTP).
The term "stateful" may not be used, but the concept of "tracking connection state" is tested.
DMZ: a separate network for public services.
ACL (Access Control List): another name for firewall rules on routers.
Edge Cases and Exceptions
Some firewalls can inspect encrypted traffic if they act as a proxy (SSL inspection). This is beyond A+ scope, but know that firewalls can filter based on application layer data (next-gen firewalls).
Firewalls can be configured to allow traffic based on time of day (scheduling). Not heavily tested, but possible.
The exam may ask about "implicit deny" — the concept that if no rule matches, traffic is denied.
How to Eliminate Wrong Answers
If a question asks about blocking specific traffic, look for answers that mention port numbers or IP addresses. Answers about antivirus or encryption are likely wrong.
If the question involves allowing remote desktop, the answer will involve port 3389.
If the question describes a device that filters traffic based on rules, it is a firewall, not a router or switch.
Remember that firewalls can be software or hardware; do not assume hardware only.
A firewall filters traffic based on IP addresses, ports, and protocols.
Stateful firewalls track connection state; stateless do not.
Default policy is usually deny all inbound.
Common ports: 80 (HTTP), 443 (HTTPS), 22 (SSH), 3389 (RDP).
DMZ is a separate network for public-facing servers.
Port forwarding maps external ports to internal hosts.
Firewalls can be hardware or software.
Logs help detect and troubleshoot security issues.
These come up on the exam all the time. Here's how to tell them apart.
Hardware Firewall
Dedicated physical appliance.
Protects entire network segment.
Higher throughput, typically 1 Gbps+.
More expensive, requires physical installation.
Less flexible for per-device rules.
Software Firewall
Runs as software on a host (e.g., Windows Firewall).
Protects only that host.
Throughput depends on host CPU.
Low cost (often included with OS).
Highly flexible, can be customized per application.
Mistake
A firewall can block all malware from entering the network.
Correct
A firewall filters traffic based on IP addresses, ports, and protocols. It does not inspect the content of packets for malware. Antivirus or IDS/IPS is needed for malware detection.
Mistake
Stateful firewalls are the same as packet filters.
Correct
Packet filters (stateless) examine each packet independently. Stateful firewalls track connection state and allow return traffic automatically. Stateful is more secure.
Mistake
A firewall always blocks all inbound traffic by default.
Correct
While many firewalls have a default deny inbound policy, some may allow all inbound unless rules are added. Always verify the default policy of the specific firewall.
Mistake
Port forwarding and NAT are the same thing.
Correct
NAT translates private IPs to a public IP. Port forwarding is a specific type of NAT that maps an external port to an internal IP and port. They are related but not identical.
Mistake
Software firewalls are less secure than hardware firewalls.
Correct
Both can be secure if properly configured. Hardware firewalls are dedicated and can handle more traffic, but software firewalls provide per-device protection. Security depends on configuration, not form factor.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
A stateful firewall tracks the state of active connections and allows return traffic automatically. A stateless firewall examines each packet independently without remembering previous packets. Stateful firewalls are more secure and efficient for most networks.
For a standard web server, open port 80 for HTTP and port 443 for HTTPS. If you need secure management, you might also open port 22 for SSH, but restrict it to specific IPs.
No. A firewall does not scan for viruses. It only controls traffic based on rules. To block viruses, you need antivirus software and possibly an intrusion prevention system (IPS).
A DMZ (demilitarized zone) is a separate network segment that hosts public-facing services like web and email servers. It allows external access to those servers but restricts access from the DMZ to the internal LAN, reducing risk if a server is compromised.
You need to create a rule that allows inbound TCP traffic on port 3389 from the source IPs you want to permit. For security, restrict the source IPs to only those that need access.
Most firewalls have a default deny policy for inbound traffic, meaning any traffic not explicitly allowed is blocked. Outbound traffic may be allowed by default or also denied, depending on the configuration.
A router forwards packets between networks based on IP addresses. A firewall filters traffic based on security rules. Many routers include basic firewall capabilities, but dedicated firewalls offer more advanced filtering and stateful inspection.
You've just covered Firewall Basics for A+ — now see how well it sticks with free 220-1101 practice questions. Full explanations included, no account needed.
Done with this chapter?