If you've ever set up a router, installed antivirus software, or taken a networking class, you've heard the word "firewall." But what does it actually do? This guide breaks it down in plain English — no jargon, no fluff.
Bottom line up front: A firewall is a security system that monitors and controls incoming and outgoing network traffic based on a set of rules. Think of it as a bouncer at a club — it decides who gets in and who gets turned away.
Every time your computer sends or receives data over the internet, that data is broken into small packets. A firewall inspects those packets and decides whether to allow them through or block them based on rules set by a network administrator — or in your case, whoever set up your router.
Without a firewall, your computer is exposed to every piece of traffic on the internet — including malicious traffic from hackers, bots, and malware. A firewall acts as the first line of defense between your device and the outside world.
Common misconception: A firewall is not the same as antivirus software. Antivirus deals with malicious files already on your device. A firewall controls what traffic reaches your device in the first place. You need both.
Packet filtering is the most basic type. It inspects each packet individually and checks it against a set of rules — things like IP address, port number, and protocol. Fast and lightweight but can't detect complex attacks. Think of it as checking an ID at the door without looking inside someone's bag.
Stateful inspection is more advanced than packet filtering. It tracks the state of active connections and makes decisions based on context — not just individual packets. This is the standard in most modern firewalls. It's like a bouncer who remembers you came in earlier and knows you're allowed back.
Operates at the application level and can inspect the actual content of traffic — like HTTP requests or FTP commands. Much more thorough but slower. Used by enterprises to inspect web traffic deeply.
Next-generation firewalls (NGFWs) are the modern standard for enterprise security. They combine stateful inspection with deep packet inspection, intrusion prevention, and application awareness. Tools like Palo Alto, Fortinet, and Cisco Firepower are examples you'll encounter in SOC work.
Software firewalls run on your device (like Windows Defender Firewall). Hardware firewalls are physical devices that sit between your network and the internet — like the firewall built into your home router. Enterprises use both.
Firewalls use rules — sometimes called Access Control Lists (ACLs) — to decide what traffic to allow or block. A basic rule might look like this:
Rules are processed top to bottom. The first rule that matches the traffic wins. This is why rule order matters — a misconfigured rule order is one of the most common firewall mistakes in real environments.
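To make the rule-order point concrete, here is an added example (not from the original guide) of a first-match evaluator plus a check for rules that can never fire. The rule format (action, source network, destination port), the subnet `10.0.5.0/24`, the sample addresses and the implicit default-deny are all assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str           # "allow" or "deny"
    src: str              # source network, CIDR notation
    port: Optional[int]   # destination port; None means any port

def evaluate(rules, src_ip, port, default="deny"):
    """Walk the list top to bottom; the first matching rule decides.
    Returns (action, rule_index); index is None if only the default applied.
    The implicit default-deny is an assumption of this sketch."""
    ip = ipaddress.ip_address(src_ip)
    for i, r in enumerate(rules):
        if ip in ipaddress.ip_network(r.src) and r.port in (None, port):
            return r.action, i
    return default, None

def shadowed(rules):
    """Indices of rules that can never match because an earlier rule
    already covers their whole source network and port."""
    dead = []
    for i, later in enumerate(rules):
        net = ipaddress.ip_network(later.src)
        for earlier in rules[:i]:
            covers_net = net.subnet_of(ipaddress.ip_network(earlier.src))
            covers_port = earlier.port is None or earlier.port == later.port
            if covers_net and covers_port:
                dead.append(i)
                break
    return dead

# Constructed policy: SSH only from the admin subnet, HTTPS from anywhere.
ADMIN_NET, ANYWHERE = "10.0.5.0/24", "0.0.0.0/0"

MISORDERED = [
    Rule("deny", ANYWHERE, 22),    # broad deny placed first...
    Rule("allow", ADMIN_NET, 22),  # ...so this rule is never reached
    Rule("allow", ANYWHERE, 443),
]
CORRECTED = [
    Rule("allow", ADMIN_NET, 22),  # specific exception before the broad rule
    Rule("deny", ANYWHERE, 22),
    Rule("allow", ANYWHERE, 443),
]

if __name__ == "__main__":
    for name, rules in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(name, evaluate(rules, "10.0.5.20", 22), "shadowed:", shadowed(rules))
```

Both lists contain the same three rules; only the order differs, and the shadow check flags the misordered list before any traffic is affected.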
| Port | Protocol | Usually Allowed? |
|---|---|---|
| 80 | HTTP | Yes |
| 443 | HTTPS | Yes |
| 22 | SSH | Sometimes (restricted) |
| 21 | FTP | Often blocked |
| 23 | Telnet | Almost always blocked |
| 3389 | RDP | Restricted |
Here's where you'll encounter firewalls in practice:
Yes — and understanding how is a core part of cybersecurity. Common bypass techniques include:
This is exactly why NGFWs with deep packet inspection exist — they can detect malicious traffic even when it's disguised as normal traffic.
Understanding firewalls is essential for almost every cybersecurity role. As a SOC Analyst you'll work with firewall logs daily. As a penetration tester you'll look for ways around them. As a network engineer you'll configure and manage them.
On TryHackMe, the Networking fundamentals path covers firewalls in detail and is worth completing early in your learning journey.
A firewall is one of the most fundamental concepts in cybersecurity. Whether you're studying for CompTIA Security+, working through TryHackMe rooms, or preparing for a SOC role — understanding how firewalls work, what types exist, and how they can be bypassed is essential knowledge.
Your next step: Open Windows Defender Firewall on your PC and explore the inbound and outbound rules. See what's allowed and what's blocked by default. Hands-on curiosity is how you actually learn this stuff.