Introduction:
A firewall is often dismissed as a simple “block or allow” device, but modern implementations function as an intelligent decision engine that enforces security policies in real time. By inspecting packets, tracking connection states, and filtering application-layer data, firewalls serve as the critical gatekeeper between internal networks and external threats. This article goes beyond the basics to deliver hands-on commands, configurations, and strategies for traditional, next‑gen, and cloud‑native firewall deployments.
Learning Objectives:
- Understand and implement packet filtering and stateful inspection using Linux iptables/nftables and Windows Defender Firewall.
- Configure application‑layer filtering and intrusion detection integration with open‑source tools like Snort and Suricata.
- Apply cloud‑native firewall rules (AWS Security Groups, Azure NSG) and combine firewalls with Zero Trust principles for hardened security.
1. Packet Filtering at the Command Line – IP, Ports, and Protocols
Packet filtering examines headers (source/destination IP, port, protocol) and decides to accept, drop (silently discard), or reject (discard and return an ICMP unreachable or TCP RST) traffic based on predefined rules. Below are commands to implement basic packet filters on Linux and Windows.
Step‑by‑step guide for Linux (iptables/nftables):
1. View current rules:
`sudo iptables -L -v -n`
2. Block all incoming traffic from a specific IP:
`sudo iptables -A INPUT -s 192.168.1.100 -j DROP`
3. Allow SSH (port 22) only from a trusted subnet:
`sudo iptables -A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT`
This rule means "only" just when the chain's default policy is DROP (`sudo iptables -P INPUT DROP`); set the policy after the accept rules exist, or you will lock yourself out of a remote host. `-A` appends, so rules are evaluated in the order you add them and the first match wins.
4. Save rules persistently (Debian/Ubuntu, with the `iptables-persistent` package installed; the redirect must run as root, not just the `iptables-save` command):
`sudo iptables-save | sudo tee /etc/iptables/rules.v4`
For nftables (the modern replacement, which also backs `iptables-nft`), the table and chain must exist before a rule can be added to them, because nothing is created by default:
`sudo nft add table ip filter`
`sudo nft add chain ip filter INPUT '{ type filter hook input priority 0; }'`
`sudo nft add rule ip filter INPUT ip saddr 192.168.1.100 drop`
Windows (PowerShell as Admin):
- Show currently enabled firewall rules:
`Get-NetFirewallRule | Where-Object {$_.Enabled -eq "True"}`
- Block inbound traffic from an IP:
`New-NetFirewallRule -DisplayName "BlockIP" -Direction Inbound -RemoteAddress 192.168.1.100 -Action Block`
- Allow SSH (port 22) inbound, scoped to a trusted subnet:
`New-NetFirewallRule -DisplayName "AllowSSH" -Direction Inbound -Protocol TCP -LocalPort 22 -RemoteAddress 10.0.0.0/8 -Action Allow`
Explicit block rules take precedence over allow rules in Windows Defender Firewall, and the default inbound action of every profile is Block, so the allow rule above is what makes SSH reachable at all.
2. Stateful Inspection – Tracking Connection States
Stateful firewalls remember active connections and only allow return traffic that matches an established session, so unsolicited packets that merely look like replies (ACK-only probes, forged responses) are dropped.
How it works in Linux (conntrack):
- Install the conntrack userspace tool: `sudo apt install conntrack`
- View active connections: `sudo conntrack -L`
- Drop packets that do not belong to any tracked connection, and accept replies to connections the host itself opened:
`sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP`
`sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`
(`-m state --state` is the legacy spelling of the same match.) These two rules belong at the top of the chain, before any per‑service ACCEPT, and they only give you "default deny" together with `sudo iptables -P INPUT DROP`.
Windows equivalent:
Windows Defender Firewall with Advanced Security is stateful by default: replies to outbound connections are admitted without any inbound rule. To see active connections:
`Get-NetTCPConnection -State Established`
There is no rule parameter for "established only"; state handling is implicit, and an inbound rule only decides which new connections may be opened to the host. The profile defaults that supply the deny‑by‑default behaviour can be checked with:
`Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction, DefaultOutboundAction`
("Edge traversal" is unrelated to state tracking: it controls whether a rule matches traffic that arrives through a NAT traversal tunnel such as Teredo.)
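The rules in sections 1 and 2 only behave as a default‑deny host firewall when they are loaded in the right order and with a drop policy. The script below is an added example and not code from the article: it assembles those rules into one nftables ruleset that is parse‑checked and then loaded atomically with `nft -f`. The management subnet 10.0.0.0/8, the blocked host 192.168.1.100 and the output path /tmp/host.nft are assumed placeholders, and `order_ok` is a hypothetical review helper, not an nft feature. Note that `flush ruleset` replaces every table on the host.

```shell
#!/bin/sh
# Added example (not from the article): ordered nftables host ruleset that
# combines the packet-filter and stateful rules of sections 1 and 2.
# Assumed values: ADMIN_NET, BLOCKED_HOST and RULESET are placeholders.
set -eu

ADMIN_NET="${ADMIN_NET:-10.0.0.0/8}"
BLOCKED_HOST="${BLOCKED_HOST:-192.168.1.100}"
RULESET="${RULESET:-/tmp/host.nft}"

# Emit the ruleset. The chain policy supplies the default deny; loopback,
# INVALID and ESTABLISHED,RELATED are handled before any per-service rule,
# which is the ordering that appending rules one by one with -A tends to break.
gen_host_ruleset() {
  cat <<EOF
flush ruleset

table inet host {
  chain input {
    type filter hook input priority 0; policy drop;

    iif "lo" accept
    ct state invalid drop

    # blocklist entry from section 1, placed before the stateful accept so
    # that even an already-open session from this host is cut off
    ip saddr ${BLOCKED_HOST} drop

    ct state established,related accept

    # keep the host diagnosable without turning it into a ping sink
    icmp type echo-request limit rate 5/second accept
    icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

    # management access only from the trusted subnet (new connections only)
    ip saddr ${ADMIN_NET} tcp dport 22 ct state new accept

    # whatever reaches this point is logged (rate-limited) and hits policy drop
    limit rate 10/minute log prefix "nft-drop: " level warn
  }

  chain forward {
    type filter hook forward priority 0; policy drop;
  }

  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# Hypothetical review check: the stateful accept must precede every
# per-service accept, otherwise replies to the host's own traffic are
# evaluated against service rules that were never meant for them.
order_ok() {
  gen_host_ruleset | awk '
    /ct state established,related accept/ { seen = 1 }
    /tcp dport/ && !seen                  { bad = 1 }
    END { exit bad }'
}

# Parse-check with nft -c when the tool is installed, then load atomically
# and persist for the nftables.service unit used by Debian/Ubuntu.
apply_ruleset() {
  gen_host_ruleset > "$RULESET"
  order_ok
  if command -v nft >/dev/null 2>&1; then
    sudo nft -c -f "$RULESET"
    sudo nft -f "$RULESET"
    sudo cp "$RULESET" /etc/nftables.conf
    sudo systemctl enable --now nftables
  else
    echo "nft not installed; ruleset left in $RULESET" >&2
    return 1
  fi
}

case "${1:-}" in
  apply) apply_ruleset ;;
  *)     gen_host_ruleset ;;
esac
```

Run it with no arguments to review the generated ruleset, and with `apply` on the target host. Because `nft -f` commits the whole file in one transaction, a syntax error leaves the previous ruleset in place instead of a half‑loaded one.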
3. Application Layer Filtering – IDS/IPS Integration
Beyond ports and IPs, next‑gen firewalls (NGFW) inspect payloads, detect anomalies, and block malicious content. On Linux the same layering can be built from a packet filter plus Snort (or Suricata) as an open‑source IPS.
Step‑by‑step Snort installation and inline filtering (the `snort` package in Debian/Ubuntu is the Snort 2.9 line; Snort 3 reads `snort.lua` instead of `snort.conf`):
1. Install Snort on Ubuntu:
`sudo apt install snort` (configure the monitored interface and HOME_NET during setup)
2. Test a basic rule: alert on ICMP echo requests (`itype:8` restricts the match to echo requests rather than all ICMP).
Add to `/etc/snort/rules/local.rules`:
`alert icmp any any -> $HOME_NET any (msg:"ICMP Ping Detected"; itype:8; sid:1000001; rev:1;)`
3. Run Snort in packet logger mode:
`sudo snort -dev -l /var/log/snort -h 192.168.1.0/24`
4. For inline IPS mode (requires the NFQUEUE target and the nfq DAQ module):
`sudo iptables -I INPUT -j NFQUEUE --queue-num 0 --queue-bypass`
`sudo snort -Q -q --daq nfq --daq-var queue=0 -c /etc/snort/snort.conf`
`--queue-bypass` lets packets through when no process is attached to the queue; without it, stopping Snort cuts all inbound traffic. Inline mode only blocks for rules whose action is `drop` (or `reject`); `alert` rules log and let the packet pass.
Application filtering on Windows:
Windows Defender Firewall can scope a rule to a program path (it cannot match file hashes):
`New-NetFirewallRule -DisplayName "BlockMalware" -Direction Outbound -Program "C:\path\malware.exe" -Action Block`
Matching by hash, signer or URL is not a firewall function: use Windows Defender Application Control (WDAC) or AppLocker to control which binaries may execute at all, and a proxy or third‑party NGFW for URL filtering.
4. Firewall Logging and Monitoring – Detecting Anomalies
Logging reveals dropped packets, connection attempts, and potential attacks.
Linux (iptables logging):
- Log, then drop. LOG is a non‑terminating target, so it must come before the DROP rule that handles the same packets, and it should be rate‑limited so an attacker cannot fill the disk by sending junk:
`sudo iptables -A INPUT -m limit --limit 10/min -j LOG --log-prefix "DROP: " --log-level 4`
`sudo iptables -A INPUT -j DROP`
- View logs: `sudo journalctl -k -g "DROP:"` or `sudo tail -f /var/log/kern.log`
Windows enable logging:
- Via GUI: Windows Defender Firewall → Advanced Settings → Windows Firewall Properties → Public Profile → Logging → Customize → Log dropped packets.
- Via PowerShell (`-All` covers the Domain, Private and Public profiles; `-Profile Public` alone leaves a machine on a domain or private network unlogged):
`Set-NetFirewallProfile -All -LogFileName "C:\Windows\System32\LogFiles\Firewall\pfirewall.log" -LogAllowed False -LogBlocked True`
- Monitor log: `Get-Content "C:\Windows\System32\LogFiles\Firewall\pfirewall.log" -Wait`
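Raw LOG lines are only useful once they are aggregated. The script below is an added example (not from the article) that runs awk over kern.log‑style iptables output using the "DROP: " prefix from the rule above: one function ranks sources by blocked packets, the other flags sources that touched many distinct destination ports, the simplest port‑scan heuristic. The sample log is constructed for the example and uses documentation address ranges; `live_scan_suspects` is a hypothetical wrapper for use on a real host.

```shell
#!/bin/sh
# Added example (not from the article): triage of iptables LOG output.
set -eu

# Constructed sample in kern.log format with the "DROP: " prefix from the
# logging rule. Addresses are documentation ranges; this is not real traffic.
SAMPLE_LOG=$(cat <<'EOF'
Jun 12 10:01:02 web1 kernel: [1201.100001] DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=10.0.0.2 LEN=44 TOS=0x00 PREC=0x00 TTL=55 ID=1 DF PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 12 10:01:02 web1 kernel: [1201.100203] DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=10.0.0.2 LEN=44 TOS=0x00 PREC=0x00 TTL=55 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 12 10:01:02 web1 kernel: [1201.100410] DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=10.0.0.2 LEN=44 TOS=0x00 PREC=0x00 TTL=55 ID=3 DF PROTO=TCP SPT=40003 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 12 10:01:03 web1 kernel: [1201.100622] DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=10.0.0.2 LEN=44 TOS=0x00 PREC=0x00 TTL=55 ID=4 DF PROTO=TCP SPT=40004 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 12 10:01:03 web1 kernel: [1201.100839] DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=10.0.0.2 LEN=44 TOS=0x00 PREC=0x00 TTL=55 ID=5 DF PROTO=TCP SPT=40005 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 12 10:01:03 web1 kernel: [1201.101044] DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=10.0.0.2 LEN=44 TOS=0x00 PREC=0x00 TTL=55 ID=6 DF PROTO=TCP SPT=40006 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 12 10:01:03 web1 kernel: [1201.101251] DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=10.0.0.2 LEN=44 TOS=0x00 PREC=0x00 TTL=55 ID=7 DF PROTO=TCP SPT=40007 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 12 10:04:17 web1 kernel: [1396.300012] DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=10.0.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=911 DF PROTO=TCP SPT=51111 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Jun 12 10:04:20 web1 kernel: [1399.300044] DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=10.0.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=912 DF PROTO=TCP SPT=51112 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Jun 12 10:05:01 web1 kernel: [1440.200077] DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=33 PROTO=UDP SPT=5353 DPT=161 LEN=40
EOF
)

# Blocked packets per source address, busiest first.
top_blocked_sources() {
  awk '/DROP: / {
         src = ""
         for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
         if (src != "") n[src]++
       }
       END { for (s in n) print n[s], s }' | sort -rn
}

# Sources that probed at least $1 distinct destination ports (default 5):
# one host touching many ports is the signature of a port scan, whereas
# repeated hits on a single port are more often a misconfigured client.
scan_suspects() {
  threshold="${1:-5}"
  awk -v t="$threshold" '/DROP: / {
         src = ""; dpt = ""
         for (i = 1; i <= NF; i++) {
           if ($i ~ /^SRC=/) src = substr($i, 5)
           if ($i ~ /^DPT=/) dpt = substr($i, 5)
         }
         if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
       }
       END { for (s in ports) if (ports[s] >= t) print s, ports[s] }' | sort
}

# Hypothetical live wrapper for a host running the LOG rule (journald keeps
# kernel messages; -k selects them, -g filters on the prefix).
live_scan_suspects() { sudo journalctl -k -g 'DROP: ' --no-pager | scan_suspects "$@"; }

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | top_blocked_sources
printf '%s\n' "$SAMPLE_LOG" | scan_suspects 5   # prints: 203.0.113.5 7
```

The threshold is the tuning knob: 5 distinct ports in a log window catches a quick vertical scan from one address but ignores the two SMB attempts from 198.51.100.9, which warrant a different question (why is that host talking to a web server on 445 at all?).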
5. Testing Firewall Rules – Simulating Attacks
Verify your firewall's effectiveness with port scanning and connectivity tests, from a host that is not covered by your own allow rules (and scan only systems you are authorized to test).
Use nmap (Linux/Windows; `-sS`, `-sA` and `-f` need root or Administrator privileges because they craft raw packets):
- Scan for open ports: `nmap -sS -p 1-1000 192.168.1.1`
- Firewall detection (ACK scan: ports reported "unfiltered" indicate a stateless filter that lets bare ACKs through, "filtered" a stateful one that drops them): `nmap -sA 192.168.1.1`
- Test fragment handling (tiny IP fragments defeat naive filters that only inspect the first fragment's headers): `nmap -f 192.168.1.1`
Manual tests:
- Telnet to check if a port responds: `telnet 192.168.1.1 80`
- Curl from a specific source interface or address (this binds the socket; it does not spoof the source IP, but it is enough to validate source‑based rules from a multi‑homed host):
`curl --interface eth0:1 http://target`
- Windows Test-NetConnection: `Test-NetConnection -Port 80 192.168.1.1`
6. Cloud Native Firewalls – AWS Security Groups and Azure NSG
Cloud firewalls are software‑defined, stateful, and managed through the same APIs and infrastructure‑as‑code tooling as the rest of the environment.
AWS Security Group (stateful) example:
- Allow SSH from your IP only:
`aws ec2 authorize-security-group-ingress --group-id sg-12345678 --protocol tcp --port 22 --cidr YOUR_PUBLIC_IP/32`
- All other inbound traffic is denied by default: a security group has only allow rules, so an empty inbound list means nothing gets in.
- List rules: `aws ec2 describe-security-groups --group-ids sg-12345678`
Azure Network Security Group (also stateful; rules are evaluated by priority, lowest number first, and the built‑in DenyAllInbound rule at priority 65500 catches everything unmatched):
- Create NSG rule (CLI; the resource group is required):
`az network nsg rule create --resource-group MyRG --nsg-name MyNSG --name AllowHTTP --protocol Tcp --direction Inbound --priority 100 --destination-port-ranges 80 --access Allow`
- Logging (NSG flow logs are configured through Network Watcher): `az network watcher flow-log show --resource-group MyRG --nsg MyNSG`
Hardening tip: Always combine cloud firewalls with a Web Application Firewall (AWS WAF, Azure WAF, or Cloud Armor on GCP) for layer 7 protection; security groups and NSGs see only layer 3/4.
7. Zero Trust and Firewalls – Micro‑segmentation with nftables
Zero Trust assumes no implicit trust – firewalls must enforce per‑workload rules on every host, not only at the perimeter.
Linux micro‑segmentation using nftables (e.g., isolate the web server from the DB). The rules below run on the database host (10.0.0.3): its input chain drops everything except loopback, replies to its own connections, and the one flow the web server (10.0.0.2) is permitted to open. The brace block must be quoted, otherwise the shell treats the `;` as a command separator.
1. Create a table and a default‑deny input chain for the zone:
`sudo nft add table inet zone_db`
`sudo nft add chain inet zone_db input '{ type filter hook input priority 0; policy drop; }'`
2. Keep the host usable: accept loopback and the return half of connections it already has:
`sudo nft add rule inet zone_db input iif lo accept`
`sudo nft add rule inet zone_db input ct state established,related accept`
3. Allow the web server (10.0.0.2) to reach the DB (10.0.0.3) only on port 3306:
`sudo nft add rule inet zone_db input ip saddr 10.0.0.2 ip daddr 10.0.0.3 tcp dport 3306 accept`
4. All other traffic is dropped by the chain policy; no trailing drop rule is needed. What is needed is an accept for your own administrative access (for example SSH from a management subnet) before the policy takes effect, or the host becomes unreachable.
Windows equivalent: scope inbound rules with `-RemoteAddress` to the peer workloads that need them (a per‑host allow‑list rather than per‑profile defaults), and on Hyper‑V hosts add port ACLs on the virtual switch so the policy holds even if the guest firewall is disabled.
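Per‑workload rules scale badly when every new web node means editing rules on every database host. The script below is an added example (not from the article) of the same segmentation expressed with an nftables named set: the database host accepts new connections on the DB port only from members of `web_tier`, and membership is changed at runtime with `nft add element` rather than by rewriting rules. Only the 10.0.0.2 → 10.0.0.3:3306 flow comes from the text; the second web node 10.0.0.4, the management network 10.0.100.0/24, the table name `db_host` and the helper functions are assumptions. `flush ruleset` replaces every table on the host.

```shell
#!/bin/sh
# Added example (not from the article): set-based micro-segmentation for the
# database host of section 7. Assumed values: WEB_TIER members, MGMT_NET and
# DB_PORT are placeholders; only 10.0.0.2 -> 10.0.0.3:3306 is from the text.
set -eu

WEB_TIER="${WEB_TIER:-10.0.0.2, 10.0.0.4}"
MGMT_NET="${MGMT_NET:-10.0.100.0/24}"
DB_PORT="${DB_PORT:-3306}"

# Ruleset loaded on the database host. The web tier is a named set, so
# scaling the tier is a data change (add/delete element) rather than a rule
# change, and the allow rule itself never needs to be rewritten.
gen_db_ruleset() {
  cat <<EOF
flush ruleset

table inet db_host {
  set web_tier {
    type ipv4_addr
    elements = { ${WEB_TIER} }
  }

  chain input {
    type filter hook input priority 0; policy drop;

    iif "lo" accept
    ct state invalid drop
    ct state established,related accept

    # only web-tier members may open new connections to the database
    ip saddr @web_tier tcp dport ${DB_PORT} ct state new counter accept

    # administration only from the management network
    ip saddr ${MGMT_NET} tcp dport 22 ct state new counter accept

    # anything else reaching a database host is a lateral-movement signal
    limit rate 20/minute counter log prefix "db-host denied: " level warn
  }

  chain forward { type filter hook forward priority 0; policy drop; }
  chain output  { type filter hook output priority 0; policy accept; }
}
EOF
}

# Atomic load from stdin; a syntax error leaves the old ruleset untouched.
apply_db_ruleset() { gen_db_ruleset | sudo nft -f -; }

# Membership changes at runtime, without reloading the ruleset.
add_web_node()  { sudo nft add element inet db_host web_tier "{ $1 }"; }
drop_web_node() { sudo nft delete element inet db_host web_tier "{ $1 }"; }

# Evidence: per-rule hit counters and the denied-traffic log.
show_counters() { sudo nft list chain inet db_host input; }
show_denied()   { sudo journalctl -k -g 'db-host denied:' --no-pager; }

case "${1:-}" in
  apply) apply_db_ruleset ;;
  add)   add_web_node "$2" ;;
  drop)  drop_web_node "$2" ;;
  *)     gen_db_ruleset ;;
esac
```

The `counter` on each accept rule is what turns the ruleset into evidence: `show_counters` tells you whether the management rule has ever matched, and a non‑zero count on the final log rule on a database host is worth an alert on its own.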
What Undercode Say:
- Firewalls are decision engines, not walls – Their real power lies in rule logic, state tracking, and application awareness.
- Combining traditional firewall with Zero Trust – Micro‑segmentation and logging transform a basic firewall into a compliance and threat‑hunting tool.
- Cloud‑native rules are ephemeral but powerful – Infrastructure‑as‑code (Terraform, AWS CLI) makes firewall management auditable and repeatable.
Analysis: Modern firewalls have evolved from simple packet filters to converged IPS/IDS platforms. However, many organizations still misconfigure them or ignore their logs. The commands above bridge the gap between theory (stateful inspection, application filtering) and practice, enabling engineers to build, test, and monitor real firewall rules. As attacks shift to encrypted channels (HTTPS), combining firewalls with TLS inspection proxies and endpoint detection becomes mandatory. The future lies in AI‑driven anomaly detection built into NGFWs, but the fundamentals of iptables/nftables remain essential for any cybersecurity professional.
Prediction:
Within three years, most traditional port‑based firewalls will be replaced by cloud‑native, API‑driven, identity‑aware security groups that dynamically adjust based on user behavior and threat intelligence. However, open‑source tools like nftables and Snort will remain critical for on‑prem, air‑gapped, and edge environments. The firewall’s role will shift from perimeter gatekeeper to enforcement point inside a Zero Trust mesh – but the core concepts of packet filtering and stateful inspection will never become obsolete.
Reported By: Cybersecurity Firewall – Hackers Feeds