Firewall Rule Definition

What is a Firewall Rule?

A firewall is a network security tool that defines a protected boundary. Firewalls can be deployed at the network level — such as the border between a corporate network and the public Internet — or run on an individual computer.

A firewall rule defines the types of traffic that are permitted to flow through that protected boundary. Typically, companies define firewall rules for both inbound and outbound traffic.

How Do Firewall Rules Work?

A firewall works like an access control list (ACL) or the guest list at a party. If you’re on the list of invited guests — or not on the list of banned ones — then you’re allowed into the party or the protected network.

Firewalls inspect packets flowing over the network and determine whether they should be allowed to continue or should be dropped. These decisions can be made based on various factors, including:

• Protocol: Firewalls may only allow certain protocols to enter or leave the network. For example, ICMP is used to report error information and is commonly blocked at network boundaries.
• IP Address: Some firewall rules might restrict the source or destination addresses of inbound or outbound traffic. For example, a network may be only accessible from certain IP addresses, or only certain computers in the network may be publicly accessible. Firewalls can also be used to implement geoblocking by allowing or blocking certain IP ranges.
• Port Numbers: In the TCP and UDP protocols, applications are assigned a particular port, which uniquely identifies traffic to or from them. Firewalls can use port numbers to make certain ports or protocols inaccessible from outside the network and reduce the company’s digital attack surface. For example, an organization may block traffic destined for port 22 to prevent inbound SSH connections (which are used to remotely access a computer’s command line).

Depending on the type of firewall, additional factors may be used to make these decisions. For example, next-generation firewalls (NGFWs) incorporate intrusion detection and prevention system (IDPS) functionality and can identify and block malware, malicious content, or data exfiltration in the payload of a network packet.

Default Drop vs. Accept

Firewall rulesets are commonly defined as a list of independent rules. When the firewall is inspecting a packet, it will work through this list until it finds a rule that matches. At that point, it will perform the action associated with that rule, such as accepting the packet, dropping it, or logging it.

This design means that a firewall ruleset will have a “default” rule at the end of the list that is applied if no other rule fits. The options for this are:

• Drop: A default DROP ruleset will reject any packet that is not explicitly listed on an allowlist of permitted traffic. This approach is more secure because any oversights will result in legitimate traffic being dropped rather than malicious traffic accidentally being let through.
• Accept: A default ACCEPT ruleset allows traffic to go through unless stated otherwise (a blocklist). This approach offers more usability since oversights won’t block legitimate traffic (but will let malicious traffic through).

An organization can define rulesets for both inbound and outbound traffic. Often, rules for outbound traffic are more permissive — because requests theoretically originated from legitimate users inside the organization — while inbound traffic rules are more restrictive.

Conclusion

A firewall rule defines how a firewall should respond to a particular type of traffic (i.e. accepting, dropping, or logging it). These rules are important to a corporate cybersecurity policy because they determine what types of traffic are allowed to enter or leave an organization’s network.