HackMyIP
What Is a Firewall? How It Works

What a Firewall Does

A firewall is a security barrier that inspects network traffic and decides, by a set of rules, what to allow through and what to block. The rules typically match on source and destination IP address, the port number, and the protocol (TCP or UDP). Anything that does not match an allow rule is dropped. That is the whole job: enforce a policy on what can talk to what.

Firewalls sit at boundaries — between your device and the local network, or between your network and the internet. You can see which ports are reachable on a connection with our Port Scanner, which is exactly the surface a firewall is meant to control.

Stateless vs Stateful Firewalls

A stateless (packet-filtering) firewall judges each packet in isolation against the rules — fast, but with no memory of the conversation. A stateful firewall tracks the state of active connections, so it knows that an incoming packet is a legitimate reply to a request your device already sent, versus an unsolicited connection attempt. Stateful inspection is the modern default because it can allow return traffic without leaving ports permanently open.
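
The difference described above, as an added example that is not part of the original page: a simplified Python model in which `stateless_allow`, `StatefulFirewall` and the sample packets (documentation-range addresses) are all constructed for illustration. It tracks only the protocol and address/port tuple; real connection tracking also follows TCP state and timeouts.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = leaving the protected host, "in" = arriving
    proto: str       # "tcp" or "udp"
    src: tuple       # (ip, port)
    dst: tuple       # (ip, port)

def stateless_allow(pkt):
    """Packet filter with no memory: each packet is judged alone.
    To let web replies back in, it needs a standing rule that accepts
    any inbound TCP packet whose source port is 443."""
    if pkt.direction == "out":
        return True
    return pkt.proto == "tcp" and pkt.src[1] == 443   # everything else: drop

class StatefulFirewall:
    """Tracks flows the host opened; inbound is allowed only as a reply."""
    def __init__(self):
        self.flows = set()   # (proto, local endpoint, remote endpoint)

    def allow(self, pkt):
        if pkt.direction == "out":
            self.flows.add((pkt.proto, pkt.src, pkt.dst))
            return True
        # Inbound: the reversed tuple must match a tracked flow, else drop.
        return (pkt.proto, pkt.dst, pkt.src) in self.flows

# Constructed sample traffic (not captured from a real network).
HOST = ("192.0.2.10", 51000)
SAMPLE = [
    Packet("out", "tcp", HOST, ("198.51.100.5", 443)),   # request
    Packet("in", "tcp", ("198.51.100.5", 443), HOST),    # its reply
    Packet("in", "tcp", ("203.0.113.9", 443), HOST),     # unsolicited
    Packet("in", "tcp", ("203.0.113.9", 40000), ("192.0.2.10", 22)),
]

def verdicts(decide, packets):
    """Run each packet through a decision function, in order."""
    return ["allow" if decide(p) else "drop" for p in packets]

if __name__ == "__main__":
    print("stateless:", verdicts(stateless_allow, SAMPLE))
    print("stateful: ", verdicts(StatefulFirewall().allow, SAMPLE))
```

The third packet is the one to watch: the stateless rule admits it because its source port is 443, while the stateful firewall drops it because the host never opened a flow to that address.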

Hardware vs Software Firewalls

A software firewall runs on the device it protects — Windows Defender Firewall, the macOS application firewall, or iptables/nftables on Linux — controlling that one machine. A hardware firewall is a separate device (or a function built into your router) that protects every device behind it at the network edge. They are complementary: the router guards the perimeter, the software firewall guards the individual machine even on untrusted networks.

Does a Firewall Block Ports?

Yes — controlling ports is one of a firewall's core functions. By default a well-configured firewall blocks inbound connections to ports you have not explicitly opened, which is why an unsolicited scan of your connection usually finds most ports closed or filtered. When you set up port forwarding or open a port for a game or server, you are adding a firewall rule that permits traffic to that specific port. Check what is currently exposed with the Port Scanner.

Firewall vs Router: Do You Need Both?

Most home routers include a basic firewall, and the NAT they perform also incidentally blocks unsolicited inbound traffic. That covers a lot. But a firewall and a router are not the same thing — NAT hides your devices, a firewall enforces an explicit traffic policy. Keeping the software firewall on your individual devices enabled is still worthwhile, because it protects you on public Wi-Fi where you are not behind your home router at all.

Frequently Asked Questions

What does a firewall do?

A firewall inspects network traffic and uses a set of rules to decide what to allow and what to block, matching on IP address, port, and protocol. Traffic that does not match an allow rule is dropped. Its purpose is to enforce a policy on what is permitted to connect to your device or network.

What is the difference between a hardware and software firewall?

A software firewall runs on the device it protects, such as the Windows or macOS firewall, and controls that one machine. A hardware firewall is a separate device or a router function that protects every device behind it at the network edge. They are complementary and work well together.

What is a stateful firewall vs a stateless firewall?

A stateless firewall checks each packet in isolation against the rules with no memory of the connection. A stateful firewall tracks active connections, so it can tell that an incoming packet is a legitimate reply to a request you already sent. Stateful inspection is the modern default because it allows return traffic without leaving ports open.

Does a firewall block ports?

Yes. Controlling ports is a core firewall function. A well-configured firewall blocks inbound connections to ports you have not explicitly opened, which is why a scan usually finds most ports closed or filtered. Opening a port for a game or server simply adds a rule that permits traffic to it.

Do I need a firewall if I have a router?

A router gives you partial protection because most include a basic firewall and the NAT they perform blocks unsolicited inbound traffic. But keeping the software firewall on your individual devices enabled is still worthwhile, especially because it protects you on public Wi-Fi where you are not behind your home router.

Last updated: April 2026