How a Firewall Works: From Your Router to Nation-State Censorship
Last updated: April 9, 2026
Learn how firewalls actually filter network traffic. We explain packet filtering, stateful inspection, and why the Great Firewall is just a very large firewall with extra tools.
Imagine you receive mail at home. A postal worker stands at your mailbox and inspects every envelope before it enters your house. They can read the sender's address and your address on the outside, and they can decide: this letter goes through, that one does not. Now imagine that same worker remembers who you've been corresponding with, so if a letter arrives from someone you've never contacted before, they can flag it as suspicious. And finally, imagine they open some envelopes and read the actual content inside to decide whether it's safe—not just who sent it, but what it says. That is roughly how firewalls work. They sit between networks and make decisions about which data gets through and which gets blocked.
When most people hear "firewall," they think of a single device. In reality, firewalls exist at multiple layers of your digital life, from your home router to the operating system on your computer to massive systems that nations use to control internet access. Understanding what they do—and what they cannot do—is essential to understanding both internet security and censorship.
What is a firewall, really?
A firewall is a piece of software or hardware that sits at the boundary between two networks and controls which data packets are allowed to cross that boundary. A packet is the basic unit of data sent across the internet—think of it as a small, standardized envelope containing a piece of information and a label with sender and recipient addresses.
At its core, every firewall is a decision engine. It looks at each packet and asks: should this one pass, or should I drop it? The rules it uses to make that decision determine what actually makes it through. A firewall cannot know whether you trust the sender or whether the data inside is malicious just by looking at the packet header—that outer envelope. It can only look at what's written on the outside.
Packet filtering: reading the envelope
The simplest firewalls work by inspecting the metadata on the outside of each packet. This metadata includes the sender's IP address (a unique numerical identifier for computers on the internet, like a home address), the recipient's IP address, and the port (a numbered channel used for a specific service—port 80 for web browsing, port 25 for email, and so on).
A basic firewall rule might say: "Block any packet from IP address 192.168.1.50 trying to reach port 443 on any computer." Port 443 is used for secure web traffic, so this rule would prevent that device from visiting HTTPS websites. Or it might say: "Allow packets from any address to my web server on port 80, but reject all others." This is like a mail screener who says, "Letters are okay, packages are not."
Packet filtering is fast and cheap to run, which is why even small devices do it. Your home router almost certainly contains a basic packet-filtering firewall. But packet filtering is also limited: it knows nothing about the relationship between packets. It cannot tell whether a packet is part of a conversation that started legitimately or a stray packet from an attack.
Stateful inspection: remembering conversations
An improvement on simple packet filtering is called stateful inspection (or stateful firewalling). Instead of treating each packet in isolation, a stateful firewall remembers connections—ongoing conversations between two computers.
Here is the difference: imagine you open a web browser and request a website. Your computer sends out a packet that says, "I am computer A, I want to talk to web server B on port 443." A simple packet filter would check that packet against its rules and let it through. But what about the server's reply? The server sends a packet back to your computer. A basic filter might block that return packet because no rule you defined explicitly allows it. A stateful firewall, by contrast, remembers that you initiated a conversation with the server, so it automatically allows the server's response to come back. It tracks the state of the conversation—open, closed, waiting—and makes decisions based on that context.
Most modern firewalls, from your home router to enterprise systems, use stateful inspection. It is more effective at preventing certain kinds of attacks because it does not allow unsolicited inbound connections—strangers cannot knock on your door unless you opened the door first. The tradeoff is complexity: a stateful firewall must keep track of many conversations at once, which requires more memory and processing power.
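To make the difference between the two sections above concrete, here is a small Python simulation added to this article (it is not code from any real firewall product): a stateless packet filter that applies rules in the style described under "Packet filtering", and a stateful firewall that wraps the same rules in a connection table. The addresses, ports and rules are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str            # sender IP address (the "from" on the envelope)
    dst: str            # recipient IP address
    sport: int          # sender port
    dport: int          # recipient port
    syn: bool = False   # True for the packet that opens a new TCP conversation

HOME = "192.168.1.50"     # computer A, the device on the home network (constructed)
SERVER = "203.0.113.10"   # web server B (constructed documentation address)
ANY = "*"

# Stateless packet filter: ordered list of (src, dst, dport, verdict); first match wins.
STATELESS_RULES = [
    (HOME, ANY, 443, "allow"),    # the home computer may browse HTTPS sites
    (ANY, ANY, ANY, "drop"),      # reject everything else (default deny)
]

def stateless_filter(pkt: Packet) -> str:
    """Decide on one packet using only its header, with no memory of earlier packets."""
    for src, dst, dport, verdict in STATELESS_RULES:
        if src in (ANY, pkt.src) and dst in (ANY, pkt.dst) and dport in (ANY, pkt.dport):
            return verdict
    return "drop"

class StatefulFirewall:
    """The same rules, plus a table of conversations that the inside opened."""
    def __init__(self) -> None:
        self.connections = set()   # entries: (inside ip, inside port, outside ip, outside port)

    def decide(self, pkt: Packet) -> str:
        # A reply to a conversation we initiated is allowed without consulting the rules.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return "allow (established)"
        verdict = stateless_filter(pkt)
        if verdict == "allow" and pkt.syn:
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict

def run_scenario() -> dict:
    """Replay the article's scenario: the request, the server's reply, then an unsolicited knock."""
    request = Packet(HOME, SERVER, 51234, 443, syn=True)            # A -> B, "I want to talk"
    reply = Packet(SERVER, HOME, 443, 51234)                         # B -> A, the response
    unsolicited = Packet("198.51.100.7", HOME, 4444, 22, syn=True)   # stranger -> A, no prior contact
    fw = StatefulFirewall()
    return {
        "stateless": [stateless_filter(p) for p in (request, reply, unsolicited)],
        "stateful": [fw.decide(p) for p in (request, reply, unsolicited)],
    }
```

The stateless filter drops the server's reply along with the stranger's packet, because no rule names it; the stateful firewall lets the reply through on the strength of its connection table and still drops the unsolicited packet.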
Application-layer firewalls: understanding the message
Both packet filtering and stateful inspection work at relatively low levels of the network stack—they look at addresses and ports, not at the actual content of the message. An application-layer firewall, by contrast, understands the application that is using the network. It can read HTTP requests (the protocol used for web browsing), understand DNS queries (the system that turns domain names into IP addresses), parse email, and so on.
An application-layer firewall can say, "Allow web traffic to port 443, but block any request containing the word 'forbidden' in the URL." It opens the envelope and reads the letter. This is much more powerful—and much more invasive. It can filter based on actual meaning, not just the envelope. However, it is also much slower and requires the firewall to understand every application it wants to inspect. When a new protocol appears or when traffic is encrypted, an application-layer firewall may not know what to do.
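The following Python example, added here and not taken from any real firewall, shows what "opening the envelope" looks like for the rule just described: it parses the first bytes of a TCP stream as an HTTP request and blocks URLs containing "forbidden", and it reports a payload as unreadable when it is a TLS record or a protocol the filter does not understand. The sample payloads and the blocked word list are constructed for the example.

```python
import re
from urllib.parse import unquote

# The article's example rule: allow web traffic, but block any request whose URL
# contains the word "forbidden". The word list is constructed for this example.
BLOCKED_URL_WORDS = ("forbidden",)

# Request line of an HTTP/1.x message: METHOD SP request-target SP HTTP/1.x CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")

def inspect_payload(payload: bytes) -> str:
    """Return 'allow', 'block' or 'opaque' for the first bytes of a TCP stream.

    'opaque' means the firewall cannot read the letter: the payload is either
    encrypted (a TLS record) or a protocol this filter does not understand.
    """
    # A TLS record begins with a content-type byte (0x16 = handshake) and the
    # legacy version bytes 0x03 0x0x. The HTTP request inside is encrypted, so
    # the URL is unreadable without breaking the encryption.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "opaque"
    match = REQUEST_LINE.match(payload)
    if not match:
        return "opaque"
    # Normalize the target the way the server will see it (decode %XX escapes,
    # ignore case) so the check is made against the URL the server actually receives.
    url = unquote(match.group(2).decode("ascii", "replace")).lower()
    if any(word in url for word in BLOCKED_URL_WORDS):
        return "block"
    return "allow"

# Constructed sample payloads, as the firewall would see them on the wire.
SAMPLES = {
    "plain page": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "blocked word in path": b"GET /articles/forbidden-topic HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "blocked word, percent-encoded": b"GET /%66orbidden HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "TLS ClientHello (HTTPS)": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32,
    "unknown binary protocol": b"\x00\x2a\x7fproto\x01\x02",
}

def classify_samples() -> dict:
    """Run every sample through the filter and return its verdict by name."""
    return {name: inspect_payload(data) for name, data in SAMPLES.items()}
```

The two "opaque" results are the limitation the paragraph above describes: once the request is inside a TLS session, or arrives in a protocol the firewall has no parser for, the content-based rule has nothing to read.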
Where firewalls live
Your home router contains a firewall. Your computer's operating system (Windows, macOS, Linux) contains a firewall. Large organizations run dedicated firewall devices at the edge of their network. And nation-states like China deploy enormous systems that combine all of these techniques.
The Great Firewall of China is not actually different in kind from your home router's firewall—it is a stateful firewall with DPI (Deep Packet Inspection, a technique that reads packet content) added at an unprecedented scale. It inspects vast amounts of traffic, remembers conversations between millions of computers, and understands the protocols people use. It is essentially the same technology, deployed at the national level.
The limitations of firewalls
Firewalls cannot stop all attacks. They cannot inspect encrypted traffic without breaking encryption. They cannot prevent a user from voluntarily connecting to a malicious website. And they cannot distinguish between legitimate and malicious traffic if an attacker follows all the rules.
Finally, firewalls are not magic. They are tools that enforce rules, and those rules are written by humans. A firewall can only block what its administrators told it to block.
Key takeaway
A firewall is a decision engine that sits between networks and controls which packets pass through. The three main types—packet filtering, stateful inspection, and application-layer filtering—represent a spectrum from simple and fast to complex and powerful. Understanding how they work helps explain both how your home network stays secure and how nations implement censorship. They are the same technology applied at different scales.
Next, you might explore how encryption defeats deep packet inspection, or how DNS filtering works as a different kind of network control.