Packet filtering firewall


I read that a packet filtering firewall operates at level 3 (network layer). In the description I read that it filters packets based on IP addresses and ports. If it's operating at level 3, how can it filter packets based on source and destination ports? I think it should operate at level 4.


Posted 2017-09-03T20:43:24.787

A firewall operates at layer 3 upwards - a basic firewall just looks at layers 3 and 4, more advanced ones up to and including the application layer ("third/next generation firewall", "deep inspection", "UTM", depending on vendor).


Posted 2017-09-03T20:43:24.787

Here it is written only network layer. – Zephyr – 2017-09-03T21:02:23.120

The text seems to be written from the perspective of a stateful firewall, which is second generation. Network layer isn't very up-to-date as practically all current firewalls are at least stateful (inspecting the transport layer and tracking its port states). – Zac67 – 2017-09-03T21:11:28.113

Ok, so stateless firewalls can only see IP addresses or work at the network layer, whereas a stateful firewall works at the transport layer and can examine ports, right? – Zephyr – 2017-09-03T21:14:34.310

Nearly - a stateless firewall may also be examining ports but it doesn't track the port states. This is more or less historical though, I don't think you'd be able to find one. – Zac67 – 2017-09-03T21:19:51.887

Okay, thanks for the reply! – Zephyr – 2017-09-03T21:21:41.870


Stateful packet filters keep a list of already established connections. A connection will begin with a three-way TCP handshake (SYN, SYN-ACK, ACK) and typically end with a two-way exchange (FIN, ACK). Stateful is supposed to be better at detecting faked packets.

Stateless filters don't keep a list. Every packet is processed in isolation, with no regard to the previous packets. Stateless is supposed to be better for processing packets faster.

Here is some more reading material to help you understand the difference between stateful and stateless packet filters.

Yuli Gartner
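The difference described in the answers above, as an added example that is not part of the original posts: the same constructed packet trace is run through a stateless rule set that looks only at addresses, ports and flags, and through a stateful filter that keeps a connection list. The names `Pkt`, `stateless_allow`, `StatefulFilter` and `TRACE`, the addresses, and the simplified TCP state machine are all assumptions made for illustration.

```python
from collections import namedtuple

# Constructed packet model: layer 3 addresses, layer 4 ports and TCP flags.
Pkt = namedtuple("Pkt", "src sport dst dport flags")
INSIDE, SERVER = "10.0.0.5", "192.0.2.10"  # constructed addresses

def stateless_allow(pkt):
    """Judge one packet in isolation; nothing is remembered between calls."""
    if pkt.src == INSIDE and pkt.dport == 80:
        return True  # outbound web traffic
    # Inbound "reply" rule: from port 80 with ACK set.
    return pkt.dst == INSIDE and pkt.sport == 80 and "ACK" in pkt.flags.split()

class StatefulFilter:
    """Tracks connections opened from INSIDE (simplified TCP state machine)."""
    def __init__(self):
        self.conns = {}  # (client, cport, server, sport) -> state name

    def allow(self, pkt):
        out, flags = pkt.src == INSIDE, set(pkt.flags.split())
        key = pkt[0:4] if out else (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.conns.get(key)
        if state is None:  # only an outbound SYN may create state
            ok, nxt = (out and pkt.dport == 80 and flags == {"SYN"}), "SYN_SENT"
        elif state == "SYN_SENT":
            ok, nxt = (not out and flags == {"SYN", "ACK"}), "SYN_RCVD"
        elif state == "SYN_RCVD":
            ok, nxt = (out and flags == {"ACK"}), "ESTABLISHED"
        elif state == "ESTABLISHED":
            ok, nxt = True, ("FIN_SEEN" if "FIN" in flags else "ESTABLISHED")
        else:  # FIN_SEEN: the closing ACK ends tracking
            ok, nxt = "ACK" in flags, None
        if ok and nxt:
            self.conns[key] = nxt
        elif ok:
            del self.conns[key]
        return ok

TRACE = [  # constructed: handshake, data, stray ACK, FIN/ACK close, late ACK
    Pkt(INSIDE, 40000, SERVER, 80, "SYN"), Pkt(SERVER, 80, INSIDE, 40000, "SYN ACK"),
    Pkt(INSIDE, 40000, SERVER, 80, "ACK"), Pkt(SERVER, 80, INSIDE, 40000, "ACK"),
    Pkt(SERVER, 80, INSIDE, 40001, "ACK"), Pkt(INSIDE, 40000, SERVER, 80, "FIN ACK"),
    Pkt(SERVER, 80, INSIDE, 40000, "ACK"), Pkt(SERVER, 80, INSIDE, 40000, "ACK"),
]

def verdicts(allow):
    """Run TRACE through a filter function; True means the packet passed."""
    return [allow(p) for p in TRACE]
```

The stateless rules pass all eight packets, while the stateful filter drops the fifth (an ACK for a port that never opened a connection) and the eighth (an ACK arriving after the connection was closed).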

