A firewall rule is a logical statement evaluated top-down. The moment a packet matches a rule, the associated action is taken, and subsequent rules are ignored. Order and precision are everything.
Most stateful firewalls match traffic based on the five-tuple: Source IP, Source Port, Destination IP, Destination Port, and Protocol. Advanced NGFWs add User-ID and App-ID to this matrix.
💡 Pro-tip: Always place your most specific, high-risk drop rules at the very top of the policy. This saves CPU cycles by dropping bad traffic before it hits resource-heavy inspection engines.
```yaml
# Conceptual Firewall Rule YAML
- action: deny
  source: 10.0.0.0/24
  destination: any
  port: 22
  protocol: tcp
  log: true
```

This rule explicitly blocks the internal subnet from initiating SSH connections externally, logging the attempt for security monitoring.
A shadowed rule is one that can never be hit because a broader rule above it catches the traffic first. These create administrative bloat and hide security gaps. Regular rule audits are required to prune them.
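The two ideas above, first-match evaluation over the five-tuple and detection of shadowed rules, as an added Python example (not part of this lab's material). Rule fields follow the YAML shape used above; the sample policy, packets and the `evaluate`/`shadowed` helpers are constructed for illustration.

```python
# Added example: minimal first-match five-tuple evaluator plus a
# shadowed-rule audit. Policy below is constructed, not a real ruleset.
import ipaddress

ANY = "any"

def _net(v):
    return None if v == ANY else ipaddress.ip_network(v, strict=False)

def matches(rule, pkt):
    """True when the packet's five-tuple falls inside the rule."""
    for key in ("source", "destination"):
        net = _net(rule[key])
        if net is not None and ipaddress.ip_address(pkt[key]) not in net:
            return False
    return all(rule[k] in (ANY, pkt[k]) for k in ("port", "protocol"))

def evaluate(policy, pkt, default="deny"):
    """Top-down, first match wins; rules after the hit are never consulted."""
    for rule in policy:
        if matches(rule, pkt):
            return rule["action"]
    return default

def _covers(broad, narrow, key):
    # Does the broad rule's field contain everything the narrow one matches?
    if broad[key] == ANY:
        return True
    if narrow[key] == ANY:
        return False
    if key in ("source", "destination"):
        return _net(narrow[key]).subnet_of(_net(broad[key]))
    return broad[key] == narrow[key]

def shadowed(policy):
    """Indices of rules that can never be hit because a single earlier
    rule already covers every packet they would match. (Conservative:
    shadowing by the union of several earlier rules is not detected.)"""
    keys = ("source", "destination", "port", "protocol")
    return [i for i, r in enumerate(policy)
            if any(all(_covers(e, r, k) for k in keys) for e in policy[:i])]

POLICY = [  # constructed sample policy, evaluated top-down
    {"action": "deny", "source": "10.0.0.0/24", "destination": ANY, "port": 22, "protocol": "tcp"},
    {"action": "permit", "source": ANY, "destination": ANY, "port": 443, "protocol": "tcp"},
    {"action": "permit", "source": "10.0.0.0/8", "destination": ANY, "port": 443, "protocol": "tcp"},
]

if __name__ == "__main__":
    pkt = {"source": "10.0.0.5", "destination": "203.0.113.7", "port": 22, "protocol": "tcp"}
    print(evaluate(POLICY, pkt))   # deny: rule 0 hits first
    print(shadowed(POLICY))        # [2]: rule 2 is fully covered by the ANY/ANY:443 rule above it
```

Rule 2 is the lab's shadowed-rule case: the broader 'ANY' to 'ANY' on 443 rule above it catches every packet it could match, so it adds bloat without ever taking effect.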
⚠️ Beware of 'ANY' in source or destination fields. A rule allowing 'ANY' to 'ANY' on port 443 effectively bypasses network segmentation for web traffic.
| Component | Example | Risk if Misused |
|---|---|---|
| Source | 192.168.1.0/24 | Broad subnets allow lateral movement |
| Port | ANY | Opens massive attack surface |
| Action | Permit | Implicit trust without inspection |