Network Security in 5 Days — Day 1
Day 1 of 5, about 60 minutes

Firewalls & Perimeter Defense

Firewalls are the first line of defense for every network. Today you learn stateful packet filtering, next-generation firewall features, rule design principles, and how to audit firewall configurations for common weaknesses.

Stateful vs. Stateless Firewalls

Stateless firewalls filter each packet on its headers alone (IP addresses, ports, protocol). They are fast, but because they cannot tell whether an inbound packet belongs to an existing session they are easily fooled, for example by packet fragmentation. Stateful firewalls track connection state: they know the difference between a legitimate TCP reply and an unsolicited inbound packet. All enterprise-grade firewalls are stateful. Next-Generation Firewalls (NGFW) add application-layer inspection, user identity awareness, and threat intelligence feeds.

Firewall Rule Design

Rules are evaluated top-to-bottom and processing stops at the first match, so order matters. Best practices: default-deny (block everything, then explicitly allow what is needed), least privilege (restrict source, destination, and port to the minimum required), log denies (so blocked traffic generates alerts), and an explicit deny-all rule at the bottom. Never allow 'any any any' rules (any source, any destination, any service) — attackers love those.

Network Zones and Segmentation

Divide networks into security zones: Internet (untrusted), DMZ (public-facing services), Internal (employee workstations), and Restricted (servers, databases). Traffic between zones must pass through firewall inspection. A DMZ prevents an attacker who compromises a web server from directly reaching internal systems.

# Linux iptables rules (stateful). A loopback accept is included because a
# default-deny INPUT chain without it breaks local services.
iptables -A INPUT -i lo -j ACCEPT
# Replies to connections this host opened (-m conntrack --ctstate replaces the older -m state --state)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT   # SSH from the admin subnet only
iptables -A INPUT -p tcp --dport 443 -j ACCEPT                    # HTTPS from anywhere
iptables -A INPUT -j LOG --log-prefix "IPT-DROP: "                # log what the final deny catches
iptables -A INPUT -j DROP                                         # Default deny

# nftables (modern Linux firewall); the chain policy itself is the default deny
nft add table inet filter
nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }
nft add rule inet filter input iif lo accept
nft add rule inet filter input ct state established,related accept
nft add rule inet filter input tcp dport 22 ip saddr 192.168.1.0/24 accept
nft add rule inet filter input tcp dport 443 accept

# View current iptables rules (rule numbers are what you reference when inserting or deleting)
iptables -L -n -v --line-numbers

# Save and restore rules (the path used by iptables-persistent)
iptables-save > /etc/iptables/rules.v4
iptables-restore < /etc/iptables/rules.v4
Tip: Always test firewall rules from outside the network. What looks correct from inside may behave differently when traffic traverses NAT or multiple hops.
Day 1 Exercise: Build a Firewall Rule Set
  1. Set up a Linux VM and install iptables-persistent
  2. Create a default-deny policy for all three chains (INPUT, OUTPUT, FORWARD)
  3. Allow established/related connections so existing sessions work
  4. Allow SSH from 192.168.1.0/24 only, HTTP from anywhere, deny everything else
  5. Use nmap from another VM to verify only the allowed ports are accessible

Day 1 Summary

  • Stateful firewalls track connection state, not just packet headers
  • Rules are evaluated top-to-bottom and stop at the first match; order is critical
  • Default-deny is the baseline; explicitly allow only what is needed
  • Network zones (Internet/DMZ/Internal) limit blast radius of compromises
  • Log all denied traffic — blocked connections are security intelligence

Challenge

Audit a UFW firewall configuration on a test Ubuntu VM. Find and document any overly permissive rules, then write a corrected rule set with justification for each change.
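The rule-design principles above (default deny, no 'any any any' rules, rule order, logged denies) and this audit challenge both come down to reading the live rule set and flagging what violates them. The script below is an added example, not part of the lesson: it audits iptables-save output (on a UFW host, iptables-save also shows the chains UFW generates) and runs here against a constructed sample. The finding labels and the sample rules are assumptions.

```shell
#!/bin/sh
# Added example (not part of the lesson): audit an iptables-save dump for the
# weaknesses the lesson warns about. Finding labels and the sample are assumed.
set -eu
# Constructed sample in iptables-save format (not captured from a real host).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -j LOG --log-prefix "IPT-DROP: "
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT'

# audit_rules [FILE]: reads iptables-save output (stdin if no file), prints one
# finding per line, exits 1 when anything was flagged. Checks: chain policy not
# DROP, "any any any" ACCEPT rules, rules shadowed by an earlier catch-all, and
# unconditional drops that are not preceded by a LOG rule.
audit_rules() {
  awk '
    /^:/ { sub(/^:/, "")                       # ":INPUT ACCEPT [0:0]" -> chain, policy
           if ($2 == "ACCEPT") { found++; printf "POLICY chain %s defaults to ACCEPT, expected DROP\n", $1 }
           next }
    /^-A / {
      chain = $2; idx = ++count[chain]; target = ""; restricted = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "-j") target = $(i + 1)
        # any of these options narrows the rule; "-p tcp" alone does not
        if ($i ~ /^(-s|-d|-i|--dport|--sport|--ctstate|--state)$/) restricted = 1
      }
      if (shadow[chain]) { found++; printf "SHADOWED %s rule %d is unreachable after a catch-all\n", chain, idx; next }
      if (target == "ACCEPT" && !restricted) {
        found++; printf "ANYANY %s rule %d accepts all traffic\n", chain, idx; shadow[chain] = 1 }
      if ((target == "DROP" || target == "REJECT") && !restricted) {
        if (last[chain] != "LOG") { found++; printf "UNLOGGED %s rule %d drops without a preceding LOG rule\n", chain, idx }
        shadow[chain] = 1 }
      last[chain] = target
    }
    END { exit (found > 0) }
  ' "${1:--}"
}
# Stand-alone demo; on a real host use: iptables-save | audit_rules
printf '%s\n' "$SAMPLE_RULES" | audit_rules || echo "Findings above need attention."
```

Each finding names the chain and the rule's position, which matches the numbers shown by iptables -L --line-numbers.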
