What Are Firewall Rules? Ultimate Guide & Best Practices

Firewall rules are preconfigured, logical computing controls that give a firewall instructions for permitting and blocking network traffic. They help IT and security teams manage the traffic that flows to and from their private network. This includes protecting data from internet threats, but it also means restricting unauthorized traffic attempting to leave your enterprise network. Network admins must configure firewall rules that protect their data and applications from threat actors.

How Firewall Rules Work

IT admins use several types of firewall rules to restrict the flow of traffic between your network and external networks. Inbound and outbound rules differ in intent, but both protect a business’s private network: one keeps malicious traffic from entering it, the other keeps sensitive data from leaving it. Firewall rules are also evaluated in order, so the firewall applies the most critical security restrictions before the others.

Inbound vs Outbound Rules

Inbound rules prevent certain external traffic from entering your network. They govern traffic arriving from remote sources, such as connection requests to a web server. For example, if an IP address from outside the network attempts to connect to an internal database, an inbound rule configured to block such IP addresses will stop it.

Inbound rules can be general, configured to match traffic from a whole range of IP addresses. They can also be specific, designed to block individual sources such as a particular website or user.

Outbound rules restrict the traffic of users within your network, preventing them from accessing certain external systems, websites, or networks deemed unsafe. For example, a business employee on the company network might try to access a website that had previously caused a malware infection on a company computer. Because the IT team created a firewall rule to block that URL, the employee won’t be able to access it.

Outbound rules can also be configured to identify sensitive data being transferred out of the network. If a rule is designed to stop files containing customer information from being emailed, for example, a user could get a notification when they try to email a CSV file of lead data.

Read more about the different types of firewalls, including web application firewalls, cloud firewalls, and UTM.

Order of Firewall Rules

On most firewalls, rules are evaluated from top to bottom and the first rule that matches a packet decides what happens to it, so the order of the rulebase matters. IT or security teams should order their rules so the most important ones are evaluated first.

In its Firewall Checklist, SANS Institute recommends the following order of rules:

  1. Anti-spoofing filters: Block malicious IP addresses.
  2. User permit rules: For example, allow all traffic to reach the public web server.
  3. Management permit rules: For example, send a Simple Network Management Protocol (SNMP) trap to a network management server.
  4. Noise drops: Disregard undesired traffic earlier in the firewall rulebase to improve firewall functionality.
  5. Deny and alert: Notify the systems administrator of potentially malicious traffic.
  6. Deny and log: Record all remaining traffic to be analyzed later.

4 Types of Firewall Rules

The types of firewall rules include access, network address translation, application level gateways, and circuit level gateways. While some seem to serve similar purposes, they may operate at different levels of the Open Systems Interconnection (OSI) model or manage different types of traffic.

Access Rules

Access rules restrict which traffic can reach resources on your network. These encompass both inbound and outbound rules. Access rules within firewalls determine whether traffic from a specific source is permitted to enter the network (inbound). They also determine whether traffic from an internal source is permitted to leave the network (outbound).

Access rules help block known malicious traffic sources. For teams in industries like financial services, healthcare, and government, the more specific the access rule, the better. They can help your data and compliance teams improve your organization’s regulatory compliance stance, too — by limiting access to resources like databases and other storage spaces, you’re better able to track who has access to your company’s sensitive information.

Network Address Translation Rules

Network address translation (NAT) rules map private, unregistered IP addresses to legitimate, registered public ones. As packets cross the firewall, NAT rewrites the address fields in their IP headers, so the address seen on the other side of the firewall is different from the original.

NAT maps multiple internal (private) IP addresses, which can come from multiple devices or transmissions, to a single external (public) one. NAT operates at the third layer of the OSI model, the network layer, because it deals with IP headers. NAT rules allow your IT and security teams to specify how your private network communicates with public networks like the internet.

Application Level Gateways

Application level gateways are designed to protect your business’s applications. They filter traffic at the application layer, applying rules that restrict which connection attempts reach a given application, so a threat actor trying to reach an application on the network is blocked. They may also be referred to as software- or hardware-level gateways.

Circuit Level Gateways

Circuit level gateways examine IP and TCP communications and allow or block packets according to the gateway’s rules. They manage the handshaking process at the fifth layer of the OSI model, the session layer, verifying the handshake itself rather than the contents of the individual data packets that follow.

Simple Firewall Rule Example

If your IT team hosts an HTTP server that receives public internet traffic within its private network, they might configure a firewall rule that does the following:

  • Identify the traffic protocol: HTTP traffic typically uses TCP.
  • Allow the traffic: Traffic destined for TCP port 80 on the server is permitted.
  • Give a description: The rule’s description notes that it is a port-forwarding rule: traffic to port 80 is permitted into the private network even though it originates on a public network.

Firewall rules like this are logically configured to allow or drop packets from specific locations and traffic types, giving IT admins more control over their security environment.
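To make the first-match evaluation behind the SANS ordering and the HTTP-server rule above concrete, here is an added Python simulation (it is not part of this article or of any firewall product). The interface names, hosts and subnets are assumed values; the rulebase follows the six SANS categories in order.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "ext" (internet) or "int" (LAN)
    proto: str      # "tcp", "udp" or "icmp"
    src: str        # source IP address
    dst: str        # destination IP address
    dport: int = 0  # destination port (0 for protocols without ports)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow", "drop", "deny+alert" or "deny+log"
    iface: str = "*"        # "*" matches any interface
    proto: str = "*"        # "*" matches any protocol
    src: str = "0.0.0.0/0"  # source network (CIDR)
    dst: str = "0.0.0.0/0"  # destination network (CIDR)
    dports: tuple = ()      # empty tuple matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("*", p.iface)
                and self.proto in ("*", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (not self.dports or p.dport in self.dports))


# Constructed rulebase in the SANS order; the hosts and subnets are assumed values.
RULEBASE = [
    Rule("anti-spoof: private source on external interface", "drop", iface="ext", src="10.0.0.0/8"),
    Rule("user permit: HTTP to the public web server", "allow", proto="tcp", dst="203.0.113.10/32", dports=(80,)),
    Rule("management permit: SNMP traps to the NMS", "allow", proto="udp", src="10.0.0.0/8", dst="10.0.0.5/32", dports=(162,)),
    Rule("noise drop: NetBIOS name and datagram service", "drop", proto="udp", dports=(137, 138)),
    Rule("deny+alert: outside access to the database", "deny+alert", iface="ext", proto="tcp", dst="10.0.0.20/32", dports=(5432,)),
    Rule("deny+log: everything else", "deny+log"),
]


def evaluate(packet: Packet, rulebase=RULEBASE):
    """First-match evaluation: the first rule that matches decides the packet's fate."""
    for rule in rulebase:
        if rule.matches(packet):
            return rule.action, rule.name
    raise RuntimeError("rulebase has no catch-all rule")


if __name__ == "__main__":  # the spoofed packet is HTTP to the web server, yet anti-spoofing wins
    for pkt in (Packet("ext", "tcp", "198.51.100.7", "203.0.113.10", 80), Packet("ext", "tcp", "10.1.2.3", "203.0.113.10", 80)):
        print(pkt.src, "->", pkt.dst, pkt.dport, evaluate(pkt))
```

Moving the anti-spoofing rule below the user permit rule would let the spoofed packet through, which is exactly why the ordering is prescribed.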

6 Best Practices for Firewall Rules

When your teams are developing firewall rules, consider the following configuration and management best practices so your rules make sense and work well together. These include specifying details for each rule, managing rules in groups, and making rules readable, sufficiently secure, and consistent with one another. Additionally, your team may want to consider applying other security techniques, like network segmentation with granular rules.

Apply Any Important Data to Rules

Each firewall rule should carry enough information about the traffic it matches and the action it takes to be accurate and unambiguous. If you’re a network admin, you might need to specify the following details when creating a firewall rule:

  • The applicable networking protocol: These include TCP, UDP, and ICMP.
  • The traffic source: Where did the traffic come from?
  • The destination IP address: Where is the traffic going?
  • The associated action: What the firewall does (for example, allow or drop) once it identifies a packet attempting to enter or exit the network.

Not all networks or systems may require this data, but it can be a helpful organizational tool, especially if your security team is trying to track data sources and protocols over time.

Streamline Rule Management As Much As You Can

Some networking products and applications will allow you to create groups of firewall rules. While streamlining the process of applying rules, groups also improve organization — for example, a network admin can easily view similar rules by expanding a particular group. Depending on the product, they may also be able to apply changes to an entire group of rules instead of configuring each individually.

Groups should have related rules — they have a similar purpose or function or address one specific component of the network, like rules for outbound traffic or rules for endpoints with a particular operating system.

Create Rules with Appropriate Levels of Protection

Tailor your firewall rules to the security needs of your organization. Not all networks will need the same number of rules, and some will be more strict than others. For example, a private network for a hospital, financial services provider, or government agency will need highly restrictive rules, such as thorough blocklists and limited allowlists.

But while all firewalls should protect business data and systems, some won’t need that much protection. You should know your industry’s security and data privacy expectations and ensure that your firewall rules support your compliance requirements.

Make Sure Rules Are Readable

Firewall rule sprawl is entirely possible, especially if you have multiple team members coming in and out of the IT department. If a networking admin creates a set of rules, doesn’t maintain them, and leaves, their replacement may have trouble learning which rules are currently active.

Ensure the rules make sense when other team members, including future ones, view them. They should be ordered logically and grouped when it’s appropriate or possible to do so, and they should be at least somewhat intuitive.

Ensure Rules Interact Well

Make sure all firewall rules work together. Some rules can completely contradict each other, and that will slow down legitimate traffic. Over time, that could detract from the network’s performance. Large enterprises in particular could eventually have major network slowdowns due to contradicting firewall rules.

If you’re an admin, look closely at each rule and ensure you know exactly what it does. If one rule blocks all traffic from port 57 but another rule permits only certain packets from port 57, the two conflict, and which one wins depends only on their order. Instead, tweak or delete rules so they don’t overlap in a contradictory way.
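The port-57 conflict above is a shadowing problem: under first-match evaluation, a later rule that an earlier rule completely covers can never fire. The following Python audit is an added example, not code from this article or any firewall vendor; the rulebase is constructed, the host addresses are assumed, and only full coverage is reported (partial overlaps are left for a human to judge).

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    proto: str = "*"            # "*" matches any protocol
    src: str = "0.0.0.0/0"      # source network (CIDR)
    dst: str = "0.0.0.0/0"      # destination network (CIDR)
    sports: tuple = (0, 65535)  # inclusive source-port range


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by b would already be matched by a."""
    return (a.proto in ("*", b.proto)
            and ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.sports[0] <= b.sports[0] and b.sports[1] <= a.sports[1])


def audit(rulebase):
    """Report each rule that an earlier rule makes unreachable under first-match evaluation."""
    findings = []
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if covers(earlier, later):
                kind = "contradicted" if earlier.action != later.action else "redundant"
                findings.append((later.name, kind, earlier.name))
                break  # the first shadowing rule is enough to report
    return findings


# Constructed rulebase reproducing the port-57 conflict from the text (hosts assumed).
RULEBASE = [
    Rule("block all traffic from port 57", "deny", sports=(57, 57)),
    Rule("permit finance hosts from port 57", "allow", proto="tcp", src="10.1.0.0/24", sports=(57, 57)),
    Rule("allow web", "allow", proto="tcp", dst="203.0.113.10/32"),
    Rule("allow web again", "allow", proto="tcp", dst="203.0.113.10/32"),
]

if __name__ == "__main__":
    for name, kind, by in audit(RULEBASE):
        print(f"{name!r} is {kind} by earlier rule {by!r}")
```

A contradicted finding usually means the specific rule belongs above the broad one; a redundant finding means the later rule can simply be deleted.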

Consider Network Segmentation

Segmenting the network and applying different rules to each segment can be beneficial if certain sub-networks need more intensive controls. For instance, you may have your network segmented so a database with sensitive customer information is in a different zone. That zone may have stricter firewall rules because the data needs more protection. This helps protect your confidential data and applications, especially if your business is developing a zero trust strategy.

If your team is looking for network security products, check out our list of network security categories, including network access control, endpoint detection and response, and encryption.

How to Manage Firewall Rules

If you’re a networking, IT, or security admin, manage your firewall rules by ensuring they’re properly documented, follow an appropriate change procedure, and continue to suit your team’s needs.

Document Rules Over Time

Anyone who works on your IT security team should be able to tell very quickly what each of your firewall rules is intended to do by looking at your documentation. At a minimum, you need to keep track of the following data:

  • Purpose: Why the firewall rule exists.
  • Service(s): The applications it affects.
  • User and hardware impact: The users and devices it affects.
  • Date: When the rule was added.
  • Timeline: When temporary rules should expire, if relevant.
  • Creator: The name of the person who added the rule.

Some experts also recommend that you use categories or section titles to group similar rules together. That can be especially helpful when it comes to determining the best order for your rules.

Establish & Follow a Change Procedure for Firewall Configuration

Before you begin changing any of your existing firewall rules, establish a formal procedure that you’ll use for any modifications if you don’t already have such a process. A typical change procedure might include a logically ordered set of processes like the ones below:

  1. Change request: Business users can use this to ask for alterations to the firewall configuration.
  2. Assessment: The firewall team analyzes the risk and determines the best course of action to balance the business users’ needs with security needs.
  3. Testing: Tests ensure that any changes to firewall rules will have the desired effect.
  4. Deployment: The new rule needs to be moved into production after it has been tested.
  5. Validation: Validating configurations ensures the new firewall settings are operating as intended.
  6. Documentation: Changes need to be tracked once they’ve been made.

If you have a small security team, it might be tempting to implement changes less formally. But experts say that following the process strictly can help avoid lapses in security caused by poor firewall configuration.

Consistently Review Rules

Your IT or security teams should regularly examine firewall rules over time, especially if admins are leaving and filling roles often. New network admins may not know what rules already exist and add redundant ones. To avoid firewall rule clutter, take inventory of your existing ones and determine whether they need to be consolidated or deleted. Some might overlap, and some may no longer be relevant and might slow down current processes.

As you begin the process of fine-tuning and optimizing your firewall rules, take the time to revisit your existing rules. You may find that you’re following some rules that were installed by default without anyone really understanding why you have them.

Bottom Line: Configuring Firewall Rules

Before configuring specific rules for your business’s firewall, make sure you study the network and know all your applications well. Which ones need to be protected? Which websites do your employees most frequently access? Are there any internet sources that they should never be able to access? Additionally, how extensive do your team’s allowlists and blocklists need to be?

Firewall rules should be configured intentionally by professionals who know the networking needs of the business. Be wise with your firewall configurations, instead of just creating rules willy-nilly — each should have a specific purpose that you can clearly explain. The more firewall rules are managed, the better they’ll be able to serve your IT department and entire business.

Is your business ramping up its network protection? Read our guide to network security next, which covers network layers, major network security challenges, and launching a career in network security.

Jenna Phipps