Definition
Firewall is the general term for a device or piece of software that enforces an access-control policy between networks, deciding which packets may pass and which are dropped. RFC 2647 defines it simply as a system enforcing an access control policy between networks. At its core, a packet-filtering firewall is an ordered list of allow and deny rules evaluated against each packet's source, destination, protocol, and port — first match wins, and a sane policy ends with "deny everything else." For anyone self-hosting on the public internet, the firewall is the first and most important line of defense, because it decides what the rest of your stack is ever even asked to handle.
Stateful versus stateless filtering
A stateless firewall judges each packet in isolation against the rule set. A stateful firewall — the modern default — tracks the state of active connections, such as TCP streams and UDP flows, classifying packets as NEW, ESTABLISHED, or RELATED. This lets you write one rule that permits outbound connections and automatically allows their return traffic, instead of manually opening both directions and thereby opening far more than intended. On Linux this is implemented by nftables and its predecessor iptables; consumer routers wrap the same ideas in a web interface. Statefulness is why the default posture of a home network — everything outbound allowed, nothing unsolicited inbound — works at all.
Ingress, egress, and self-hosting
Firewall policy is directional. Ingress rules govern traffic entering your network; for a node runner, that means explicitly permitting only the services you mean to expose — a Bitcoin Core node's peer port opened via port forwarding, ports 80/443 to a reverse proxy — and dropping everything else before it reaches any service. Egress rules govern traffic leaving, and controlling egress is the underused half of the discipline: a compromised host that cannot phone home, exfiltrate data, or join a botnet is a contained problem rather than a breach. A practical sovereign setup pairs a tight firewall with network segmentation — miners on their own VLAN, since mining firmware should never be treated as trustworthy on your LAN; public-facing services pushed into a DMZ; management interfaces reachable only from a trusted subnet.
Habits that keep it honest
A firewall is a living policy, not an appliance you configure once. Default-deny in both directions where feasible, add rules narrowly (specific ports to specific hosts), log drops so you can see what is knocking, and re-read the rule list occasionally — stale rules for retired services are how careful networks rot into careless ones. And remember its limits: a firewall filters reachability, not content. A vulnerable service you exposed on purpose is exposed, firewall or not; the firewall's job is making sure that is the only conversation the internet can start with you.
Why miners deserve their own segment
ASIC miners are a textbook argument for internal firewalling. They run vendor firmware you cannot fully audit, on embedded Linux images that may go years without security updates, with web interfaces and APIs never designed for hostile networks — and mining fleets have been targeted by worms and credential scanners for years. Placing miners on their own VLAN with rules that allow them to reach their pool and nothing else — no path to your workstations, your node, or your storage — costs an evening of configuration and removes an entire class of lateral-movement risk. The same treatment suits cameras, printers, and every other appliance whose software you did not build and cannot inspect: connectivity scoped to the job, and not a port more.
Pair the firewall with port forwarding for the doors you open deliberately, a DMZ for services that face the world, and Tor when you want reachability without opening inbound ports at all.
In Simple Terms
Firewall is the general term for a device or piece of software that enforces an access-control policy between networks, deciding which packets may pass and…
