Definition
A firewall is a device or piece of software that enforces an access-control policy between networks, deciding which packets may pass and which are dropped. RFC 2647 defines it as a device or group of devices that enforces an access control policy between networks. At its core, a packet-filtering firewall is an ordered list of allow and deny rules evaluated against each packet's source and destination addresses, protocol, and ports; in most implementations the first matching rule decides the verdict, and a default policy (which should be drop) covers everything that matches nothing. For anyone self-hosting on the public internet, the firewall is the first line of defense: it determines which services are reachable from outside at all.
Stateful versus stateless filtering
A stateless firewall judges each packet in isolation against the rule set. It cannot distinguish a reply to a connection the host opened from an unsolicited packet, so return traffic has to be permitted explicitly, usually by source port, and an attacker can simply choose that source port. A stateful firewall, the modern default, tracks active connections, such as TCP streams and UDP flows, and labels each packet relative to that table as NEW, ESTABLISHED, RELATED, or INVALID. This lets you write one rule that permits outbound connections and automatically allows their return traffic, instead of manually opening both directions. On Linux the tracking is done by the kernel's netfilter connection-tracking subsystem (conntrack), which both nftables and its predecessor iptables consult through their ct and state matches.
Ingress, egress, and self-hosting
Firewall policy is directional. Ingress rules govern traffic entering your network, and egress rules govern traffic leaving it. Controlling egress is an underused but powerful way to contain a compromised host: a machine that can only reach the destinations and ports its role needs cannot freely download tooling or call back to an attacker's server. A practical sovereign setup pairs a tight firewall with network segmentation, exposing only chosen services and pushing public-facing ones into a DMZ. Even encrypted tunnels and VPN endpoints depend on a correctly scoped firewall to limit which ports the outside world can ever reach.
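The following toy packet filter is an added illustration of the two sections above (stateful versus stateless filtering, and ingress/egress policy); it is not code from the original page and does not model any real firewall's implementation. It evaluates an ordered rule list with a default-drop policy and an optional connection-tracking table, and then runs two constructed scenarios: a stateless rule set that must open inbound traffic by source port and thereby admits an attacker who picks that port, and a stateful rule set that accepts replies to its own outbound connections, drops a mid-stream TCP probe with no known flow, and drops an outbound connection to a port the host's role does not need. The class names, the sample addresses and the port numbers are all assumptions made for the example.

```python
"""Toy packet filter: ordered first-match rules, default-drop policy, optional
connection tracking. Added illustration only; addresses and ports are constructed."""
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (ingress) or "out" (egress), relative to the host
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False       # TCP SYN without ACK: the only way to open a new TCP flow


@dataclass(frozen=True)
class Rule:
    action: str                        # "accept" or "drop"
    direction: Optional[str] = None    # None means "any" for this and every field below
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    state: Optional[str] = None        # "new", "established", "invalid"; None in stateless mode

    def matches(self, pkt: Packet, state: Optional[str]) -> bool:
        return (self.direction in (None, pkt.direction)
                and self.proto in (None, pkt.proto)
                and self.sport in (None, pkt.sport)
                and self.dport in (None, pkt.dport)
                and self.state in (None, state))


FlowKey = Tuple[str, str, int, str, int]


class Firewall:
    def __init__(self, rules: Iterable[Rule], stateful: bool = True, policy: str = "drop"):
        self.rules = list(rules)
        self.stateful = stateful
        self.policy = policy                 # verdict when no rule matches
        self.conntrack: Set[FlowKey] = set()  # flows that were accepted while NEW

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reply_key(p: Packet) -> FlowKey:
        # The same flow seen from the other side: addresses and ports swapped.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def classify(self, p: Packet) -> Optional[str]:
        """Connection-tracking state of a packet, decided before any rule is consulted."""
        if not self.stateful:
            return None
        if self._key(p) in self.conntrack or self._reply_key(p) in self.conntrack:
            return "established"
        if p.proto == "tcp" and not p.syn:
            return "invalid"    # mid-stream TCP packet for a flow we never saw (e.g. an ACK scan)
        return "new"

    def filter(self, p: Packet) -> str:
        state = self.classify(p)
        verdict = self.policy
        for rule in self.rules:
            if rule.matches(p, state):
                verdict = rule.action
                break           # first match wins, as in iptables and nftables
        if verdict == "accept" and state == "new":
            self.conntrack.add(self._key(p))   # remember the flow so its replies are ESTABLISHED
        return verdict


def stateless_demo() -> dict:
    # Stateless: for outbound HTTPS to work, replies must be opened by source port 443,
    # which also admits anyone who sends from source port 443 to any local port.
    fw = Firewall([
        Rule("accept", direction="out", proto="tcp", dport=443),
        Rule("accept", direction="in", proto="tcp", sport=443),   # the hole
    ], stateful=False)
    reply = Packet("in", "tcp", "93.184.216.34", 443, "10.0.0.5", 51000)
    probe = Packet("in", "tcp", "198.51.100.7", 443, "10.0.0.5", 22, syn=True)
    return {"legit_reply": fw.filter(reply), "attacker_sport_443_to_ssh": fw.filter(probe)}


def stateful_demo() -> dict:
    # Stateful: one rule covers all return traffic; ingress exposes only SSH;
    # egress allows only DNS and HTTPS, so an implant cannot call home on 4444.
    fw = Firewall([
        Rule("accept", state="established"),
        Rule("drop", state="invalid"),
        Rule("accept", direction="in", proto="tcp", dport=22, state="new"),
        Rule("accept", direction="out", proto="udp", dport=53, state="new"),
        Rule("accept", direction="out", proto="tcp", dport=443, state="new"),
    ])
    out_https = Packet("out", "tcp", "10.0.0.5", 51000, "93.184.216.34", 443, syn=True)
    reply = Packet("in", "tcp", "93.184.216.34", 443, "10.0.0.5", 51000)
    ack_scan = Packet("in", "tcp", "198.51.100.7", 443, "10.0.0.5", 22)      # no SYN, no flow
    ssh_in = Packet("in", "tcp", "203.0.113.9", 40000, "10.0.0.5", 22, syn=True)
    c2 = Packet("out", "tcp", "10.0.0.5", 52000, "198.51.100.7", 4444, syn=True)
    return {
        "out_https": fw.filter(out_https),
        "reply_to_https": fw.filter(reply),
        "ack_scan_sport_443": fw.filter(ack_scan),
        "new_ssh_in": fw.filter(ssh_in),
        "egress_to_4444": fw.filter(c2),
    }


if __name__ == "__main__":
    print(stateless_demo())
    print(stateful_demo())
```

The order of the stateful rules matters: the established accept comes first so that reply traffic never has to be re-matched against the per-service rules, and the invalid drop comes before any `new` accept so that a stray ACK to port 22 cannot slip through a rule that forgot to check state. Real conntrack also tracks timeouts and per-protocol state machines; this model keeps only the flow table, which is enough to show why the stateless rule set has to open a hole the stateful one does not.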
