What is a firewall?
A device or system that permits or denies the transfer of IP data packets through an IP interface, based on pre-defined rules. Firewalls are used to protect individual computers or entire networks from access by hackers and from attack by malware that may be probing for weaknesses within your network or PC. Two fundamentally different types of firewall exist - hardware firewalls and software firewalls; the difference between them is explained below. The rules used by firewalls can be quite complex, and firewalls are pre-configured with multiple rules so that an informed decision can be made about whether any given data packet is legitimate. Each rule includes a number of criteria that are used to assess what action should be taken. Typically these criteria include the source IP address of the packet, the destination IP address, the type of packet (e.g. UDP, TCP, ICMP) and the service being requested (usually defined in terms of the destination port number). Firewall manufacturers frequently include additional features that work alongside the basic rules to provide enhanced protection for the computers on the LAN. These include Stateful Packet Inspection, SYN flood attack lockout, Denial of Service lockout and various other more specific protection policies.

Hardware Firewalls
A hardware firewall is a device with at least two Ethernet interfaces - one for connection to the "unsafe" public network and another for connection to the protected private network. These are usually labelled WAN and LAN respectively. A hardware firewall will have its own CPU and memory and a dedicated program, stored in non-volatile memory, that runs continuously. This program, generally referred to as firmware, is responsible for inspecting every packet of data trying to pass through from one interface to any other. A hardware firewall will be equipped with some kind of password-protected administration interface, usually in the form of dynamic web pages that are viewed using a browser. It is very common for a hardware firewall device to have a number of other network functions built into the same box. For example, it might include an Ethernet switch, thereby providing multiple sockets for LAN-side connections. It will almost inevitably act as a router, and in some cases the administration interface allows static routes to be configured. Virtually all hardware firewalls provide Network Address Translation (NAT) to allow many computers on the LAN network to share one IP address on the WAN network. Some include wireless networking to add WiFi functionality on the LAN side. Some can also act as a VPN termination point - very useful if you want to allow remote or mobile users to connect securely to the LAN. Site-to-site VPN capability, when included, allows multiple sites to communicate securely with each other in a way that can be virtually transparent to users.

Software Firewalls
A software firewall is a program that runs in the background on a computer and which inspects packets of data trying to pass in or out through the network interfaces installed in the computer. The firewall is pre-configured with rules that it uses to decide whether data packets should be blocked or allowed through. The rules in a software firewall can include additional parameters beyond those that are usually found in the rules of hardware firewalls because the software firewall has some knowledge about the applications running on the computer. Thus the criteria used to decide if a packet may pass through will often include references to the application that is transmitting or receiving the data as well as the remote IP address, port number and direction of travel of the packets. Some software firewalls can be configured to "trust" particular applications and allow them free access to the Internet or, more likely, to permit access using a particular port but only for a particular group of programs.

NAT: Address Translation
A facility that is normally built into hardware firewalls to allow multiple private IP addresses on the LAN to share access to the Internet through one public IP address. In addition to providing highly efficient use of IP addresses, NAT has the advantage that it makes computers on the LAN more secure, because they cannot be directly addressed from the Internet. However, this can also be a disadvantage for some services that need to communicate directly with a computer on the LAN - for example Voice over IP telephony.