What is a firewall?

A firewall stands between your computer and the network it’s on or between your network and the wider internet. It exists to allow specific types of traffic, often identified by the port they use, through and block everything else.

Your local network comprises every device that’s connected to your home router, either via Wi-Fi or a wired Ethernet connection. Every device is assigned an IP address by your router, which uses NAT (Network Address Translation) to direct traffic to and from all those IP addresses to the world via your “outside global IP address” – the address issued to you by your internet service provider.

If you router accepted all traffic, regardless of who it’s from or where it’s going, then anyone from outside would be able to access anything on your network. That’s obviously a terrible idea, so your firewall stands in the way of that.

It won’t let anything out onto the wider internet unless a computer inside your network specifically requests that the connection be made. Anything that you actively want to serve data to the wider internet, such as a web or email server, is assigned to the DMZ (Demilitarized Zone), which sits outside the firewall. More sophisticated deployments may instead place the DMZ behind a different, less restrictive set of firewall rules, separated from the local network.

But what if you do need to allow in traffic from outside? Then you configure the firewall to let it through using a “firewall rule”. You’ll typically do this using the Port Forwarding settings on your firewall.

Certain ports have specific functions that they’re reserved for. Port 80 for web traffic and port 22 for secure shell access, for example.

Others, you’ll have to manually open using your router’s Port Forwarding settings. You tell the router which external, internet-facing port it needs to open and which local device’s IP address it needs to direct any data sent to that port to. You’ll also want to define which port on the local device the traffic goes to, so that it’s directed to the program listening for it.

If you want to be able to use Remote Desktop Protocol (RDP) to connect to a Windows PC inside your network when you’re elsewhere, you’ll need to open port 3389. The default port for a dedicated Minecraft server is 25565.

While you can often assign more or less any port you like (except the reserved ones) to anything, sticking with the defaults has benefits. However, it can also make you more vulnerable to anyone specifically trying to hack into poorly protected examples of services that use those ports. Never use default usernames and passwords for services that you’ll be exposing to the internet.

Your router’s NAT firewall has other features, such as the ability to block outbound traffic if you want to. You an also configure your firewall to allow all traffic from a specific IP address to access parts or all of your network. This can be useful if you need complete access to one network you own from another network you own that has a different IP address.

So that’s your network firewall. It does a great job of keeping you safe, and it’s worth having a decent one so that you get a proper configuration interface with plenty of options. 

Windows also has a robust firewall that’s on by default.

That’s very much a Windows thing. Linux distros and macOS have software firewalls but don’t enable them by default. Instead, if a service on the system isn’t explicitly using (“listening on”) a port, it will be unresponsive to any external attempt to contact it, effectively preventing any unwanted communication or access.

The Windows firewall does more or less the same thing as your network firewall, but it only cares about the PC it’s running on. By default, Windows Firewall on Windows 10 and Windows 11 blocks all inbound connections that don’t match a specific firewall rule 

It’s also a bit more interactive, so if you initiate a connection that uses a certain port, it may ask you if you want to open that port or not, and will add a rule allowing that connection if you say yes. However, it doesn’t always get this right, so you may need to manually open specific firewall ports using the Microsoft Defender Firewall settings.