Firewalls are categorized as a network-based or a host-based system. Network-based firewalls are positioned between two or more networks, typically between the local area network (LAN) and wide area network (WAN), their basic function being to control the flow of data between connected networks. They are either a software appliance running on general-purpose hardware, a hardware appliance running on special-purpose hardware, or a virtual appliance running on a virtual host controlled by a hypervisor. Firewall appliances may also offer non-firewall functionality, such as DHCP or VPN services. Host-based firewalls are deployed directly on the host itself to control network traffic or other computing resources. This can be a daemon or service as a part of the operating system or an agent application for protection.
The first reported type of network firewall is called a packet filter, which inspects packets transferred between computers. The firewall maintains an access-control list which dictates what packets will be looked at and what action should be applied, if any, with the default action set to silent discard. Three basic actions regarding the packet consist of a silent discard, discard with Internet Control Message Protocol or TCP reset response to the sender, and forward to the next hop. Packets may be filtered by source and destination IP addresses, protocol, or source and destination ports. The bulk of Internet communication in 20th and early 21st century used either Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) in conjunction with well-known ports, enabling firewalls of that era to distinguish between specific types of traffic such as web browsing, remote printing, email transmission, and file transfers.

The first paper published on firewall technology was in 1987 when engineers from Digital Equipment Corporation (DEC) developed filter systems known as packet filter firewalls. At AT&T Bell Labs, Bill Cheswick and Steve Bellovin continued their research in packet filtering and developed a working model for their own company based on their original first-generation architecture. In 1992, Steven McCanne and Van Jacobson released a paper on BSD Packet Filter (BPF) while at Lawrence Berkeley Laboratory.
From 1989–1990, three colleagues from AT&T Bell Laboratories, Dave Presotto, Janardan Sharma, and Kshitij Nigam, developed the second generation of firewalls, calling them circuit-level gateways.

Second-generation firewalls perform the work of their first-generation predecessors but also maintain knowledge of specific conversations between endpoints by remembering which port number the two IP addresses are using at layer 4 (transport layer) of the OSI model for their conversation, allowin…

Read more on Wikipedia

At the core of a firewall's operation are the policies that govern its decision-making process. These policies, collectively known as firewall rules, are the specific guidelines that determine the traffic allowed or blocked across a network's boundaries.

Firewall rules are based on the evaluation of network packets against predetermined security criteria. A network packet, which carries data across networks, must match certain attributes defined in a rule to be allowed through the firewall. These attributes commonly include:
• Direction: Inbound or outbound traffic
• Source: Where the traffic originates (IP address, range, network, or zone)
• Destination: Where the traffic is headed (IP address, range, network, or zone)
• Port: Network ports specific to various services (e.g., port 80 for HTTP)
• Protocol: The type of network protocol (e.g., TCP, UDP, ICMP)
• Applications: L7 inspection or grouping av services.
• Action: Whether to allow, deny, drop, or require further inspection for the traffic
Zones are logical segments within a network that group together devices with similar security requirements. By partitioning a network into zones, such as "Technical", "WAN", "LAN", "Public," "Private," "DMZ", and "Wireless," administrators can enforce policies that control the flow of traffic between them. Each zone has its own level of trust and is governed by specific firewall rules that regulate the ingress and egress of data.

I typical default is to allow all traffic from LAN to WAN, and to drop all traffic from WAN to LAN.
In networking terms, services are specific functions typically identified by a network port and protocol. Common examples include HTTP/HTTPS (web traffic) on ports 80 and 443, FTP (file transfer) on port 21, and SMTP (email) on port 25. Services are the engines behind the applications users depend on. From a security aspect, controlling access to services is crucial because services are common targets for exploitation. Firewalls employ rules that stipulate which services should be accessible, to whom, and in what context. For example, a firewall might be configured to block incoming FTP requests to prevent unauthorized file uploads but allow outgoing HTTPS requests for web browsing.
Applications refer to the software systems that users interact with while on the network. They can range from web browsers and email clients to complex database systems and cloud-based services. In network security, applications are important because different types of traffic can pose varying security risks. Thus, firewall rules can be crafted to identify and control traffic based on the application generating or receiving it. By using application awareness, firewalls can allow, deny, or limit traffic for specific applications according to organizational policies and compliance requirements, thereby mitigating potential threats from vulnerable or undesired applications.

Application can both be a grouping of services, or a

Read more on Wikipedia

Traffic Logs:
• Description: Traffic logs record comprehensive details about data traversing the network. This includes source and destination IP addresses, port numbers, protocols used, and the action taken by the firewall (e.g., allow, drop, or reject).
• Significance: Essential for network administrators to analyze and understand the patterns of communication between devices, aiding in troubleshooting and optimizing network performance.
Threat Prevention Logs:
• Description: Logs specifically designed to capture information related to security threats. This encompasses alerts from intrusion prevention systems (IPS), antivirus events, anti-bot detections, and other threat-related data.
• Significance: Vital for identifying and responding to potential security breaches, helping security teams stay proactive in safeguarding the network.
Audit Logs:
• Description: Logs that record administrative actions and changes made to the firewall configuration. These logs are critical for tracking changes made by administrators for security and compliance purposes.
• Significance: Supports auditing and compliance efforts by providing a detailed history of administrative activities, aiding in investigations and ensuring adherence to security policies.
Event Logs:
• Description: General event logs that capture a wide range of events occurring on the firewall, helping administrators monitor and troubleshoot issues.
• Significance: Provides a holistic view of firewall activities, facilitating the identification and resolution of any anomalies or performance issues within the network infrastructure.
Session Logs:
• Description: Logs that provide information about established network sessions, including session start and end times, data transfer rates, and associated user or device information.
• Significance: Useful for monitoring network sessions in real-time, identifying abnormal activities, and optimizing network performance.
DDoS Mitigation Logs:
• Description: Logs that record events related to Distributed Denial of Service (DDoS) attacks, including mitigation actions taken by the firewall to protect the network.
• Significance: Critical for identifying and mitigating DDoS attacks promptly, safeguarding network resources and ensuring uninterrupted service availability.
Geo-location Logs:
• Description: Logs that capture information about the geographic locations of network connections. This can be useful for monitoring and controlling access based on geographical regions.
• Significance: Aids in enhancing security by detecting and preventing suspicious activities originating from specific geographic locations, contributing to a more robust defense against potential threats.

Read more on Wikipedia