---
title: "AP Cybersecurity Firewall and ACL Configuration Guide"
description: "Learn to read and configure firewall ACL rules for AP Cybersecurity: rule order, IPs, ports, protocols, allow/deny logic, and default deny."
canonical: "https://fiveable.me/ap-cybersecurity/cybersecurity-technical-skills/firewall-acl-configuration-guide/study-guide/rPN9mXE24pKmdos8fyRn"
type: "study-guide"
subject: "AP Cybersecurity"
unit: "Cybersecurity Technical Skills"
lastUpdated: "2026-06-16"
---

# AP Cybersecurity Firewall and ACL Configuration Guide

## Summary

Learn to read and configure firewall ACL rules for AP Cybersecurity: rule order, IPs, ports, protocols, allow/deny logic, and default deny.

## Guide

[Firewalls](/ap-cybersecurity/key-terms/firewall "fv-autolink") show up across [Unit 3](/ap-cybersecurity/unit-3 "fv-autolink") (Securing Networks) and Unit 4 (Securing Devices), and they are almost guaranteed to appear in the free-response Device Security Analysis. This guide helps you read an access control list (ACL), figure out exactly which packets get allowed or denied, and write or modify rules that meet a scenario's specifications.

The goal is not to memorize firewall definitions. The goal is to trace a packet through a rule set and explain the effect of a configuration on traffic and users, which is exactly what the exam asks you to do.

## Where this shows up on the exam

In the multiple-choice section, you will see scenario-driven items built on technical artifacts, and firewall ACLs are specifically listed as one of those artifact types. Expect questions that hand you a short rule table and ask which traffic passes.

The free-response question, Device Security Analysis, can supply device firewall settings alongside logs and policies. That question assesses Skill Categories 2 ([Mitigate Risk](/ap-cybersecurity/cybersecurity-skills/mitigate-risk/study-guide/1e2jm2Ks2uN8D3sepFx5 "fv-autolink")) and 3 ([Detect Attacks](/ap-cybersecurity/cybersecurity-skills/detect-attacks/study-guide/k7DmYzrBX6GIIzRYjsuG "fv-autolink")), so you may need to evaluate a firewall control, describe how a rule change affects users, or write a corrected rule.

The relevant learning objectives are 3.4.B (explain how a firewall uses an ACL to allow or [deny](/ap-cybersecurity/unit-3/protecting-networks-firewalls/study-guide/12y7V1SN54RlPrQELNJa "fv-autolink") traffic), 3.4.D (configure a firewall to manage traffic flow), and 4.3.D (configure a [host-based firewall](/ap-cybersecurity/key-terms/host-based-firewall "fv-autolink")). Keep your reasoning defensive: you are protecting assets, not attacking them.

## How a firewall reads an ACL

An ACL is an ordered list of rules. The firewall checks a packet against each rule from top to bottom and stops at the first match. This is the single most important idea, because the same rules in a different order can produce opposite results.

Each rule typically specifies these fields:

| Field | What it matches | Example |
|:--|:--|:--|
| Action | Allow or deny | `allow` |
| Protocol | TCP, UDP, ICMP | `tcp` |
| Source IP | Where the packet came from | `203.0.113.0/24` |
| Destination IP | Where the packet is headed | `10.0.1.10` |
| Destination port | The service being reached | `443` |
| Direction | Inbound or outbound | `inbound` |

[Port](/ap-cybersecurity/key-terms/port "fv-autolink") numbers map to services, so know the common ones: `443` for [HTTPS](/ap-cybersecurity/key-terms/https "fv-autolink"), `80` for HTTP, `22` for SSH, `53` for DNS, and `3306` for MySQL. A scenario that says "patients book appointments over a secure web connection" is pointing you at TCP `443`.

## Default deny

Most ACLs end with an implicit or explicit default deny rule. That means any packet not matched by an earlier allow rule is dropped. This is the safe [baseline](/ap-cybersecurity/unit-3/detecting-network-attacks/study-guide/5kYH3dgJpqFp57SUnjEX "fv-autolink"): you open only what you need and block everything else.

When you read a rule set, always ask what happens to traffic that matches no allow rule. If the answer is "it gets denied," the firewall is following default deny. If a broad allow sits at the bottom, the firewall is effectively permitting unexpected traffic, which is a finding worth flagging.

## Worked mini-example

Consider Scenario 3A, where Firewall A protects a public web server at `10.0.1.10`. You need external clients to reach the web app securely while blocking other traffic. Here is a clean rule set:

```
1  allow  tcp   any            10.0.1.10   443   inbound
2  deny   tcp   any            10.0.1.10   80    inbound
3  deny   tcp   any            10.0.1.10   22    inbound
4  deny   ip    any            any               inbound   (default deny)
```

Trace a packet from an external user to `10.0.1.10` on port `443`. It matches rule 1 and is allowed. Good, that is the patient booking traffic.

Now trace a packet to `10.0.1.10` on port `22` (an SSH attempt from the internet). It does not match rule 1, matches rule 3, and is denied. Remote administrative access from the outside is blocked, which is what you want for a public server.

For Firewall B, the requirement is that only internal employees reach patient records on the file server at `10.0.2.20`. The matching key is the source IP, restricting access to the internal [subnet](/ap-cybersecurity/key-terms/subnet "fv-autolink"):

```
1  allow  tcp   10.0.2.0/24    10.0.2.20   445   inbound
2  deny   ip    any            10.0.2.20         inbound
```

A packet from an internal host in `10.0.2.0/24` to the file server matches rule 1 and passes. A packet from an external address fails rule 1, hits rule 2, and is denied. The control enforces the "internal only" specification through the source IP field.

## A workflow for ACL questions

Use this order every time you face a rule set, whether on multiple choice or the FRQ.

1. Identify the packet in the question: its source IP, destination IP, [protocol](/ap-cybersecurity/key-terms/protocol "fv-autolink"), and [destination port](/ap-cybersecurity/key-terms/destination-port "fv-autolink").
2. Read rules top to bottom and stop at the first match.
3. Apply that rule's action. If no rule matches, apply the default deny.
4. Translate the result into plain language tied to the scenario, such as "the external user can reach the web app but cannot SSH into it."

When you are asked to write or modify a rule, name the exact fields. State the action, protocol, source, destination, port, and direction so there is no ambiguity. If the scenario wants secure web access only, write an allow for TCP `443` and rely on default deny for everything else rather than adding a broad allow.

## Evaluating a control, not just reading it

The exam often wants you to evaluate impact, which goes beyond "allowed or denied." Describe the tradeoff for both security and users.

For example, blocking inbound `22` on a public server reduces the attack surface for brute-force SSH login attempts, which protects the [asset](/ap-cybersecurity/key-terms/asset "fv-autolink"). The [cost](/ap-cybersecurity/unit-4/detecting-attacks-on-devices/study-guide/JpiXN2cti74uJERazuw3 "fv-autolink") is that administrators must connect through the internal network or a controlled path instead of straight from the internet. Naming both sides shows you understand the control's effect.

When a log file accompanies the firewall, connect them. If `/var/log/auth.log` shows repeated failed logins from an external IP and the ACL still allows that traffic, recommend a deny rule for that source or that port and explain that it would cut off the observed attempts.

## Common mistakes to avoid

Ignoring rule order is the most frequent error. A specific deny placed below a broad allow never fires, so the broad allow wins. Always check whether an earlier rule already matched.

Confusing source and destination flips the entire meaning of a rule. The source is where the packet starts; the destination is the server or host it is trying to reach. Restricting by source controls who can connect; restricting by destination controls what can be reached.

Forgetting default deny leads students to assume traffic is allowed when it actually drops. If a packet matches no allow rule, it is denied. Conversely, do not assume everything is blocked if a wide-open allow sits at the bottom.

Writing vague rules costs FRQ points. "Block bad traffic" is not a configuration. Specify the action, protocol, addresses, and port. Use the right port for the service named in the scenario, and match the direction (inbound versus outbound) to the traffic described.

Finally, do not overcorrect by denying needed traffic. If you block `443` on a web server to "be safe," patients can no longer book appointments. Tie every rule back to the specification so you allow what the scenario requires and deny the rest.

## FAQs

### How does rule order affect a firewall ACL?

A firewall checks a packet against ACL rules from top to bottom and stops at the first match, then applies that rule's action. This means a specific deny placed below a broad allow will never take effect, because the allow matches first. Always read rules in order and identify which one matches before deciding whether traffic is allowed or denied.

### What does default deny mean in a firewall configuration?

Default deny means any packet that does not match an earlier allow rule is dropped. It is the safe baseline: you open only the ports and sources you need and block everything else. On the exam, if a packet matches no allow rule, assume it is denied unless a broad allow rule sits at the bottom of the list.

### How do I write a firewall rule on the AP Cybersecurity free-response question?

Specify every field clearly: the action (allow or deny), protocol (TCP, UDP, ICMP), source IP, destination IP, destination port, and direction (inbound or outbound). Match the port to the service in the scenario, such as 443 for secure web traffic, and rely on default deny for everything else instead of adding a broad allow. Vague phrasing like 'block bad traffic' does not count as a configuration.

### What is the difference between source IP and destination IP in an ACL?

The source IP is where the packet originates, and the destination IP is the host or server it is trying to reach. Restricting by source controls who can connect, such as allowing only an internal subnet to reach a file server. Restricting by destination controls what can be reached. Confusing the two reverses the meaning of a rule, so check both fields carefully.

## Structured Data

```json
{"@context":"https://schema.org","@type":"FAQPage","inLanguage":"en","mainEntity":[{"@type":"Question","@id":"https://fiveable.me/ap-cybersecurity/cybersecurity-technical-skills/firewall-acl-configuration-guide/study-guide/rPN9mXE24pKmdos8fyRn#how-does-rule-order-affect-a-firewall-acl","name":"How does rule order affect a firewall ACL?","acceptedAnswer":{"@type":"Answer","text":"A firewall checks a packet against ACL rules from top to bottom and stops at the first match, then applies that rule's action. This means a specific deny placed below a broad allow will never take effect, because the allow matches first. Always read rules in order and identify which one matches before deciding whether traffic is allowed or denied."}},{"@type":"Question","@id":"https://fiveable.me/ap-cybersecurity/cybersecurity-technical-skills/firewall-acl-configuration-guide/study-guide/rPN9mXE24pKmdos8fyRn#what-does-default-deny-mean-in-a-firewall-configuration","name":"What does default deny mean in a firewall configuration?","acceptedAnswer":{"@type":"Answer","text":"Default deny means any packet that does not match an earlier allow rule is dropped. It is the safe baseline: you open only the ports and sources you need and block everything else. On the exam, if a packet matches no allow rule, assume it is denied unless a broad allow rule sits at the bottom of the list."}},{"@type":"Question","@id":"https://fiveable.me/ap-cybersecurity/cybersecurity-technical-skills/firewall-acl-configuration-guide/study-guide/rPN9mXE24pKmdos8fyRn#how-do-i-write-a-firewall-rule-on-the-ap-cybersecurity-free-response-question","name":"How do I write a firewall rule on the AP Cybersecurity free-response question?","acceptedAnswer":{"@type":"Answer","text":"Specify every field clearly: the action (allow or deny), protocol (TCP, UDP, ICMP), source IP, destination IP, destination port, and direction (inbound or outbound). Match the port to the service in the scenario, such as 443 for secure web traffic, and rely on default deny for everything else instead of adding a broad allow. Vague phrasing like 'block bad traffic' does not count as a configuration."}},{"@type":"Question","@id":"https://fiveable.me/ap-cybersecurity/cybersecurity-technical-skills/firewall-acl-configuration-guide/study-guide/rPN9mXE24pKmdos8fyRn#what-is-the-difference-between-source-ip-and-destination-ip-in-an-acl","name":"What is the difference between source IP and destination IP in an ACL?","acceptedAnswer":{"@type":"Answer","text":"The source IP is where the packet originates, and the destination IP is the host or server it is trying to reach. Restricting by source controls who can connect, such as allowing only an internal subnet to reach a file server. Restricting by destination controls what can be reached. Confusing the two reverses the meaning of a rule, so check both fields carefully."}}]}
```
