Packet filtering is the firewall technique of examining the headers of network packets, specifically IP addresses, ports, and protocols, and then permitting or denying that traffic based on rules in an access control list (ACL).
Packet filtering is the core job a firewall does. Every piece of data crossing a network travels in packets, and each packet carries a header with details like its source and destination IP addresses, its source and destination ports, and the protocol it's using. A packet-filtering firewall reads those header fields and decides, rule by rule, whether to let the packet through or drop it.
There are two flavors. A stateless firewall filters purely on header info (EK 3.4.A.2). It looks at one packet at a time and asks "does this match a rule?" without remembering anything else. A stateful firewall, also called dynamic packet filtering (EK 3.4.A.3), does everything a stateless one does but also tracks the state of active connections. So it can tell the difference between a brand-new connection attempt and return traffic that belongs to a conversation you already started. That memory lets it enforce smarter rules.
This lives in Unit 3: Securing Networks, specifically Topic 3.4 (Protecting Networks: Firewalls). Packet filtering is the mechanism behind learning objective AP Cybersecurity 3.4.A (identifying firewall types) and AP Cybersecurity 3.4.B (how a firewall uses an ACL to allow or deny traffic). It also underpins 3.4.D, where you actually configure firewall rules. If you understand packet filtering, you understand what an ACL rule is really doing: checking a packet's header against criteria in order and acting on the first match (EK 3.4.B.2).
Access Control List (ACL) (Unit 3)
Packet filtering is the action; the ACL is the rulebook it follows. Each ACL rule names a direction, a filter criterion like an IP or port, and an action (permit or deny). The firewall filters packets by walking that list top to bottom and executing the first matching rule.
Ports and Protocols (Unit 3)
Packet filtering can't happen without ports and protocols, because those are the header fields it reads. A rule like Allow inbound TCP port 22 from ALL works because port 22 maps to SSH. Knowing your common ports is what makes filtering rules make sense.
Deep Packet Inspection (Unit 3)
Basic packet filtering only reads headers, like checking the address on an envelope. Deep packet inspection opens the envelope and reads the contents, which is what lets a firewall catch things like a SQL injection hidden inside otherwise-normal traffic.
Firewall Placement (Unit 3)
Packet filtering only protects what it sits in front of. That's why each network segment and every ingress/egress point to the public internet should have a firewall (EK 3.4.C), so filtering happens at every boundary that matters.
Expect multiple-choice questions that describe a firewall behavior and ask you to name the type or technique. A stem that says the firewall "examines packet headers but also remembers which connections have been established" is pointing at stateful filtering (dynamic packet filtering). A stem about blocking traffic only after a connection attempt is also stateful. If the firewall is detecting a SQL injection inside the traffic, that's deep packet inspection, not basic packet filtering. For configuration questions, you'll read or write ACL rules like Deny inbound TCP port 80 from 192.168.1.0/24 and predict what they allow or block. No released FRQ has used "packet filtering" verbatim, but the rule-writing and firewall-placement skills it supports are squarely in the configuration objectives of Topic 3.4.
All firewalls in this topic do packet filtering, so the real distinction is stateless vs. stateful. A stateless firewall judges each packet alone using only header info. A stateful firewall (dynamic packet filtering) tracks connection state, so it can allow return traffic for a session you started while still blocking unsolicited new connections. If a question mentions "remembering" or "connection state," pick stateful.
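The first-match ACL walk and the stateless vs. stateful difference described above, as an added example that is not part of the original study guide. The names, the sample ACL and the addresses are constructed; the default deny when no rule matches and the 5-tuple connection table are simplifying assumptions.

```python
import ipaddress
from collections import namedtuple

# Header fields only: this filter never looks at a packet's payload.
Packet = namedtuple("Packet", "direction proto src sport dst dport")
# port is the destination port (None = any); source is a CIDR block or "ALL".
Rule = namedtuple("Rule", "action direction proto port source")

def matches(rule, p):
    if (rule.direction, rule.proto) != (p.direction, p.proto):
        return False
    if rule.port is not None and rule.port != p.dport:
        return False
    return rule.source == "ALL" or (
        ipaddress.ip_address(p.src) in ipaddress.ip_network(rule.source))

def stateless_filter(acl, p):
    """Walk the ACL top to bottom; the first matching rule decides."""
    for rule in acl:
        if matches(rule, p):
            return rule.action
    return "deny"  # assumption: default deny when no rule matches

class StatefulFirewall:
    """Simplified connection tracking: remembers permitted flows by 5-tuple."""
    def __init__(self, acl):
        self.acl, self.connections = acl, set()

    def filter(self, p):
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        reply_of = (p.proto, p.dst, p.dport, p.src, p.sport)
        if flow in self.connections or reply_of in self.connections:
            return "permit"  # part of a connection that was already allowed
        action = stateless_filter(self.acl, p)
        if action == "permit":
            self.connections.add(flow)
        return action

# Constructed sample ACL; order matters: rule 1 is hit before rule 2 for the /24.
ACL = [Rule("deny", "inbound", "tcp", 80, "192.168.1.0/24"),
       Rule("permit", "inbound", "tcp", 80, "ALL"),
       Rule("permit", "inbound", "tcp", 22, "ALL"),
       Rule("permit", "outbound", "tcp", 443, "ALL")]

# Constructed packets: a client's outbound HTTPS request and the server's reply.
REQUEST = Packet("outbound", "tcp", "10.0.0.5", 51000, "198.51.100.7", 443)
REPLY = Packet("inbound", "tcp", "198.51.100.7", 443, "10.0.0.5", 51000)

if __name__ == "__main__":
    fw = StatefulFirewall(ACL)
    print("stateless reply:", stateless_filter(ACL, REPLY))
    print("stateful:", fw.filter(REQUEST), "then", fw.filter(REPLY))
```

The stateless filter drops the server's reply because no inbound rule names port 51000, while the stateful firewall permits it only after it has seen the matching outbound request.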
Packet filtering means a firewall reads packet headers (IP addresses, ports, and protocols) to permit or deny traffic.
A stateless firewall filters one packet at a time using only header info, with no memory of past traffic.
A stateful firewall, also called dynamic packet filtering, adds memory by tracking connection state, so it can filter based on whether a connection was already established.
Firewalls apply packet filtering through ACL rules that are checked in order, and the first matching rule wins.
Basic packet filtering only sees headers; reading the actual payload is the job of deep packet inspection.
Packet filtering is when a firewall inspects the header fields of network packets, such as IP addresses, ports, and protocols, and decides to permit or deny each packet based on rules in an access control list. It's the basic function every firewall performs.
Not exactly. Stateful filtering is a more advanced kind of packet filtering, sometimes called dynamic packet filtering. It does the same header checks a stateless firewall does, but it also tracks the state of active connections, so it knows the difference between new traffic and return traffic from a session you already opened.
Packet filtering only looks at the header of a packet, like reading the address on an envelope. Deep packet inspection looks inside the payload, the actual contents, which is how a firewall can detect things like a SQL injection attack hidden in otherwise-allowed traffic.
Yes. Ports are one of the header fields a packet-filtering firewall reads, so you can write rules like Allow inbound TCP port 22 from ALL to permit SSH, or deny a port to block a service. Filtering by port, IP, protocol, service, or application is exactly what ACL rules do.
Pick the stateful firewall, also written as dynamic packet filtering. Any time a stem says the firewall "remembers" connections, allows "related" or "return" traffic, or acts only after a connection attempt, that's stateful behavior, not stateless.