---
title: "AP Cybersecurity 3.4: Firewalls and ACL Rules Explained"
description: "Learn firewall types, access control lists, placement, and rule order for AP Cybersecurity Topic 3.4. Covers stateless, stateful, and next-generation firewalls."
canonical: "https://fiveable.me/ap-cybersecurity/unit-3/protecting-networks-firewalls/study-guide/12y7V1SN54RlPrQELNJa"
type: "study-guide"
subject: "AP Cybersecurity"
unit: "Unit 3 – Securing Networks"
lastUpdated: "2026-06-18"
---

# AP Cybersecurity 3.4: Firewalls and ACL Rules Explained

## Summary

Learn firewall types, access control lists, placement, and rule order for AP Cybersecurity Topic 3.4. Covers stateless, stateful, and next-generation firewalls.

## Guide

## TLDR
A [firewall](/ap-cybersecurity/key-terms/firewall) allows or denies network traffic using a set of rules called an [access control list](/ap-cybersecurity/key-terms/access-control-list "fv-autolink") (ACL). For [AP Cybersecurity](/ap-cybersecurity "fv-autolink"), you need to know the three firewall types (stateless, stateful, and next-generation), how ACL rules are checked in order, where firewalls should be placed in a network, and how to write rules that allow or deny specific traffic.

## Why This Matters for the AP Cybersecurity Exam

Firewalls are one of the core defense tools in network security, so this topic connects directly to how defenders manage traffic between network segments and the public internet. You should be ready to identify firewall types by what they can inspect, explain how an ACL permits or denies traffic, decide where firewalls belong in a segmented network, and trace what a set of rules actually does to a given packet. The skill that ties it all together is reading and writing ACL rules and predicting their outcome, including spotting how rule order changes which traffic gets through.

## Key Takeaways

- A firewall is [software](/ap-cybersecurity/unit-4/protecting-devices/study-guide/n86HF5aR65a2DLQwNHDn "fv-autolink") that allows or denies traffic; it can run on its own device or be built into something like a router.
- Stateless firewalls check only packet headers, stateful firewalls track connection state, and next-generation firewalls add features like intrusion prevention, [deep packet inspection](/ap-cybersecurity/key-terms/deep-packet-inspection), and application filtering.
- An ACL rule specifies a direction (inbound or outbound), a filter criterion (IP, [port](/ap-cybersecurity/key-terms/port), service, or application), and an action (permit or deny).
- ACL rules are checked top to bottom, and the first matching rule wins, so order changes behavior.
- Every network segment and every point where the internal network meets the public internet should have a firewall, each tuned to its own security needs.
- Be able to trace a specific packet through a rule list and explain whether it is allowed or denied.

## Types of Network-Based Firewalls

A firewall is software that allows or denies network traffic going in or out of a network. The software can run on its own dedicated device or be built into another network device, like a router. Either way, the job is the same: filter traffic based on rules.

There are three main types you need to know, and they build on each other in how much they can see and [control](/ap-cybersecurity/unit-2/cyber-foundations/study-guide/0oS8jJyX7iolYntwz5Eh "fv-autolink").

### Stateless Firewalls

A stateless firewall filters traffic by looking only at information in packet headers. That means it checks things like:

- Source IP address (where the packet came from)
- Destination IP address (where it is going)
- [Port](/ap-cybersecurity/key-terms/port "fv-autolink") numbers
- [Protocol](/ap-cybersecurity/key-terms/protocol) (TCP, UDP, ICMP, etc.)

Each packet is judged on its own. The firewall does not remember anything about packets that came before. It is fast and simple, but limited. If a packet's header matches an "allow" rule, it gets through, even if the packet does not belong to any real conversation, because the firewall keeps no record of connections to check it against.

### Stateful Firewalls

A stateful firewall, also called dynamic [packet filtering](/ap-cybersecurity/key-terms/packet-filtering), does everything a stateless firewall does plus tracks the state of network connections passing through it. In other words, it remembers conversations.

Here is why that matters. When your laptop opens a connection to a web server, there is a back and forth: your machine sends a request, the server responds, and more packets travel both ways. A stateful firewall keeps a table of active connections. If a packet shows up claiming to be a response to a connection that was never opened, the firewall blocks it. This catches attacks where someone tries to sneak in packets that look fine at the header level but do not belong to any real connection.

Stateful firewalls give you more control over what is actually allowed in and out, not just what individual packets look like.

### Next-Generation Firewalls (NGFW)

A next-generation firewall (NGFW) has everything stateless and stateful firewalls do, plus advanced features like:

- **Intrusion prevention**: actively blocking known attack patterns
- **[Deep packet inspection](/ap-cybersecurity/key-terms/deep-packet-inspection "fv-autolink")**: looking inside the packet's payload (the actual data), not just the header
- **Application-level filtering**: telling the difference between, say, regular web browsing and a file-sharing app using the same port

Because attackers have gotten good at hiding [malicious traffic](/ap-cybersecurity/unit-3/network-vulnerabilities-and-attacks/study-guide/9lJpNM0eCHQ1M3XgFL97 "fv-autolink") inside what looks like normal web traffic, an NGFW can catch things a stateless firewall would miss by inspecting the application type and the payload, not just the header.

## Access Control Lists (ACLs)

A firewall is only as useful as the rules you give it. Those rules live in an [access control list (ACL)](/ap-cybersecurity/key-terms/access-control-list), which is the set of instructions the firewall checks every packet against. Network administrators create the ACL to permit or deny inbound and outbound traffic.

A typical ACL rule specifies three things:

1. **Direction**: is this for inbound or outbound traffic?
2. **Criteria**: what to filter by ([IP addresses](/ap-cybersecurity/unit-3/detecting-network-attacks/study-guide/5kYH3dgJpqFp57SUnjEX "fv-autolink"), logical ports, services, or applications)
3. **Action**: permit or deny

So a single rule answers: which direction, matching what, and do I let it through or block it?

### Rules Are Checked in Order

ACL rules are checked top to bottom, and the first rule that matches is the one that gets applied. After that match, the firewall stops checking. It does not keep going to see if a later rule says something different.

That means the order you write your rules in changes what your firewall actually does. A correct list of rules in the wrong order can [lock](/ap-cybersecurity/unit-2/protecting-physical-spaces/study-guide/PhHFFwPlXGtEWL781jEc "fv-autolink") out legitimate traffic or accidentally let attackers in.

## Where to Place Firewalls

You cannot just put one firewall at the edge of your network and call it done. Effective placement follows a few principles.

Every segment of the network should have its own firewall. If you split your network into segments (say, one for finance, one for guest Wi-Fi, one for servers), each one needs a firewall controlling what flows in and out of it. That way, if an attacker compromises the guest Wi-Fi, they cannot easily move into the finance segment.

Different segments have different security needs. A segment holding patient health records needs much tighter rules than a segment for the break room printer. Because firewalls can be configured independently, you can set the strictness of each one based on what it is protecting.

Every ingress and egress point with the public internet needs a firewall. Ingress means traffic coming in, and egress means traffic going out. Anywhere your internal network touches the public internet is a place an attacker could try to get in or where data could leak out. Each of those connection points needs a firewall standing guard.

In practice, this means a network might have a firewall at the internet boundary plus additional firewalls between sensitive internal segments.

## Configuring a Firewall

Configuring a firewall starts with figuring out what traffic you want to allow or deny, then writing ACL rules that match.

### Writing Rules

Rules can filter based on:

- Source or destination IP address
- Source or [destination port](/ap-cybersecurity/key-terms/destination-port)
- Service (like HTTP, [HTTPS](/ap-cybersecurity/key-terms/https "fv-autolink"), SSH)
- [Protocol](/ap-cybersecurity/key-terms/protocol "fv-autolink") (TCP, UDP, ICMP)
- Application (with NGFWs)

Here are two example rules using a syntax style like the one used in the course materials:

```
Allow inbound TCP port 22 from ALL;
```

This rule allows all inbound TCP traffic with [destination port](/ap-cybersecurity/key-terms/destination-port "fv-autolink") 22. Port 22 is the standard port for SSH (Secure Shell), which admins use to remotely log into machines. So this rule says "anyone can try to SSH into this network."

```
Deny inbound TCP port 80 from 192.168.1.0/24;
```

This one denies inbound TCP traffic to port 80 (the standard HTTP port) coming from any IP address in the range 192.168.1.0 through 192.168.1.255. The `/24` at the end is CIDR notation that defines that range of 256 addresses.

### Order Matters (a Lot)

Remember that rules are checked top to bottom and the first match wins. Look at this set:

```
Rule 1: ALLOW inbound TCP port 22 from ALL;
Rule 2: DENY inbound TCP ALL from ALL;
```

What this does:

- An incoming SSH packet (TCP port 22) hits Rule 1, matches, and is allowed. Done.
- An incoming packet on TCP port 80 (web traffic) hits Rule 1, does not match, moves to Rule 2, matches, and is denied.

So this setup allows SSH and blocks everything else over TCP. Exactly what you want if SSH is the only service you are exposing.

Now flip them:

```
Rule 1: DENY inbound TCP ALL from ALL;
Rule 2: ALLOW inbound TCP port 22 from ALL;
```

Now an incoming SSH packet hits Rule 1, matches (because Rule 1 covers all TCP traffic), and is denied. Rule 2 never gets checked. The result: SSH is blocked along with everything else. Rule 2 might as well not exist.

This is why precedence matters so much when you write ACLs. A common approach is to put your more specific "allow" rules first, then your broader "deny" rules later as catch-alls:

1. Allow the specific services you need
2. Deny everything else with a final blanket rule

### A Slightly Bigger Example

Say you are configuring the firewall for a small web server that should accept normal web traffic from anyone but only allow SSH from your office network at 203.0.113.0/24. Outbound, anything goes.

```
Rule 1: ALLOW inbound TCP port 443 from ALL;
Rule 2: ALLOW inbound TCP port 80 from ALL;
Rule 3: ALLOW inbound TCP port 22 from 203.0.113.0/24;
Rule 4: DENY inbound TCP ALL from ALL;
Rule 5: ALLOW outbound TCP ALL from ALL;
```

Walking through it: HTTPS (port 443) and HTTP (port 80) are open to the world for web traffic. SSH (port 22) is open, but only if the source IP is in your office's range. Anything else inbound gets caught by Rule 4 and dropped. Outbound traffic is unrestricted.

If you accidentally put Rule 4 above Rule 3, your office would lose SSH access to your own server. Same rules, different order, completely different outcome.
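The first-match evaluation described above, as an added example that is not part of the guide or any vendor's firewall syntax: a small parser for rule lines in the guide's own style, an evaluator that stops at the first matching rule, and a `swap` helper that reproduces the Rule 3 / Rule 4 ordering trap. The `default` policy for packets that match nothing is an assumption (the guide's rule sets leave it implicit).

```python
"""Trace packets through an ACL top to bottom; first match wins."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Accepts lines like "Rule 3: ALLOW inbound TCP port 22 from 203.0.113.0/24;"
# (the "Rule N:" prefix and trailing ";" are optional).
RULE_RE = re.compile(
    r"^(?:Rule\s+\d+:\s*)?(?P<action>ALLOW|PERMIT|DENY)\s+"
    r"(?P<direction>inbound|outbound)\s+(?P<proto>TCP|UDP|ICMP|ALL)\s+"
    r"(?:port\s+(?P<port>\d+)|ALL)\s+from\s+(?P<src>[^\s;]+);?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Rule:
    action: str                                # "ALLOW" or "DENY"
    direction: str                             # "inbound" or "outbound"
    proto: str                                 # "TCP", "UDP", "ICMP" or "ALL"
    port: Optional[int]                        # destination port, None = any
    src: Optional[ipaddress.IPv4Network]       # None = ALL sources


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    dst_port: int
    src_ip: str


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    src = m["src"]
    return Rule(
        action="DENY" if m["action"].upper() == "DENY" else "ALLOW",
        direction=m["direction"].lower(),
        proto=m["proto"].upper(),
        port=int(m["port"]) if m["port"] else None,
        src=None if src.upper() == "ALL" else ipaddress.ip_network(src, strict=False),
    )


def load_acl(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip()]


def matches(rule: Rule, pkt: Packet) -> bool:
    """Direction and every criterion the rule names must match the packet."""
    if rule.direction != pkt.direction:
        return False
    if rule.proto != "ALL" and rule.proto != pkt.proto.upper():
        return False
    if rule.port is not None and rule.port != pkt.dst_port:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src_ip) not in rule.src:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "DENY") -> Tuple[str, Optional[int]]:
    """Return (action, 1-based number of the rule that fired). Checking stops
    at the first match; a packet matching nothing gets the assumed default."""
    for number, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule.action, number
    return default, None


def swap(rules: List[Rule], a: int, b: int) -> List[Rule]:
    """Copy of the list with rules a and b (1-based) exchanged, to show the ordering trap."""
    out = list(rules)
    out[a - 1], out[b - 1] = out[b - 1], out[a - 1]
    return out


# The web-server ACL from the guide, re-typed here as the sample input.
WEB_SERVER_ACL = load_acl("""
Rule 1: ALLOW inbound TCP port 443 from ALL;
Rule 2: ALLOW inbound TCP port 80 from ALL;
Rule 3: ALLOW inbound TCP port 22 from 203.0.113.0/24;
Rule 4: DENY inbound TCP ALL from ALL;
Rule 5: ALLOW outbound TCP ALL from ALL;
""")

if __name__ == "__main__":
    office_ssh = Packet("inbound", "TCP", 22, "203.0.113.7")      # constructed office host
    for label, acl in (("as written", WEB_SERVER_ACL), ("rule 4 above rule 3", swap(WEB_SERVER_ACL, 3, 4))):
        print(label, evaluate(acl, office_ssh))   # ('ALLOW', 3) then ('DENY', 3)
```

Note that inbound UDP or ICMP matches none of the five rules, so what happens to it depends entirely on the firewall's default policy, which is why a real rule set ends with an explicit catch-all for every protocol, not just TCP.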

### Stateless vs Stateful in Configuration

When you write rules on a stateless firewall, you usually need rules for both directions of a conversation, because the firewall does not remember that a connection was started. On a stateful firewall, you can write a rule that allows the initial outbound connection, and the firewall automatically allows the return traffic for that specific connection. That is a big reason stateful firewalls are easier to manage for anything beyond the simplest networks.
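The difference described above, as an added example (not code from the guide): a stateless filter that needs an explicit rule for each direction of a web conversation, beside a stateful filter that records the outbound connection in a table and admits only the matching reply. The rule shape, the `syn` flag marking a new TCP connection, and the sample addresses are all constructed for this illustration.

```python
"""Stateless vs stateful handling of return traffic (constructed model)."""
from dataclasses import dataclass
from typing import List, NamedTuple, Optional, Set, Tuple


class Rule(NamedTuple):
    direction: str            # "inbound" or "outbound"
    src_port: Optional[int]   # None = any
    dst_port: Optional[int]   # None = any
    action: str               # "ALLOW" or "DENY"


@dataclass(frozen=True)
class Packet:
    direction: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False         # first packet of a new TCP connection (assumed TCP only)


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    for r in rules:
        if (r.direction == pkt.direction
                and (r.src_port is None or r.src_port == pkt.src_port)
                and (r.dst_port is None or r.dst_port == pkt.dst_port)):
            return r
    return None


def conn_key(pkt: Packet) -> Tuple[str, int, str, int]:
    """Connection id as seen from the inside host, so a request and its reply share a key."""
    if pkt.direction == "outbound":
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
    return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)


class StatelessFirewall:
    """Judges every packet alone: no memory, so replies need their own rule."""
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def decide(self, pkt: Packet) -> str:
        r = first_match(self.rules, pkt)
        return r.action if r else "DENY"


class StatefulFirewall:
    """Same rules, plus a table of connections that were opened from inside."""
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.table: Set[Tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        if conn_key(pkt) in self.table:
            return "ALLOW"                      # return traffic for a tracked conversation
        r = first_match(self.rules, pkt)
        if r is None:
            return "DENY"
        if r.action == "ALLOW" and pkt.direction == "outbound" and pkt.syn:
            self.table.add(conn_key(pkt))       # remember the connection we just allowed
        return r.action


def run(fw, packets: List[Packet]) -> List[str]:
    return [fw.decide(p) for p in packets]


# Constructed conversation: laptop 10.0.0.5 opens HTTPS to 198.51.100.20.
REQUEST = Packet("outbound", "10.0.0.5", 51000, "198.51.100.20", 443, syn=True)
REPLY = Packet("inbound", "198.51.100.20", 443, "10.0.0.5", 51000)
# Same header shape, but aimed at a port on which nothing was ever opened.
UNSOLICITED = Packet("inbound", "198.51.100.20", 443, "10.0.0.5", 51001)

# Stateless: one rule per direction; the inbound rule trusts any packet from port 443.
STATELESS_RULES = [Rule("outbound", None, 443, "ALLOW"), Rule("inbound", 443, None, "ALLOW")]
# Stateful: only the initial outbound connection needs a rule.
STATEFUL_RULES = [Rule("outbound", None, 443, "ALLOW")]

if __name__ == "__main__":
    print(run(StatelessFirewall(STATELESS_RULES), [REQUEST, REPLY, UNSOLICITED]))  # all ALLOW
    print(run(StatefulFirewall(STATEFUL_RULES), [REQUEST, REPLY, UNSOLICITED]))    # last is DENY
```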

## How to Use This on the AP Cybersecurity Exam

### Identify and Compare Firewall Types

Match each firewall type to what it can inspect. Stateless looks at headers only. Stateful adds connection tracking. NGFW adds intrusion prevention, deep packet inspection, and application filtering. If a question describes a firewall blocking a packet that pretends to be part of a connection that was never opened, that points to a stateful firewall. If it describes inspecting the payload or filtering by application, that points to an NGFW.

### Code Tracing for ACL Rules

The most important skill here is tracing a packet through a rule list. For each rule, ask: do this packet's direction and criteria (protocol, port, source IP) match the rule? If they do, apply that rule's action and stop; the first rule that matches wins. Practice by picking a specific packet (direction, protocol, port, source IP) and walking it down the list until it hits a match.

### Spot the Ordering Trap

Watch for rule sets where a broad deny rule sits above a specific allow rule. If the broad rule matches first, the specific rule below it never runs. When a question asks what traffic is permitted or how to fix a rule set, check whether reordering would change the result.

### Reason About Placement

If a question describes a segmented network, expect firewalls at each segment boundary and at every point where the internal network meets the public internet, with strictness tuned to what each segment protects.

## Common Misconceptions

- **A firewall is always a separate physical box.** A firewall is software. It can run on a dedicated device or be built into another device like a router.
- **A stateful firewall replaces stateless filtering.** A stateful firewall does everything a stateless one does and adds connection tracking on top. It does not drop header filtering.
- **All firewalls can inspect the contents of a packet.** Only deep packet inspection, a next-generation feature, looks inside the payload. Stateless and basic stateful filtering work mainly with header information.
- **All rules in an ACL get evaluated.** The firewall stops at the first matching rule. Later rules are never reached for that packet once a match is found.
- **Rule order does not matter as long as the rules are correct.** Order changes behavior. The same set of rules can allow or block the same traffic depending on the sequence.
- **One firewall at the network edge is enough.** Effective designs place firewalls at each segment and at every internal-to-internet connection point, not just the outer boundary.

## Related AP Cybersecurity Guides

- [3.3 Protecting Networks: Segmentation](/ap-cybersecurity/unit-3/protecting-networks-segmentation/study-guide/aN5LZLgHojJwIT4AvjWS)
- [3.2 Protecting Networks: Managerial Controls and Wireless Security](/ap-cybersecurity/unit-3/protecting-networks-managerial-controls-and-wireless-security/study-guide/aihx7DE7KUuSOsZ3dgwk)
- [3.1 Network Vulnerabilities and Attacks](/ap-cybersecurity/unit-3/network-vulnerabilities-and-attacks/study-guide/9lJpNM0eCHQ1M3XgFL97)
- [3.5 Detecting Network Attacks](/ap-cybersecurity/unit-3/detecting-network-attacks/study-guide/5kYH3dgJpqFp57SUnjEX)

## Vocabulary

- **IP address**: A unique numerical identifier assigned to a device on a network, used to track the source of login attempts and network activity.
- **Secure Shell (SSH)**: A network protocol that provides secure remote access to a device, typically using port 22.
- **Transmission Control Protocol (TCP)**: A reliable, connection-oriented network protocol that ensures data is delivered in order.
- **access control list**: A set of rules created by network administrators that a firewall uses to permit or deny inbound and outbound network traffic based on specified criteria.
- **application-type filtering**: A firewall capability that filters network traffic based on the type of application generating or receiving the traffic.
- **connection state**: The status and context of an active network connection being tracked by a firewall.
- **data egress**: The exit point where data flows out of a network to external destinations such as the public internet.
- **data ingress**: The entry point where data flows into a network from external sources such as the public internet.
- **deep packet inspection**: A technique that examines the full content of data packets, not just headers, to identify and filter specific types of traffic.
- **deny**: An ACL action that blocks specified network traffic from entering or leaving a network.
- **destination IP address**: The IP address of the device or network that is the intended recipient of network traffic.
- **dynamic packet filtering**: A firewall technique that monitors and filters network traffic based on the state and context of active connections.
- **firewall**: A network security device or software that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
- **firewall rules**: Specific configurations that define which network traffic should be allowed or denied based on criteria such as source, destination, port, protocol, or application.
- **inbound traffic**: Network data entering a network from external sources.
- **internal network**: The private network infrastructure within an organization that is protected from direct access by the public internet.
- **intrusion prevention**: A security feature that detects and blocks malicious network traffic and attacks in real-time.
- **network segment**: A distinct portion of a network that can be independently secured and monitored with its own firewall.
- **network traffic**: The flow of data packets between devices on a network, including both inbound and outbound communications.
- **next-generation firewall**: An advanced firewall with capabilities of stateless and stateful firewalls plus additional features such as intrusion prevention, deep packet inspection, and application-type filtering.
- **outbound traffic**: Network data leaving a network toward external destinations.
- **packet headers**: The portion of a data packet containing metadata such as IP addresses, ports, and protocols.
- **permit**: An ACL action that allows specified network traffic to enter or leave a network.
- **port**: A logical endpoint for network communication identified by a number, used to direct traffic to specific services or applications.
- **protocol**: A set of rules governing how data is transmitted and received over a network.
- **public internet**: The global, publicly accessible network infrastructure outside of an organization's internal network.
- **rule precedence**: The order in which firewall rules are evaluated and applied, which determines which traffic is allowed or denied when multiple rules could apply.
- **source IP address**: The IP address of the device or network sending network traffic.
- **stateful firewall**: A firewall that tracks the state of network connections passing through it and filters traffic based on connection-related rules in addition to packet header information.
- **stateless firewall**: A firewall that filters network traffic based on information in packet headers, such as IP addresses, ports, and protocols, without tracking connection states.

## FAQs

### What is the difference between a stateless and stateful firewall in AP Cybersecurity?

A stateless firewall filters traffic by looking only at packet header information like IP addresses, ports, and protocols, judging each packet independently. A stateful firewall does all of that plus tracks the state of active network connections, so it can block packets that do not belong to a legitimate conversation. This connection tracking gives stateful firewalls more control over what is actually allowed in or out of a network.

### How does ACL rule order affect what traffic a firewall allows or denies?

ACL rules are checked from top to bottom, and the first rule that matches a packet is the one that gets applied - the firewall stops checking after that match. This means placing a broad deny rule above a specific allow rule will block the traffic the allow rule was meant to permit, because the deny rule matches first. Changing the order of rules can completely change which traffic gets through, even if the individual rules stay the same.

### What does a next-generation firewall (NGFW) do that a regular firewall cannot?

A next-generation firewall includes everything a stateless and stateful firewall can do, plus advanced features like intrusion prevention, deep packet inspection, and filtering by application type. Deep packet inspection lets it examine the actual payload of a packet, not just the header, which helps catch malicious traffic hidden inside what looks like normal web traffic. Application-level filtering means it can distinguish between different apps even when they use the same port.

### Where should firewalls be placed in a network for AP Cybersecurity?

Every segment of a network should have its own firewall to control traffic flowing in and out of that segment, since different segments can have different security needs and each firewall can be configured independently. Additionally, every point where the internal network connects to the public internet - both ingress and egress - must have a firewall. This means a network may have multiple firewalls: one at the internet boundary and additional ones between internal segments.

### What does an ACL rule include and how does a firewall use it?

An access control list (ACL) is a set of rules that a network administrator creates to tell the firewall which traffic to permit or deny. Each rule specifies the direction of traffic (inbound or outbound), the criteria to filter by (such as IP address, port, service, or application), and the action to take (permit or deny). The firewall checks each packet against the ACL rules in order and applies the first rule that matches.

