Fatskills
Practice. Master. Repeat.
Study Guide: CompTIA Security+ Firewalls Deep Dive - Stateless, Stateful, WAF, NGFW
Source: https://www.fatskills.com/comptia-security-/chapter/tech-comptia-security-firewalls-deep-dive-stateless-stateful-waf-ngfw

CompTIA Security+ Firewalls Deep Dive - Stateless, Stateful, WAF, NGFW

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~9 min read

CompTIA Security+ Firewalls Deep Dive: Stateless, Stateful, WAF, NGFW

Zero-fluff, hyper-practical guide for real-world deployments and exam prep

1. What This Is & Why It Matters

Firewalls are the first line of defense in network security—they decide what traffic gets in (or out) of your systems. In CompTIA Security+, you’ll be tested on four firewall types: - Stateless firewalls (packet filters) - Stateful firewalls (connection-aware) - Web Application Firewalls (WAFs) (Layer 7 protection) - Next-Gen Firewalls (NGFWs) (deep packet inspection + extras)

Why this matters in production: - Stateless firewalls are fast but dumb—they block/allow traffic based on static rules (e.g., "Block all TCP port 22"). If you misconfigure them, you either expose services or break legitimate traffic. - Stateful firewalls remember connections (e.g., "Allow return traffic for an outbound SSH session"). If you don’t use them, you’ll either: - Over-permit (allowing malicious traffic to sneak in as "return traffic"), or - Over-restrict (breaking apps that need bidirectional communication). - WAFs stop Layer 7 attacks (SQLi, XSS, CSRF). Without one, your web apps are sitting ducks for automated bots and script kiddies. - NGFWs combine stateful inspection with intrusion prevention (IPS), app awareness, and SSL decryption. If you’re not using one, you’re blind to encrypted threats (e.g., malware hiding in HTTPS).

Real-world scenario: You’re a sysadmin at a healthcare company. Your legacy app runs on an old Linux server with a stateless firewall. A pentest reveals that attackers can spoof return traffic to bypass your rules. You need to upgrade to a stateful firewall (or NGFW) to close this gap—without breaking the app’s database connections.

2. Core Concepts & Components

Term Definition Production Insight
Stateless Firewall Filters traffic based on static rules (source/dest IP, port, protocol). No memory of past packets. Easy to misconfigure—if you forget to allow return traffic, apps break. Use only for simple, high-speed filtering (e.g., edge routers).
Stateful Firewall Tracks connection state (e.g., "This TCP packet is part of an established SSH session"). ? Default choice for most networks—balances security and usability. If you’re not using one, you’re doing it wrong.
WAF (Web App Firewall) Protects Layer 7 (HTTP/HTTPS) from attacks like SQLi, XSS, and CSRF. ? Non-negotiable for web apps—OWASP Top 10 attacks are blocked here. Deploy in front of every public-facing web server.
NGFW (Next-Gen Firewall) Stateful firewall + IPS, app awareness, SSL decryption, and sandboxing. ? Expensive but worth it—if you’re handling sensitive data (PCI, HIPAA), you need an NGFW. Examples: Palo Alto, FortiGate, Cisco Firepower.
Implicit Deny Default rule: "Deny all traffic not explicitly allowed." Always enable this—if you don’t, your firewall is just a fancy router.
ACL (Access Control List) List of rules defining what traffic is allowed/denied. ? Order matters—firewalls process rules top-down. Put deny rules first, then allows.
Deep Packet Inspection (DPI) Inspects packet payloads (not just headers) for malicious content. ? NGFWs use DPI—without it, malware in HTTPS traffic slips through.
Proxy Firewall Acts as a middleman—clients connect to the proxy, which forwards requests. Hides internal IPs—useful for DMZs. Slower than stateful firewalls.

3. Step-by-Step Hands-On: Deploy a Stateful Firewall (Linux iptables)

Prerequisites: - A Linux VM (Ubuntu 22.04 LTS recommended). - sudo access. - Basic familiarity with iptables (we’ll walk through it).

Goal: Configure a stateful firewall that:
1. Allows SSH (port 22) from your IP only.
2. Allows HTTP/HTTPS (ports 80/443) from anywhere.
3. Allows return traffic for established connections.
4. Drops everything else.

Step 1: Check Current Firewall Rules

sudo iptables -L -v -n
  • -L = List rules
  • -v = Verbose (shows packet/byte counts)
  • -n = No DNS resolution (faster)

Expected output:

Chain INPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)

Default policy is ACCEPT—this is dangerous. We’ll fix it.

Step 2: Flush Existing Rules (Start Fresh)

sudo iptables -F        # Flush all rules
sudo iptables -X        # Delete all custom chains
sudo iptables -Z        # Zero all packet/byte counters

Step 3: Set Default Policies to DROP (Implicit Deny)

sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT DROP
  • -P = Set default policy.
  • Why? If no rules match, traffic is dropped.

Warning: If you’re connected via SSH, don’t close your terminal—you’ll lock yourself out!

Step 4: Allow Loopback Traffic (Critical for Local Services)

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
  • -i lo = Input interface is loopback (127.0.0.1).
  • -o lo = Output interface is loopback.

Why? Many services (e.g., databases, Docker) rely on loopback.

Step 5: Allow Established/Related Connections (Stateful Rule)

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
  • -m conntrack = Use connection tracking module.
  • --ctstate ESTABLISHED,RELATED = Allow return traffic for existing connections.

Why? Without this, return traffic (e.g., HTTP responses) gets dropped.

Step 6: Allow SSH (Port 22) from Your IP Only

sudo iptables -A INPUT -p tcp --dport 22 -s YOUR_IP_HERE -j ACCEPT
  • -p tcp = TCP protocol.
  • --dport 22 = Destination port 22 (SSH).
  • -s YOUR_IP_HERE = Replace with your public IP (e.g., 123.45.67.89).

Why? Restricting SSH to your IP blocks brute-force attacks.

Step 7: Allow HTTP/HTTPS (Ports 80/443)

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
  • No -s flag = Allow from any IP.

Why? Web servers need to accept traffic from the internet.

Step 8: Allow Outbound Traffic (DNS, Updates, etc.)

sudo iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT    # DNS (TCP)
sudo iptables -A OUTPUT -p udp --dport 53 -j ACCEPT    # DNS (UDP)
sudo iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT    # HTTP
sudo iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT   # HTTPS

Why? Your server needs to resolve DNS, download updates, and fetch dependencies.

Step 9: Save Rules (So They Persist After Reboot)

sudo apt install iptables-persistent -y
sudo netfilter-persistent save
  • Ubuntu/Debian: iptables-persistent
  • RHEL/CentOS: service iptables save

Why? Without saving, rules disappear on reboot.

Step 10: Verify Rules

sudo iptables -L -v -n

Expected output (simplified):

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            127.0.0.1
ACCEPT     tcp  --  YOUR_IP_HERE         0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED
ACCEPT     all  --  127.0.0.1            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Test connectivity: - SSH into the server (should work). - Run curl google.com (should work). - Try nc -zv 127.0.0.1 22 (should fail—SSH is restricted to your IP).

4.-Production-Ready Best Practices

Security

  • Least privilege: Only allow necessary ports/IPs. Example: If your app only needs port 443, don’t open 80.
  • Change default ports: Move SSH from 22-2222 to reduce brute-force attacks.
  • Rate limiting: Use iptables to limit connections (e.g., sudo iptables -A INPUT -p tcp --dport 22 -m connlimit --connlimit-above 3 -j DROP).
  • Log dropped packets: sudo iptables -A INPUT -j LOG --log-prefix "IPTABLES-DROP: " --log-level 4 (check /var/log/syslog).

Cost Optimization

  • Stateless firewalls are cheaper (but less secure). Use them only for edge filtering (e.g., cloud provider ACLs).
  • NGFWs are expensive—deploy them only where needed (e.g., PCI DSS compliance zones).
  • Cloud WAFs (AWS WAF, Cloudflare) are pay-as-you-go—cheaper than on-prem for small apps.

Reliability & Maintainability

  • Document rules: Use comments (sudo iptables -A INPUT -p tcp --dport 22 -m comment --comment "Allow SSH for admin" -j ACCEPT).
  • Test rules in a staging environment before applying to production.
  • Use configuration management (Ansible, Terraform) to deploy firewall rules.

Observability

  • Monitor dropped packets: Set up alerts for iptables -L -v -n | grep DROP.
  • Log allowed traffic: sudo iptables -A INPUT -j LOG --log-prefix "IPTABLES-ALLOW: ".
  • Cloud providers: Use AWS Network Firewall, Azure Firewall, or GCP Firewall Rules with logging enabled.

5. Common Mistakes & Traps

Mistake Symptom Fix/Prevention
Forgetting return traffic rules Apps work one-way (e.g., HTTP requests go out, but responses are dropped). Always add ESTABLISHED,RELATED rules for stateful firewalls.
Allowing "ANY" in rules Firewall allows all traffic from any IP (e.g., -s 0.0.0.0/0). Be specific—only allow known IPs/ports.
Not saving rules Firewall resets after reboot. Use iptables-persistent (Linux) or cloud provider tools (AWS Security Groups).
Blocking loopback (127.0.0.1) Local services (e.g., databases) fail. Always allow lo interface (-i lo).
Overly permissive outbound rules Malware can phone home (e.g., C2 traffic). Restrict outbound traffic to only necessary ports (e.g., 443, 53).

6.-Exam/Certification Focus (CompTIA Security+)

Key Question Patterns

  1. "Which firewall type tracks connection state?"
  2. ? Stateful firewall (remembers established connections).

  3. Stateless (no memory), WAF (Layer 7 only), NGFW (does more than just stateful).

  4. "You need to block SQL injection attacks. Which firewall do you use?"

  5. ? WAF (Layer 7 protection).

  6. Stateful (only tracks connections), Stateless (no payload inspection).

  7. "What’s the default rule for a secure firewall?"

  8. ? Implicit deny (drop all traffic not explicitly allowed).

  9. Implicit allow (dangerous).

  10. "Which firewall performs deep packet inspection (DPI)?"

  11. ? NGFW (combines stateful + DPI + IPS).
  12. ? Stateful (only tracks connections).

Trap Distinctions

Concept Security+ Trap
Stateless vs. Stateful Stateless = no memory, Stateful = remembers connections.
WAF vs. NGFW WAF = Layer 7 (HTTP), NGFW = Layer 3-7 + IPS + DPI.
Implicit Deny Default deny is secure; default allow is a common exam distractor.
ACL Order Rules are processed top-down—put deny rules first.

Scenario-Based Question

"Your company’s web app is under DDoS attack. Which firewall should you deploy to mitigate Layer 7 attacks?" --WAF (blocks HTTP floods, SQLi, XSS). --Stateful (won’t stop Layer 7 attacks), Stateless (too basic), NGFW (overkill if you only need WAF).

7.-Hands-On Challenge (With Solution)

Challenge: You’re managing a Linux server with iptables. A pentest reveals that attackers can spoof return traffic to bypass your stateless rules. How do you fix this?

Solution:

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Why it works: - Stateful tracking ensures only legitimate return traffic is allowed. - Without this, attackers can craft packets with spoofed source IPs to bypass rules.

8.-Rapid-Reference Crib Sheet

Command/Concept Usage
iptables -L -v -n List all rules (verbose, no DNS resolution).
iptables -F Flush all rules.
iptables -P INPUT DROP Set default policy to DROP (secure).
iptables -A INPUT -p tcp --dport 22 -j ACCEPT Allow SSH (port 22).
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT Allow return traffic.
iptables -A INPUT -j LOG --log-prefix "DROP: " Log dropped packets.
sudo netfilter-persistent save Save iptables rules (Ubuntu/Debian).
Stateless Firewall Fast, but no connection tracking (e.g., AWS NACLs).
Stateful Firewall Remembers connections (e.g., iptables, AWS Security Groups).
WAF Blocks Layer 7 attacks (SQLi, XSS).
NGFW Stateful + DPI + IPS + app awareness (e.g., Palo Alto).
Implicit Deny Default rule should be DROP (not ACCEPT).
ACL Order Processed top-down—put deny rules first.

9.-Where to Go Next

  1. Linux iptables Tutorial (DigitalOcean)
  2. AWS WAF Documentation
  3. NGFW Buyer’s Guide (Palo Alto)
  4. [Comp

⚡ Recently practiced quizzes in this class
SY0-501 CompTIA Security+ Certification Exam SY0-501 CompTIA Security+ Certification Exam - Practice Test 2 SY0-401 Exam: CompTIA Security+ CS0-001 Exam: CompTIA Cybersecurity Analyst (CySA+)

 
If you liked Fatskills, consider supporting us by checking out The Life Manuals You Never Got.

🌈  Our mission is to help improve your scores in any subject and exam withonline quizzes, practice tests, study guides, & advice for students. Since 2018.
About | Explore | User Guide | Topics | Subjects | Doubt Solver | Career Aptitude Test | Answers | Free Tools | What Should We Know?
Privacy | Terms |
Without work one finishes nothing. - Ralph Waldo Emerson
© 2026 Fatskills.com

All trademarks, logos and brand names are the property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, trademarks and brands does not imply endorsement.