Generation 1: Packet Filter Firewall
The original firewall type. Examines each packet independently at Layer 3 and Layer 4 — looking only at source IP, destination IP, source port, destination port, and protocol (TCP/UDP/ICMP). Rules like "block all traffic to TCP port 23 (Telnet)" or "allow traffic from 192.168.1.0/24 to any" are evaluated against each packet in isolation.
What it catches: IP/port-based access control. Blocks clearly forbidden traffic by address and port.
What it misses: Cannot distinguish between a legitimate TCP connection and a spoofed ACK packet. No awareness of connection state — an attacker can inject packets into a session or craft packets that bypass rules by using allowed port numbers for malicious payloads. No protocol or application understanding.
Generation 2: Stateful Packet Inspection (SPI)
Tracks the state of active connections in a state table. Rather than evaluating each packet in isolation, the firewall knows whether a packet belongs to an established, related, or new connection. A packet claiming to be a TCP ACK for a connection that doesn't exist in the state table is dropped.
What it catches: IP/port rules plus connection-state enforcement. Drops invalid TCP state (e.g., ACK before SYN). Implicitly blocks unsolicited inbound traffic (no matching state entry). This is the foundation of home router "SPI firewalls" and NAT.
What it misses: No application-layer awareness. Malicious payloads riding on allowed connections (HTTP on port 80, HTTPS on 443) pass through unexamined. Cannot distinguish valid HTTP from an HTTP-tunneled attack.
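The two generations above differ in exactly one thing: whether the device remembers that a connection was opened before it admits a reply. The following Python example is added here to make that concrete; it is not code from the page. The address ranges, the "web server" host and the policy rules are constructed, and the generation-1 filter includes the classic approximation of return traffic (admit any inbound segment carrying the ACK flag), which is what a spoofed ACK slips through.

```python
from __future__ import annotations

from dataclasses import dataclass

INTERNAL_NET = "192.168.1."   # constructed: the protected network
WEB_SERVER = "192.168.1.10"   # constructed: the only host reachable from outside


@dataclass(frozen=True)
class Packet:
    """Just the fields a Layer 3/4 filter looks at. All packets here are TCP."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags, e.g. frozenset({"SYN"}) or frozenset({"ACK"})


def stateless_filter(pkt: Packet) -> bool:
    """Generation 1: each packet is judged alone against address/port rules.
    Constructed policy: block Telnet, allow anything originating inside, allow
    inbound to the web server on 80, and admit inbound segments with ACK set
    to a high port so that replies to outbound connections get back in."""
    if pkt.dport == 23:
        return False
    if pkt.src.startswith(INTERNAL_NET):
        return True
    if pkt.dst == WEB_SERVER and pkt.dport == 80:
        return True
    if pkt.dst.startswith(INTERNAL_NET) and "ACK" in pkt.flags and pkt.dport > 1023:
        return True  # looks like a reply, but nothing checks that anyone asked for it
    return False


class StatefulFirewall:
    """Generation 2: the same static rules decide whether a NEW connection may
    open; every later packet is admitted only if the state table says the
    connection exists and the packet fits its current TCP state."""

    def __init__(self) -> None:
        self.table: dict[tuple, str] = {}  # (src, sport, dst, dport) -> state

    def filter(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table:                          # originator -> responder
            state = self.table[fwd]
            if state == "SYN_RECV" and "ACK" in pkt.flags:
                self.table[fwd] = "ESTABLISHED"        # third leg of the handshake
                return True
            return state == "ESTABLISHED"
        if rev in self.table:                          # responder -> originator
            state = self.table[rev]
            if state == "SYN_SENT" and pkt.flags == frozenset({"SYN", "ACK"}):
                self.table[rev] = "SYN_RECV"
                return True
            return state == "ESTABLISHED"
        # No entry at all: only a bare SYN that the static rules permit may open one.
        if pkt.flags == frozenset({"SYN"}) and stateless_filter(pkt):
            self.table[fwd] = "SYN_SENT"
            return True
        return False  # an ACK (or anything else) before a SYN is invalid state


# Constructed traffic: an internal client opens an HTTPS session, then an
# unrelated outside host sends an ACK aimed at the client's ephemeral port.
CLIENT, SERVER, ATTACKER = "192.168.1.50", "203.0.113.5", "198.51.100.7"
HANDSHAKE = [
    Packet(CLIENT, 40000, SERVER, 443, frozenset({"SYN"})),
    Packet(SERVER, 443, CLIENT, 40000, frozenset({"SYN", "ACK"})),
    Packet(CLIENT, 40000, SERVER, 443, frozenset({"ACK"})),
]
SPOOFED_ACK = Packet(ATTACKER, 443, CLIENT, 40000, frozenset({"ACK"}))


def compare(packets: list[Packet]) -> list[tuple[bool, bool]]:
    """Run one packet sequence through both generations; return (gen1, gen2) verdicts."""
    fw = StatefulFirewall()
    return [(stateless_filter(p), fw.filter(p)) for p in packets]


if __name__ == "__main__":
    for pkt, (g1, g2) in zip(HANDSHAKE + [SPOOFED_ACK], compare(HANDSHAKE + [SPOOFED_ACK])):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {sorted(pkt.flags)}"
              f"  packet-filter={'ALLOW' if g1 else 'DROP'}  stateful={'ALLOW' if g2 else 'DROP'}")
```

Both filters pass the three legitimate handshake segments; only the stateful one drops the final spoofed ACK, because no state entry ever matched the attacker's address. The state table is what lets generation 2 remove the permissive "inbound ACK" rule that generation 1 needed to make return traffic work at all.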
Generation 3: Application Proxy Firewall
Terminates connections at the firewall and acts as a proxy — fully parsing the application-layer protocol (HTTP, FTP, SMTP, DNS) before forwarding. The proxy understands the protocol structure and can enforce protocol-specific rules: allow only valid HTTP methods, block SMTP attachments over a size limit, validate DNS response structure.
What it catches: Protocol violations, application-layer attacks, and policy enforcement at the protocol level. An invalid HTTP request that would exploit a web server vulnerability is blocked at the proxy.
What it misses: Encrypted traffic, unless the proxy performs SSL interception. Its costs: high latency and CPU load per connection, and one proxy per protocol, so comprehensive coverage requires many proxy services.
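An application proxy can only enforce "allow only valid HTTP methods" because it parses the request itself before rebuilding and forwarding it. The Python example below is added to show what that parsing step looks like; it is not the page's code or any product's. The allowed-method set, the length limit and the sample requests are constructed; the structural checks follow the HTTP/1.1 message format (CRLF-terminated request line and headers, token header names, a Host header for HTTP/1.1, unambiguous body framing).

```python
from __future__ import annotations

import re

ALLOWED_METHODS = {"GET", "HEAD", "POST"}  # constructed policy: what this proxy forwards
MAX_TARGET_LEN = 2048                      # constructed limit on the request-target
# Characters permitted in an HTTP token (header names, methods).
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def validate_http_request(raw: bytes) -> tuple[bool, str]:
    """Parse the head of a client request the way a forwarding proxy must.
    Returns (forward?, reason). Anything the parser cannot fully understand is
    refused rather than passed along on the assumption the origin will cope."""
    head, terminator, _body = raw.partition(b"\r\n\r\n")
    if not terminator:
        return False, "incomplete head: no CRLFCRLF terminator"
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in request head"

    lines = text.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return False, "malformed request line"
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        return False, f"method {method!r} not permitted"
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return False, f"unsupported version {version!r}"
    if not target.startswith("/") or len(target) > MAX_TARGET_LEN:
        return False, "bad request-target"

    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not TOKEN.match(name):
            return False, f"malformed header line {line!r}"
        headers.setdefault(name.lower(), []).append(value.strip())

    if version == "HTTP/1.1" and "host" not in headers:
        return False, "HTTP/1.1 request without Host"
    content_length = headers.get("content-length", [])
    if len(content_length) > 1 or (content_length and not content_length[0].isdigit()):
        return False, "invalid or duplicated Content-Length"
    if content_length and "transfer-encoding" in headers:
        return False, "ambiguous framing: both Content-Length and Transfer-Encoding"
    return True, f"forward {method} {target}"


# Constructed sample requests, as a proxy would receive them on the wire.
SAMPLES = {
    "normal":      b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: demo\r\n\r\n",
    "bad_method":  b"TRACE / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "bad_header":  b"GET / HTTP/1.1\r\nHost: example.test\r\nBad Header: 1\r\n\r\n",
    "no_host":     b"GET / HTTP/1.1\r\nUser-Agent: demo\r\n\r\n",
    "ambiguous":   b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\n"
                   b"Transfer-Encoding: chunked\r\n\r\nabcd",
    "truncated":   b"GET / HTTP/1.1\r\nHost: example.test",
}


def run_samples() -> dict[str, bool]:
    """Return the forward/refuse decision for each constructed sample."""
    return {name: validate_http_request(raw)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        ok, reason = validate_http_request(raw)
        print(f"{name:<11} {'FORWARD' if ok else 'REFUSE '}  {reason}")
```

Only the first sample is forwarded. A stateful firewall would have passed all six on TCP port 80 without distinguishing them, which is exactly the gap the proxy generation closes, and the per-request parsing cost is where its latency comes from.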
Generation 4: Next-Generation Firewall (NGFW)
Combines stateful inspection with deep packet inspection (DPI), an integrated intrusion prevention system (IPS), application identification (regardless of port), TLS inspection, and identity-based policies. An NGFW can identify "this is Dropbox traffic on TCP 443" versus "this is general HTTPS" and apply different rules. It correlates application signatures, behavioral heuristics, and threat intelligence feeds to block known exploit patterns.
What it catches: Application identification and control, known exploit payloads, malware signatures in allowed traffic, encrypted threat detection (with TLS inspection), lateral movement patterns, and identity-based access (user-level, not just IP-level rules).
What it misses: Zero-day exploits without signatures. Encrypted malware that uses valid certificates and appears indistinguishable from legitimate traffic. Behavioral attacks that stay below detection thresholds. High cost and operational complexity limit it primarily to enterprise deployments.
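"This is Dropbox traffic on TCP 443" versus "this is general HTTPS" cannot be decided from the port, so an NGFW reads the application layer of the first packets instead. One common signal, available even without TLS interception, is the Server Name Indication in the TLS ClientHello. The Python example below is added to illustrate that; it is not the page's code or a vendor's engine. The ClientHello builder exists only to produce constructed test input, and the SNI-suffix-to-application table and the policy are assumptions, not real vendor signatures.

```python
from __future__ import annotations

import struct

# Constructed signature table: SNI suffix -> application label. Real NGFWs
# combine many signals (SNI, certificate, JA3-style fingerprints, behaviour).
APP_SIGNATURES = {"dropbox.com": "Dropbox", "dropboxapi.com": "Dropbox"}
POLICY = {"Dropbox": "deny", "generic-https": "allow", "tls-no-sni": "allow", "not-tls": "allow"}


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record with an SNI extension.
    Test input only; a real hello carries many more suites and extensions."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type=host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x000A, 4) + b"\x00\x02\x00\x1d"         # supported_groups (skipped)
    ext += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list         # server_name
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                        # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                        # one cipher suite
            + b"\x01\x00"                                               # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes) -> str | None:
    """Return the SNI host name from a TLS ClientHello record, or None when the
    bytes are not a well-formed ClientHello or carry no SNI. Every length field
    is bounds-checked so truncated or hostile input cannot raise."""
    if len(data) < 5 or data[0] != 0x16:                 # not a handshake record
        return None
    rec = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if len(rec) < 4 or rec[0] != 0x01:                   # not a ClientHello
        return None
    hs_len = int.from_bytes(rec[1:4], "big")
    hs = rec[4:4 + hs_len]
    if len(hs) != hs_len:
        return None
    pos = 2 + 32                                          # client_version + random
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                                    # session_id
    if len(hs) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher_suites
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                                    # compression_methods
    if len(hs) < pos + 2:
        return None
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    if end > len(hs):
        return None
    while pos + 4 <= end:                                 # walk the extension list
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        edata = hs[pos:pos + elen]
        if len(edata) != elen:
            return None
        pos += elen
        if etype == 0x0000 and len(edata) >= 5 and edata[2] == 0:   # server_name, host_name
            nlen = struct.unpack("!H", edata[3:5])[0]
            name = edata[5:5 + nlen]
            if len(name) == nlen:
                return name.decode("ascii", "replace")
    return None


def classify(first_payload: bytes) -> str:
    """Application label from the first client payload, independent of port."""
    sni = extract_sni(first_payload)
    if sni is None:
        return "tls-no-sni" if first_payload[:1] == b"\x16" else "not-tls"
    for suffix, app in APP_SIGNATURES.items():
        if sni == suffix or sni.endswith("." + suffix):
            return app
    return "generic-https"


def decide(first_payload: bytes) -> tuple[str, str]:
    """(application, verdict) for one flow under the constructed POLICY."""
    app = classify(first_payload)
    return app, POLICY.get(app, "deny")


if __name__ == "__main__":
    for payload in (build_client_hello("www.dropbox.com"), build_client_hello("www.example.org"),
                    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"):
        print(decide(payload))
```

Two flows that look identical to a stateful firewall (TCP to port 443, valid handshake) get different verdicts here, and a plaintext HTTP request sent to 443 is labelled as what it is rather than as HTTPS. The flip side is the "what it misses" list above: when the client uses Encrypted Client Hello or an SNI that reveals nothing, this signal disappears, and the NGFW is back to certificate data, fingerprints, behaviour, or TLS interception.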
Host-Based vs Network Firewalls
All four types can be implemented as network firewalls (inline between network segments — a router, dedicated appliance, or cloud service) or host-based firewalls (software running on an individual device — Windows Defender Firewall, macOS Application Firewall, Linux iptables/nftables). Host-based firewalls provide per-device control and protect against lateral movement on the same network segment — an attacker already inside the network boundary still hits each device's host firewall.
Frequently Asked Questions
What type of firewall does a home router use?
Most home routers use stateful packet inspection (SPI) combined with NAT. NAT provides implicit inbound blocking — unsolicited inbound connections are dropped because no NAT translation entry exists. SPI tracks connection state to allow return traffic for outbound sessions. Consumer routers don't perform deep packet inspection unless they include explicit security subscription features.
What does a firewall not protect against?
Threats delivered over allowed traffic — malware in email attachments, malicious downloads over permitted HTTPS, application vulnerabilities in services the firewall permits, insider threats, and social engineering. A firewall is one defense layer, not a complete security solution.