Firewalls — Trivia & Interesting Facts

Surprising, historical, and little-known facts about firewall technology and operations.


The first commercial firewall was sold by DEC in 1992

Digital Equipment Corporation shipped the DEC SEAL (Screened External Access Link) firewall product in 1992, based on research by Bill Cheswick and Steve Bellovin at AT&T Bell Labs. But the conceptual work started even earlier — the term "firewall" in a networking context was first used in the 1988 Morris Worm postmortem, when people realized that unfiltered Internet connectivity was a terrible idea.


Stateful inspection was invented by Check Point in 1994

Before Check Point's FireWall-1, firewalls were either simple packet filters (match on source/destination IP and port) or application-level proxies (slow, limited protocol support). Check Point's "stateful inspection" engine tracked connection state, allowing it to make decisions based on the full context of a TCP session. Gil Shwed, Check Point's founder, patented the technique at age 25, and it remains the foundation of most firewalls today.


iptables was the Linux firewall for 20 years before nftables replaced it

iptables was introduced in Linux 2.4 (2001) and became the most widely deployed firewall in history simply because it came with every Linux installation. Its replacement, nftables, was merged into the kernel in 2014, but iptables remains in widespread use. The iptables-nft compatibility layer translates iptables rules to nftables bytecode, meaning many systems running "iptables" are actually running nftables underneath without the operator knowing.


The default "deny all" policy was not always obvious

Early packet filters defaulted to "allow all" — you had to explicitly block bad traffic. This "default permit" philosophy was gradually abandoned in favor of "default deny" (block everything, then allow specific traffic) after repeated breaches in the late 1990s. The shift from denylisting (blocking only known-bad traffic) to allowlisting (permitting only known-good traffic) was one of the most significant philosophical changes in network security history.


Firewall rule order matters more than most engineers realize

Firewalls evaluate rules top-to-bottom and stop at the first match. On a firewall with 10,000 rules (common in large enterprises), a broadly matching rule near the top can silently override hundreds of specific rules below it. Conversely, the most frequently matched rules should be near the top for performance — a rule at position 9,000 means every packet traverses 8,999 non-matching rules first.
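The first-match behavior described above, as an added example that is not from the original page: a small evaluator over a constructed rule set that reports which rule fired and how many rules were traversed, plus a check that flags rules fully shadowed by a broader rule earlier in the list (rule names and addresses are made up for the illustration).

```python
import ipaddress

# Constructed rule set (not from the page): evaluated top-to-bottom, first match wins.
# Each rule: (name, source network, destination port or None for any port, action).
RULES = [
    ("r1-any-web",   "0.0.0.0/0",    443,  "allow"),
    ("r2-dmz-ssh",   "10.1.0.0/16",  22,   "allow"),
    ("r3-block-web", "192.0.2.0/24", 443,  "deny"),   # intended block, never reached
    ("r4-deny-all",  "0.0.0.0/0",    None, "deny"),
]


def parse(rules):
    """Turn the textual rule set into (name, ip_network, port, action) tuples."""
    return [(n, ipaddress.ip_network(net), port, act) for n, net, port, act in rules]


def evaluate(rules, src, dport):
    """Return (action, rule name, rules traversed) for one packet; first match wins."""
    addr = ipaddress.ip_address(src)
    for position, (name, net, port, action) in enumerate(rules, start=1):
        if addr in net and (port is None or port == dport):
            return action, name, position
    # Nothing matched: behave like a default-deny policy at the end of the list.
    return "deny", "implicit-default", len(rules)


def shadowed(rules):
    """List (rule, shadowing rule) pairs: a rule can never fire when an earlier rule
    matches a superset of its sources and the same (or any) port."""
    found = []
    for i, (name, net, port, _) in enumerate(rules):
        for earlier_name, earlier_net, earlier_port, _ in rules[:i]:
            if net.subnet_of(earlier_net) and (earlier_port is None or earlier_port == port):
                found.append((name, earlier_name))
                break
    return found


if __name__ == "__main__":
    parsed = parse(RULES)
    # The deny in r3 is silently overridden by r1, which sits above it.
    print(evaluate(parsed, "192.0.2.10", 443))
    print(shadowed(parsed))
```

Reordering rules by hit count to pull hot rules upward is only safe among rules whose match sets do not overlap; the shadow check above is the test to run before and after any such reorder.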


The Cisco PIX used a "security level" model unique in firewall history

The Cisco PIX firewall (and later ASA) assigned security levels 0-100 to interfaces, where higher-security interfaces could initiate connections to lower-security interfaces by default. This model — where traffic flow was determined by a single number rather than explicit rules — was intuitive for simple setups but created bizarre edge cases in complex topologies. The "same-security-traffic permit" command exists because the default behavior of blocking traffic between equal-level interfaces confused nearly everyone.


Next-generation firewalls identify applications, not just ports

Palo Alto Networks introduced the "next-generation firewall" (NGFW) concept around 2007, with deep packet inspection that could identify applications regardless of port. Before NGFWs, allowing TCP port 443 meant allowing HTTPS, but also any other protocol tunneled over 443 — including VPNs, proxied traffic, and malware C2 channels. The ability to distinguish "Facebook over 443" from "legitimate HTTPS API traffic over 443" was revolutionary.


AWS Security Groups are stateful firewalls that most people don't think of as firewalls

AWS Security Groups are full stateful firewalls — they track connection state and automatically allow return traffic. They are evaluated differently from Network ACLs, which are stateless. The combination of Security Groups (stateful, instance-level) and NACLs (stateless, subnet-level) in AWS mirrors the classic host-firewall + perimeter-firewall architecture, but many cloud engineers don't recognize this parallel.


Zone-based firewalls were invented because interface-based rules didn't scale

The concept of firewall "zones" (grouping interfaces into trust levels and defining policies between zones) was popularized by Juniper's ScreenOS in the early 2000s. Before zones, you had to write rules per-interface-pair, which grew quadratically with the number of interfaces. Zones reduced this to a manageable number of zone-to-zone policies, and the concept was adopted by virtually every enterprise firewall vendor.


Firewall state table exhaustion is a denial-of-service vector

Stateful firewalls maintain a connection table entry for every active session. A SYN flood or slowloris attack can fill this table, causing the firewall to drop legitimate new connections. The maximum connection table size on a firewall is often the real capacity limit, not the throughput in Gbps. Firewalls have been brought to their knees by 50,000 connections/second even when they advertise multi-gigabit throughput.
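The exhaustion mechanism described above, as an added example that is not from the original page: a toy stateful firewall with a bounded connection table, filled with constructed half-open flows so that a legitimate new connection is refused, and a half-open timeout (an assumed mitigation, not one the page names) that ages those entries out.

```python
from collections import OrderedDict


class StatefulFirewall:
    """Toy stateful firewall (constructed example): one table entry per flow,
    new flows refused once the table is full."""

    def __init__(self, max_entries, half_open_timeout):
        self.max_entries = max_entries
        self.half_open_timeout = half_open_timeout
        self.table = OrderedDict()  # flow 5-tuple -> (state, last_seen)
        self.dropped_new = 0        # legitimate-or-not new flows refused

    def expire(self, now):
        """Drop half-open (SYN-only) flows that never completed the handshake."""
        stale = [f for f, (state, seen) in self.table.items()
                 if state == "SYN_RECV" and now - seen > self.half_open_timeout]
        for flow in stale:
            del self.table[flow]
        return len(stale)

    def syn(self, flow, now):
        """A packet opening a new flow. Returns True if the flow was admitted."""
        self.expire(now)
        if flow in self.table:
            return True
        if len(self.table) >= self.max_entries:
            self.dropped_new += 1   # table full: this is the real capacity limit
            return False
        self.table[flow] = ("SYN_RECV", now)
        return True

    def established(self, flow, now):
        """Handshake completed: promote the entry so it is no longer half-open."""
        if flow in self.table:
            self.table[flow] = ("ESTABLISHED", now)


def simulate(flood_size, max_entries=1000, timeout=5.0):
    """Fill the table with constructed half-open flows, then try one legitimate
    connection while the table is full and again after the entries age out."""
    fw = StatefulFirewall(max_entries, timeout)
    for i in range(flood_size):  # constructed spoofed sources, one port per flow
        fw.syn(("203.0.113.%d" % (i % 250), 40000 + i, "198.51.100.10", 443), now=0.0)
    legit = ("192.0.2.25", 51000, "198.51.100.10", 443)
    during = fw.syn(legit, now=1.0)    # still within the half-open timeout
    after = fw.syn(legit, now=10.0)    # half-open entries expired first
    return during, after, fw.dropped_new
```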