
Rules Based vs. Policy Based Firewalls


Rule-based firewall systems use rules to control communication between hosts inside and outside the firewall. Each rule is a single line of text containing the network addresses and virtual port numbers of the services that are permitted or denied. The rules are stored together in one or more text files that are read when the firewall starts up. Rule-based systems are static: they cannot do anything they have not been expressly configured to do. Somewhere in one of their configuration files there must be a line that tells them exactly what to do with each packet that flows through the device. This makes the system more straightforward to configure, but less flexible and less adaptive to changing circumstances.


Policy-based systems are more flexible than rule-based systems. They allow the administrator to define the conditions under which general types of communication are permitted, as well as to specify which functions and services will be performed to provide that communication. A policy-based system can dynamically set up permitted communication with arbitrary IP addresses that were not listed in advance. Any system that supports the IPsec Authentication Header (AH) and Encapsulating Security Payload (ESP) is considered a policy-based system.
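To make the contrast between the two paragraphs above concrete, here is an added example (not code from the original tutorial) that implements a toy version of each model. The rule-based half parses a constructed rule file of one-line rules, evaluates them top-down with first match wins, and denies any packet no line mentions; the policy-based half evaluates conditions over general traffic classes together with runtime state, so that a peer address unknown at configuration time can be admitted once it appears in the state (here, a constructed set standing in for peers that completed IPsec authentication). The packet model, rule file, addresses and policy names are all assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set

# --- Shared packet model (constructed for this example) ----------------------
@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    dport: int   # destination port

# --- Rule-based: static text rules, read once, evaluated top-down ------------
# Constructed rule file. Each line: action proto source destination dport.
RULES_TEXT = """\
# action proto  source          destination   dport
allow    tcp    192.168.1.0/24  10.0.0.5/32   443
deny     tcp    192.168.1.0/24  10.0.0.5/32   22
allow    udp    any             10.0.0.53/32  53
"""

@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: Optional[ipaddress.IPv4Network]   # None means "any"
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]

def _net(tok: str) -> Optional[ipaddress.IPv4Network]:
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)

def parse_rules(text: str) -> List[Rule]:
    """Parse the rule file; a malformed line is a configuration error, not ignored."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        action, proto, src, dst, dport = fields
        if action not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        rules.append(Rule(action, proto, _net(src), _net(dst),
                          None if dport == "any" else int(dport)))
    return rules

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and (rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))

def rule_based_decision(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet that no rule mentions is denied."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"   # implicit default: the device does nothing it was not told to do

# --- Policy-based: conditions over traffic classes plus runtime state --------
@dataclass
class PolicyState:
    """Runtime facts the policy engine consults, e.g. peers that completed IPsec authentication."""
    authenticated_peers: Set[str] = field(default_factory=set)

@dataclass(frozen=True)
class Policy:
    name: str
    condition: Callable[[Packet, PolicyState], bool]
    action: str   # "allow" (pass in clear), "protect" (require ESP), "deny"

INTRANET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range

def _intranet_service_from_authenticated_peer(pkt: Packet, state: PolicyState) -> bool:
    # Any authenticated peer, whatever its address, may reach these intranet services.
    return (pkt.src in state.authenticated_peers
            and ipaddress.ip_address(pkt.dst) in INTRANET
            and pkt.proto == "tcp" and pkt.dport in (443, 22))

def _dns_to_resolver(pkt: Packet, state: PolicyState) -> bool:
    return pkt.proto == "udp" and pkt.dst == "10.0.0.53" and pkt.dport == 53

POLICIES = [
    Policy("remote-access", _intranet_service_from_authenticated_peer, "protect"),
    Policy("dns", _dns_to_resolver, "allow"),
]

def policy_based_decision(policies: List[Policy], state: PolicyState, pkt: Packet) -> str:
    """First policy whose condition holds decides; otherwise deny."""
    for pol in policies:
        if pol.condition(pkt, state):
            return pol.action
    return "deny"

if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    probe = Packet("tcp", "203.0.113.7", "10.0.0.5", 443)   # constructed peer not in any rule
    print("rule-based  :", rule_based_decision(rules, probe))          # deny: no line covers it
    state = PolicyState()
    print("policy (pre):", policy_based_decision(POLICIES, state, probe))   # deny: not yet authenticated
    state.authenticated_peers.add("203.0.113.7")              # runtime event, no config reload
    print("policy (post):", policy_based_decision(POLICIES, state, probe))  # protect
```

The point of the demo at the bottom is the difference in how the previously unknown address 203.0.113.7 is handled: the rule-based filter would need a new line added to the file and a restart before that host could be permitted, whereas the policy engine admits it as soon as the runtime state changes, without touching its configuration.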
