Firewalls/OSI Model Layer
Circuit-Level Gateway Firewall OSI Layer
Layer 5
Application-level firewalls OSI Layer
Layer 7
Packet filter firewalls OSI Layer
Layers 3 and 4
Stateful firewalls OSI Layer
Layers 3 and 4
Packet filter firewalls
These type of firewalls operate at Layer 3 and Layer 4 of the OSI model, which are the Network and Transport layers, respectively. They are simple in that it makes filtering decisions based on the header information of each packet. As a result, packet filter firewalls are not particularly flexible. For example, if you want to configure traffic on a port to flow inbound as well as outbound, you must open up the port in both directions. However, doing so might expose the internal network to undesirable inbound traffic on that port.
Stateful firewalls
These types of firewalls also operate at Layer 3 and Layer 4 of the OSI model. Unlike packet filtering firewalls, these firewalls make filtering decisions based on previous packets that have been sent. For example, if an outbound session is initiated, a this firewall can dynamically allow the return traffic in the inbound direction by creating an entry in the firewall's state table. Inbound traffic from other sources will be blocked unless there is a corresponding outbound session listed in the state table. As a result, these firewalls are more secure than packet filter firewalls.
Application-level firewalls
These types of firewalls can make filtering decisions based on Application layer data. However, to do so, the firewall must be able to understand the corresponding Application layer protocol. As a result, these firewalls are often designed to filter data for a particular Application layer protocol, such as Hypertext Transfer Protocol (HTTP) or File Transfer Protocol (FTP). For example, an HTTP proxy can block malicious HTTP commands or otherwise undesirable Web traffic, but it might not be able to block malicious FTP traffic.
Circuit-Level Gateway Firewall
These types of firewalls monitor the Transmission Control Protocol (TCP) handshake process and allow only legitimate connection attempts. it can provide filtering services for many upper-level protocols, such as those that operate at the Presentation and Application layers. However, it cannot make filtering decisions based on the data contained within those layers, because it does not understand the Application layer or Presentation layer data.