In [[computer networks]], a '''[[network layer]] [[Firewall (networking)|firewall]]''' works as a [[packet filter]] by deciding what [[packet]]s will pass the firewall according to rules defined by the administrator. Filtering rules can act on the basis of source and destination address and on [[Port (computing)|port]]s, in addition to whatever higher-level [[network protocol]]s the packet contains. Network layer firewalls tend to operate very fast, and transparently to users.
{{Redirect category shell|1=
Network layer firewalls generally fall into two sub-categories, [[stateful firewall|stateful]] and [[stateless firewall|non-stateful]]. Stateful firewalls hold some information on the state of connections (for example: established or not, initiation, handshaking, data or breaking down the connection) as part of their rules (e.g. only hosts inside the firewall can establish connections on a certain port).
{{R from merge}}
}}
Stateless firewalls have packet-filtering capabilities but cannot make more complex decisions on what stage communications between hosts have reached. Stateless firewalls therefore offer less security. Stateless firewalls somewhat resemble a [[router]] in their ability to filter packets.
Any normal computer running an [[operating system]] which supports packet filtering and [[routing]] can function as a network layer firewall. Appropriate operating systems for such a configuration include [[Linux]], [[Solaris Operating Environment|Solaris]], [[Berkeley Software Distribution|BSD]]s or [[Windows Server]].
