The residential firewall protects a home by tracking all flows to or from the home. Only inbound traffic that matches flows that originated inside of the home is allowed to pass through the firewall. By blocking other flows, an attacker cannot initiate a connection to a vulnerable service within the home. The residential firewall also provides protection against fingerprinting, port scanning, and DoS attacks. The dynamic flow tracking functionality provides a better user experience compared to static firewall rules because it does not limit any connection that has been set up within the home.
The residential firewall is based entirely on the tracking of Layer 3 and Layer 4 flows. Minimal application layer gateway (ALG) support is provided to allow protocols that use multiple flows, but application layer protection is not supported. The firewall only supports IPv6 flows. It is recommended to use Layer 2-aware NAT to provide similar protection for IPv4 flows within the same residential subscriber.