Bird
Raised Fist0
Interview Prepcomputer-networkseasyAmazonGoogleMicrosoftFlipkartSwiggy

Firewall vs Proxy vs Reverse Proxy - Differences & Use Cases

Choose your preparation mode3 modes available
SolutionTrace

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Steps
setup

Packet originates from client

The client creates an HTTP request packet and prepares to send it to the server. The packet contains the request data and headers.

💡 Understanding the packet's origin and contents is crucial to follow how network components handle it.
Line:client.create_packet('HTTP GET /index.html')
💡 The packet starts at the client node, ready to traverse the network.
📊
Firewall vs Proxy vs Reverse Proxy - Differences & Use Cases - Watch the Algorithm Execute, Step by Step
Watching the packet flow step-by-step reveals how firewalls filter traffic, proxies act on behalf of clients, and reverse proxies protect backend servers, making these concepts concrete and intuitive.
Step 1/11
·Active fillAnswer cell
Client sends packet to firewall
Hop: 1
Client
Firewall
Proxy Server
Reverse Proxy
Web Server
📦Packet
fromclient
tofirewall
📄 payloadHTTP GET /index.html
🔌 protocolHTTP
🚩 flags
src10.0.0.1:12345
dst93.184.216.34:80
dataHTTP GET /index.html
Packet created at client: HTTP GET /index.html
Firewall forwards allowed packet to proxy
Hop: 2
Client
Firewall
Proxy Server
Reverse Proxy
Web Server
📦Packet
fromfirewall
toproxy
📄 payloadHTTP GET /index.html
🔌 protocolHTTP
🚩 flags
src10.0.0.1:12345
dst93.184.216.34:80
dataHTTP GET /index.html
Packet created at client: HTTP GET /index.html
Firewall inspects packet and allows it
Proxy prepares to forward packet on behalf of client
Hop: 3
Client
Firewall
Proxy Server
Reverse Proxy
Web Server
📦Packet
fromproxy
toreverse_proxy
📄 payloadHTTP GET /index.html
🔌 protocolHTTP
🚩 flags
srcproxy_ip:54321
dst93.184.216.34:80
dataHTTP GET /index.html
Packet created at client: HTTP GET /index.html
Firewall inspects packet and allows it
Proxy server receives packet from firewall
Proxy forwards modified packet to reverse proxy
Hop: 4
Client
Firewall
Proxy Server
Reverse Proxy
Web Server
📦Packet
fromproxy
toreverse_proxy
📄 payloadHTTP GET /index.html
🔌 protocolHTTP
🚩 flags
srcproxy_ip:54321
dst93.184.216.34:80
dataHTTP GET /index.html
Firewall inspects packet and allows it
Proxy server receives packet from firewall
Proxy modifies packet headers to hide client IP
Reverse proxy prepares to forward packet to backend server
Hop: 5
Client
Firewall
Proxy Server
Reverse Proxy
Web Server
📦Packet
fromreverse_proxy
toserver
📄 payloadHTTP GET /index.html
🔌 protocolHTTP
🚩 flags
srcproxy_ip:54321
dst93.184.216.34:80
dataHTTP GET /index.html
Proxy server receives packet from firewall
Proxy modifies packet headers to hide client IP
Reverse proxy receives packet from proxy
Reverse proxy forwards modified packet to backend server
Hop: 6
Client
Firewall
Proxy Server
Reverse Proxy
Web Server
📦Packet
fromreverse_proxy
toserver
📄 payloadHTTP GET /index.html
🔌 protocolHTTP
🚩 flags
srcreverse_proxy_ip:54321
dst192.168.1.10:80
dataHTTP GET /index.html
Proxy modifies packet headers to hide client IP
Reverse proxy receives packet from proxy
Reverse proxy modifies packet headers for backend
Backend server starts processing HTTP request
Hop: 7
Client
Firewall
Proxy Server
Reverse Proxy
Web Server
📦Packet
fromserver
📄 payloadHTTP GET /index.html
🔌 protocolHTTP
🚩 flags
srcreverse_proxy_ip:54321
dst192.168.1.10:80
dataHTTP GET /index.html
Reverse proxy receives packet from proxy
Reverse proxy modifies packet headers for backend
Backend server receives packet from reverse proxy
Backend server sends response to reverse proxy
Hop: 8
Client
Firewall
Proxy Server
Reverse Proxy
Web Server
📦Packet
fromserver
toreverse_proxy
📄 payloadHTTP 200 OK
🔌 protocolHTTP
🚩 flags
src192.168.1.10:80
dstreverse_proxy_ip:54321
dataHTTP 200 OK
Reverse proxy modifies packet headers for backend
Backend server receives packet from reverse proxy
Backend server processes HTTP request and prepares response
Reverse proxy prepares to forward response to proxy
Hop: 9
Client
Firewall
Proxy Server
Reverse Proxy
Web Server
📦Packet
fromreverse_proxy
toproxy
📄 payloadHTTP 200 OK
🔌 protocolHTTP
🚩 flags
src192.168.1.10:80
dstreverse_proxy_ip:54321
dataHTTP 200 OK
Backend server receives packet from reverse proxy
Backend server processes HTTP request and prepares response
Reverse proxy receives response from backend server
Proxy sends response packet back to client
Hop: 10
Client
Firewall
Proxy Server
Reverse Proxy
Web Server
📦Packet
fromproxy
toclient
📄 payloadHTTP 200 OK
🔌 protocolHTTP
🚩 flags
srcproxy_ip:54321
dst10.0.0.1:12345
dataHTTP 200 OK
Backend server processes HTTP request and prepares response
Reverse proxy receives response from backend server
Proxy receives response and forwards to client
Client completes receiving response
Hop: 11
Client
Firewall
Proxy Server
Reverse Proxy
Web Server
📦Packet
fromclient
📄 payloadHTTP 200 OK
🔌 protocolHTTP
🚩 flags
srcproxy_ip:54321
dst10.0.0.1:12345
dataHTTP 200 OK
Reverse proxy receives response from backend server
Proxy receives response and forwards to client
Client receives HTTP 200 OK response

Key Takeaways

Firewalls filter traffic based on security rules before any other processing.

This filtering step is often invisible in code but critical to network security.

Proxies act on behalf of clients, modifying requests to provide anonymity and caching.

Seeing header modifications visually clarifies how proxies mask client identity.

Reverse proxies protect backend servers by intercepting requests and responses, hiding server details.

The reverse proxy’s role is subtle but essential for security and load balancing.

Practice

(1/5)
1. Trace the sequence of layers a data packet passes through when a user sends an email using SMTP over TCP/IP. Which order correctly represents the encapsulation process from the sender's perspective?
easy
A. Application -> Transport -> Internet -> Network Interface
B. Network Interface -> Internet -> Transport -> Application
C. Internet -> Transport -> Application -> Network Interface
D. Transport -> Application -> Internet -> Network Interface

Solution

  1. Step 1: Understand encapsulation order in TCP/IP model

    Data starts at the Application Layer (SMTP), then is passed down to Transport Layer (TCP) for segmentation and connection management, then to Internet Layer (IP) for routing, and finally to Network Interface Layer for physical transmission.

  2. Final Answer:

    Option A -> Option A

  3. Quick Check:

    Encapsulation order is top-down: Application -> Transport -> Internet -> Network Interface [OK]
Hint: Encapsulation flows top-down from Application to Network Interface
Common Mistakes:
  • Confusing encapsulation with decapsulation order
  • Mixing up Internet and Transport layers
  • Assuming Network Interface is the first layer
2. When a TCP packet is lost during transmission, what sequence of events occurs internally before the data is successfully received?
easy
A. The sender immediately retransmits the lost packet without waiting for any signal
B. The receiver sends an acknowledgment for the last correctly received packet, triggering retransmission after timeout
C. The receiver sends a negative acknowledgment (NAK) to request retransmission of the lost packet
D. The sender continues sending new packets without retransmitting lost ones

Solution

  1. Step 1: Understand TCP reliability mechanism

    TCP uses acknowledgments (ACKs) to confirm receipt of packets.

  2. Step 2: Lost packet detection

    If a packet is lost, the sender does not receive an ACK for it within a timeout period.

  3. Step 3: Retransmission trigger

    After timeout, the sender retransmits the lost packet.

  4. Step 4: Evaluate options

    The receiver sends an acknowledgment for the last correctly received packet, triggering retransmission after timeout correctly describes the process. The sender immediately retransmits the lost packet without waiting for any signal is incorrect because retransmission waits for timeout or duplicate ACKs. The receiver sends a negative acknowledgment (NAK) to request retransmission of the lost packet is incorrect; TCP does not use NAKs. The sender continues sending new packets without retransmitting lost ones ignores retransmission, violating TCP reliability.

  5. Final Answer:

    Option B -> Option B

  6. Quick Check:

    TCP relies on ACK timeouts to detect loss and trigger retransmission.
Hint: TCP retransmits after timeout triggered by missing ACKs, not immediately or via NAKs.
Common Mistakes:
  • Believing TCP uses negative acknowledgments (NAKs)
  • Thinking retransmission happens immediately without waiting
  • Assuming sender ignores lost packets
3. Which of the following statements about the idempotency of HTTP methods is INCORRECT?
medium
A. PUT is idempotent because sending the same request multiple times results in the same resource state.
B. DELETE is idempotent because deleting a resource multiple times has the same effect as deleting it once.
C. POST is idempotent because it creates a new resource each time it is called.
D. GET is idempotent and safe because it does not modify server state.

Solution

  1. Step 1: Review idempotency definitions

    Idempotent methods produce the same effect no matter how many times they are called.

  2. Step 2: Analyze each option

    A is correct: PUT replaces resource, repeated calls same effect.
    B is correct: DELETE repeated deletes same effect.
    D is correct: GET is safe and idempotent.
    C is incorrect: POST creates new resources each time, so not idempotent.

  3. Final Answer:

    Option C -> Option C

  4. Quick Check:

    POST is not idempotent because it changes server state differently on each call.
Hint: POST ≠ idempotent; PUT, DELETE, GET are idempotent
Common Mistakes:
  • Assuming POST is idempotent because it creates resources
  • Confusing safety with idempotency
  • Believing DELETE is not idempotent because it removes data
4. Why is it generally not advisable to set a fixed Retransmission Timeout (RTO) value in TCP instead of using an adaptive algorithm?
medium
A. Because fixed RTO values prevent the sender from using sequence numbers effectively
B. Because fixed RTO values increase the TCP header size, reducing throughput
C. Because fixed RTO values cause the receiver to drop out-of-order packets more frequently
D. Because a fixed RTO cannot adjust to varying network delays, leading to either premature retransmissions or long delays

Solution

  1. Step 1: Understand RTO purpose

    RTO determines when the sender retransmits unacknowledged segments, ideally matching network delay.

  2. Step 2: Analyze fixed vs adaptive RTO

    Fixed RTO cannot adapt to changing RTTs, causing retransmissions either too early (wasting bandwidth) or too late (increasing latency).

  3. Step 3: Evaluate options

    Because fixed RTO values prevent the sender from using sequence numbers effectively is incorrect; sequence number usage is unaffected by RTO. Because fixed RTO values increase the TCP header size, reducing throughput is false; RTO does not affect header size. Because fixed RTO values cause the receiver to drop out-of-order packets more frequently is unrelated to RTO. Because a fixed RTO cannot adjust to varying network delays, leading to either premature retransmissions or long delays correctly identifies the main drawback.

  4. Final Answer:

    Option D -> Option D

  5. Quick Check:

    Adaptive RTO improves efficiency by matching network conditions.
Hint: Adaptive RTO matches RTT; fixed RTO causes inefficiency.
Common Mistakes:
  • Believing fixed RTO affects TCP header size
  • Confusing RTO with receiver packet handling
  • Assuming RTO impacts sequence number usage
5. If a load balancer using IP Hash algorithm encounters clients behind a NAT (Network Address Translation) device, what is a potential challenge and how can it be mitigated?
hard
A. Clients behind NAT have different IPs, causing inconsistent routing; mitigation is to disable IP Hash and use Round Robin
B. Multiple clients share the same public IP, causing all their requests to be routed to the same server; mitigation involves using additional session identifiers beyond IP
C. NAT devices block IP Hash algorithms; mitigation is to switch to Least Connections
D. IP Hash cannot detect unhealthy servers behind NAT; mitigation is to increase health check frequency

Solution

  1. Step 1: Understand NAT impact on IP Hash

    NAT causes multiple clients to share a single public IP address.

  2. Step 2: Effect on IP Hash routing

    Since IP Hash uses client IP, all clients behind the same NAT get routed to the same backend server, potentially causing load imbalance.

  3. Step 3: Mitigation strategies

    Using additional session identifiers (cookies, tokens) can differentiate clients beyond IP, improving distribution.

  4. Step 4: Why other options are incorrect

    Clients behind NAT have different IPs, causing inconsistent routing; mitigation is to disable IP Hash and use Round Robin incorrectly states clients behind NAT have different IPs; they share one. NAT devices block IP Hash algorithms; mitigation is to switch to Least Connections falsely claims NAT blocks IP Hash. IP Hash cannot detect unhealthy servers behind NAT; mitigation is to increase health check frequency confuses health checks with NAT issues.

  5. Final Answer:

    Option B -> Option B

  6. Quick Check:

    NAT causes IP Hash collisions; use extra session info to mitigate.
Hint: NAT causes IP Hash collisions; add session IDs
Common Mistakes:
  • Assuming IP Hash works perfectly behind NAT
  • Thinking NAT changes client IPs individually
  • Confusing NAT issues with health check problems