Bird
Raised Fist0
Interview Prepcomputer-networkseasyAmazonGoogleMicrosoftFlipkartSwiggy

Firewall vs Proxy vs Reverse Proxy - Differences & Use Cases

Choose your preparation mode3 modes available
SolutionTrace

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Steps
setup

Packet originates from client

The client creates an HTTP request packet and prepares to send it to the server. The packet contains the request data and headers.

💡 Understanding the packet's origin and contents is crucial to follow how network components handle it.
Line:client.create_packet('HTTP GET /index.html')
💡 The packet starts at the client node, ready to traverse the network.
📊
Firewall vs Proxy vs Reverse Proxy - Differences & Use Cases - Watch the Algorithm Execute, Step by Step
Watching the packet flow step-by-step reveals how firewalls filter traffic, proxies act on behalf of clients, and reverse proxies protect backend servers, making these concepts concrete and intuitive.
Step 1/11
·Active fillAnswer cell
Client sends packet to firewall
Hop: 1
Client
Firewall
Proxy Server
Reverse Proxy
Web Server
📦Packet
fromclient
tofirewall
📄 payloadHTTP GET /index.html
🔌 protocolHTTP
🚩 flags
src10.0.0.1:12345
dst93.184.216.34:80
dataHTTP GET /index.html
Packet created at client: HTTP GET /index.html
Firewall forwards allowed packet to proxy
Hop: 2
Client
Firewall
Proxy Server
Reverse Proxy
Web Server
📦Packet
fromfirewall
toproxy
📄 payloadHTTP GET /index.html
🔌 protocolHTTP
🚩 flags
src10.0.0.1:12345
dst93.184.216.34:80
dataHTTP GET /index.html
Packet created at client: HTTP GET /index.html
Firewall inspects packet and allows it
Proxy prepares to forward packet on behalf of client
Hop: 3
Client
Firewall
Proxy Server
Reverse Proxy
Web Server
📦Packet
fromproxy
toreverse_proxy
📄 payloadHTTP GET /index.html
🔌 protocolHTTP
🚩 flags
srcproxy_ip:54321
dst93.184.216.34:80
dataHTTP GET /index.html
Packet created at client: HTTP GET /index.html
Firewall inspects packet and allows it
Proxy server receives packet from firewall
Proxy forwards modified packet to reverse proxy
Hop: 4
Client
Firewall
Proxy Server
Reverse Proxy
Web Server
📦Packet
fromproxy
toreverse_proxy
📄 payloadHTTP GET /index.html
🔌 protocolHTTP
🚩 flags
srcproxy_ip:54321
dst93.184.216.34:80
dataHTTP GET /index.html
Firewall inspects packet and allows it
Proxy server receives packet from firewall
Proxy modifies packet headers to hide client IP
Reverse proxy prepares to forward packet to backend server
Hop: 5
Client
Firewall
Proxy Server
Reverse Proxy
Web Server
📦Packet
fromreverse_proxy
toserver
📄 payloadHTTP GET /index.html
🔌 protocolHTTP
🚩 flags
srcproxy_ip:54321
dst93.184.216.34:80
dataHTTP GET /index.html
Proxy server receives packet from firewall
Proxy modifies packet headers to hide client IP
Reverse proxy receives packet from proxy
Reverse proxy forwards modified packet to backend server
Hop: 6
Client
Firewall
Proxy Server
Reverse Proxy
Web Server
📦Packet
fromreverse_proxy
toserver
📄 payloadHTTP GET /index.html
🔌 protocolHTTP
🚩 flags
srcreverse_proxy_ip:54321
dst192.168.1.10:80
dataHTTP GET /index.html
Proxy modifies packet headers to hide client IP
Reverse proxy receives packet from proxy
Reverse proxy modifies packet headers for backend
Backend server starts processing HTTP request
Hop: 7
Client
Firewall
Proxy Server
Reverse Proxy
Web Server
📦Packet
fromserver
📄 payloadHTTP GET /index.html
🔌 protocolHTTP
🚩 flags
srcreverse_proxy_ip:54321
dst192.168.1.10:80
dataHTTP GET /index.html
Reverse proxy receives packet from proxy
Reverse proxy modifies packet headers for backend
Backend server receives packet from reverse proxy
Backend server sends response to reverse proxy
Hop: 8
Client
Firewall
Proxy Server
Reverse Proxy
Web Server
📦Packet
fromserver
toreverse_proxy
📄 payloadHTTP 200 OK
🔌 protocolHTTP
🚩 flags
src192.168.1.10:80
dstreverse_proxy_ip:54321
dataHTTP 200 OK
Reverse proxy modifies packet headers for backend
Backend server receives packet from reverse proxy
Backend server processes HTTP request and prepares response
Reverse proxy prepares to forward response to proxy
Hop: 9
Client
Firewall
Proxy Server
Reverse Proxy
Web Server
📦Packet
fromreverse_proxy
toproxy
📄 payloadHTTP 200 OK
🔌 protocolHTTP
🚩 flags
src192.168.1.10:80
dstreverse_proxy_ip:54321
dataHTTP 200 OK
Backend server receives packet from reverse proxy
Backend server processes HTTP request and prepares response
Reverse proxy receives response from backend server
Proxy sends response packet back to client
Hop: 10
Client
Firewall
Proxy Server
Reverse Proxy
Web Server
📦Packet
fromproxy
toclient
📄 payloadHTTP 200 OK
🔌 protocolHTTP
🚩 flags
srcproxy_ip:54321
dst10.0.0.1:12345
dataHTTP 200 OK
Backend server processes HTTP request and prepares response
Reverse proxy receives response from backend server
Proxy receives response and forwards to client
Client completes receiving response
Hop: 11
Client
Firewall
Proxy Server
Reverse Proxy
Web Server
📦Packet
fromclient
📄 payloadHTTP 200 OK
🔌 protocolHTTP
🚩 flags
srcproxy_ip:54321
dst10.0.0.1:12345
dataHTTP 200 OK
Reverse proxy receives response from backend server
Proxy receives response and forwards to client
Client receives HTTP 200 OK response

Key Takeaways

Firewalls filter traffic based on security rules before any other processing.

This filtering step is often invisible in code but critical to network security.

Proxies act on behalf of clients, modifying requests to provide anonymity and caching.

Seeing header modifications visually clarifies how proxies mask client identity.

Reverse proxies protect backend servers by intercepting requests and responses, hiding server details.

The reverse proxy’s role is subtle but essential for security and load balancing.

Practice

(1/5)
1. Trace the sequence of events in TCP congestion control using AIMD when packet loss is detected via triple duplicate ACKs.
easy
A. Immediately stop sending data until timeout expires
B. Reset congestion window to 1 MSS and start slow start again
C. Cut congestion window to half, then increase linearly after each ACK
D. Ignore loss and continue increasing congestion window exponentially

Solution

  1. Step 1: Identify AIMD response to triple duplicate ACKs

    On triple duplicate ACKs, TCP performs fast retransmit and fast recovery, cutting congestion window to half.

  2. Step 2: Understand congestion window growth after loss

    After halving, TCP increases congestion window linearly (additive increase) to probe for available bandwidth.

  3. Step 3: Differentiate from timeout behavior

    Timeout triggers slow start (reset to 1 MSS), not triple duplicate ACKs.

  4. Step 4: Reject ignoring loss or stopping sending

    Ignoring loss or stopping immediately are incorrect TCP behaviors.

  5. Final Answer:

    Option C -> Option C

  6. Quick Check:

    Triple duplicate ACKs -> halve cwnd -> linear increase.
Hint: Triple duplicate ACKs -> fast retransmit + halve cwnd; timeout -> slow start.
Common Mistakes:
  • Confusing timeout and triple duplicate ACK loss signals
  • Assuming exponential growth continues after loss
  • Believing TCP stops sending immediately on loss
2. You are designing a live video streaming app where minimal delay is critical, and occasional frame loss is acceptable. Which transport protocol is most suitable?
easy
A. TCP, because it uses congestion control to avoid packet loss
B. TCP, because it guarantees delivery and order of packets
C. UDP, because it provides faster transmission without waiting for acknowledgments
D. UDP, because it establishes a connection before sending data

Solution

  1. Step 1: Identify the key requirement -- minimal delay with acceptable occasional loss

    Live video streaming prioritizes speed over perfect reliability.

  2. Step 2: Analyze TCP characteristics

    TCP guarantees delivery and order but introduces delay due to acknowledgments and retransmissions.

  3. Step 3: Analyze UDP characteristics

    UDP is connectionless and does not wait for acknowledgments, enabling faster transmission at the cost of possible packet loss.

  4. Step 4: Evaluate options

    UDP, because it provides faster transmission without waiting for acknowledgments correctly matches the scenario needs. TCP options prioritize reliability over speed. UDP does not establish a connection before sending data, so that option is incorrect.

  5. Final Answer:

    Option C -> Option C

  6. Quick Check:

    UDP is preferred for real-time applications where speed matters more than reliability.
Hint: Use UDP for speed when some loss is okay; TCP for reliability when loss is not acceptable.
Common Mistakes:
  • Assuming TCP is always better because it guarantees delivery
  • Believing UDP establishes a connection like TCP
  • Confusing congestion control with speed priority
3. Why might DHCP not be suitable for assigning IP addresses in a network with extremely high client churn and very short connection durations?
medium
A. Because the overhead of frequent DHCP Discover and Request messages can cause network congestion
B. Because DHCP cannot assign IP addresses dynamically in such environments
C. Because DHCP servers do not support IP address leasing
D. Because clients must manually configure IP addresses in such cases

Solution

  1. Step 1: Understand DHCP overhead

    Each new client connection triggers the DORA sequence, which adds network traffic.

  2. Step 2: Analyze impact of high churn

    Frequent IP requests can overload the DHCP server and increase broadcast traffic, causing congestion.

  3. Step 3: Evaluate other options

    Because DHCP cannot assign IP addresses dynamically in such environments is false; DHCP is designed for dynamic assignment. Because DHCP servers do not support IP address leasing is incorrect; DHCP supports leasing. Because clients must manually configure IP addresses in such cases is unrelated to DHCP limitations.

  4. Final Answer:

    Option A -> Option A

  5. Quick Check:

    High churn leads to excessive DHCP message overhead.
Hint: High churn -> many DHCP messages -> potential congestion
Common Mistakes:
  • Believing DHCP cannot assign dynamically in such cases
  • Confusing DHCP leasing with static assignment
  • Assuming manual configuration is required when DHCP is unsuitable
4. Why is it generally not advisable for a server to respond with a 2xx status code when the requested resource is actually missing but the server provides a default placeholder page instead?
medium
A. Because 2xx codes indicate success, which misleads clients and search engines about the resource's existence.
B. Because 2xx codes cause the client to retry the request unnecessarily.
C. Because 2xx codes trigger client-side caching that prevents future requests.
D. Because 2xx codes force the client to redirect to another URL.

Solution

  1. Step 1: Understand the semantics of 2xx status codes

    2xx codes mean the request succeeded and the resource is validly returned.

  2. Step 2: Analyze implications of sending 2xx for a missing resource

    Sending 2xx with a placeholder hides the fact the resource is missing, misleading clients and search engines.

  3. Step 3: Analyze options

    Because 2xx codes force the client to redirect to another URL. is incorrect because 2xx does not cause redirects.
    Because 2xx codes cause the client to retry the request unnecessarily. is incorrect because 2xx does not cause retries.
    Because 2xx codes trigger client-side caching that prevents future requests. is incorrect because caching depends on headers, not just status codes.
    Because 2xx codes indicate success, which misleads clients and search engines about the resource's existence. correctly states that 2xx indicates success, which misleads clients and search engines about the resource's existence.

  4. Final Answer:

    Option A -> Option A

  5. Quick Check:

    2xx means success; misusing it hides errors and breaks client expectations.
Hint: 2xx = success; don't fake success for missing resources
Common Mistakes:
  • Thinking 2xx can be used to mask missing resources
  • Believing 2xx causes retries or redirects
  • Confusing caching behavior with status codes
5. Why might NAT64 not be a suitable long-term solution for IPv6 transition despite enabling IPv6-only clients to access IPv4 servers?
medium
A. Because NAT64 requires all IPv4 addresses to be globally routable, which is not always true
B. Because NAT64 increases header size significantly, causing fragmentation issues
C. Because NAT64 cannot translate IPv6 multicast addresses to IPv4
D. Because NAT64 requires dual-stack support on all devices

Solution

  1. Step 1: Understand NAT64 limitations

    NAT64 translates IPv6 to IPv4 but depends on reachable IPv4 addresses.

  2. Step 2: Analyze options

    Because NAT64 requires all IPv4 addresses to be globally routable, which is not always true correctly identifies the limitation that many IPv4 addresses are private or non-routable, limiting NAT64's reach. Because NAT64 increases header size significantly, causing fragmentation issues is incorrect; NAT64 does not increase header size significantly. Because NAT64 cannot translate IPv6 multicast addresses to IPv4 is true but less critical as multicast translation is rare. Because NAT64 requires dual-stack support on all devices is false; NAT64 is used to avoid dual-stack on clients.

  3. Final Answer:

    Option A -> Option A

  4. Quick Check:

    NAT64 depends on globally routable IPv4 addresses, which limits its scope.
Hint: NAT64 needs reachable IPv4 addresses, which aren't always available [OK]
Common Mistakes:
  • Assuming NAT64 requires dual-stack everywhere
  • Overestimating header overhead in NAT64
  • Ignoring IPv4 address reachability constraints