Dual-Homed and Triple-Homed Firewalls

Firewalls, specifically hardware appliance firewalls, typically have two or more network interfaces. A firewall with two interfaces is known as a dual-homed firewall, while a firewall with three interfaces is known as a triple-homed firewall or a three-legged firewall.

The benefit of multiple interfaces is that the segments, subnets, or networks connected to each firewall interface are electronically isolated from each other. This prevents unfiltered traffic from leaping from one segment to another in an attempt to bypass firewall filtering.

However, for software firewalls using multiple interfaces, you need to ensure that the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol feature called IP forwarding is disabled. IP forwarding is actually a router rule that allows traffic from one interface to exit another interface without needing to move any further up the protocol stack than where IP resides. In many cases, IP forwarding allows packets to bypass filtering. If the system is to function as a firewall, you should disable this feature.
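The IP forwarding check described above, as an added example that is not from the book: a POSIX shell helper that audits `sysctl -a`-style output for the Linux kernel keys that turn a host into a router (`net.ipv4.ip_forward`, `net.ipv6.conf.*.forwarding`) and, only when `disable_forwarding` is invoked as root, turns forwarding off and persists it. The file path `/etc/sysctl.d/90-no-forwarding.conf` and the sample values are assumptions.

```shell
#!/bin/sh
# Added example (not from the book): audit IP forwarding on a multi-homed
# Linux host that is meant to filter between segments, not route between them.

# sysctl keys that make the kernel forward packets between interfaces.
FORWARD_KEYS="net.ipv4.ip_forward net.ipv6.conf.all.forwarding net.ipv6.conf.default.forwarding"

# is_forwarding_key KEY -> exit 0 if KEY controls forwarding, 1 otherwise.
is_forwarding_key() {
    case "$1" in
        net.ipv4.ip_forward|net.ipv4.conf.*.forwarding|net.ipv6.conf.*.forwarding) return 0 ;;
        *) return 1 ;;
    esac
}

# count_forwarding_enabled: reads "key = value" lines (the format of `sysctl -a`)
# on stdin, reports each forwarding key that is not 0 on stderr, and prints
# the number of such keys on stdout. Works on captured output from any host.
count_forwarding_enabled() {
    n=0
    while IFS= read -r line; do
        # Split "key = value" or "key=value" into key ($1) and value ($2).
        set -- $(printf '%s\n' "$line" | tr '=' ' ')
        [ $# -ge 2 ] || continue
        if is_forwarding_key "$1" && [ "$2" != "0" ]; then
            echo "forwarding enabled: $1 = $2" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# live_sysctl_lines: emits the current values of FORWARD_KEYS from /proc/sys
# in "key = value" form, so they can be piped into count_forwarding_enabled.
live_sysctl_lines() {
    for k in $FORWARD_KEYS; do
        f="/proc/sys/$(printf '%s' "$k" | tr . /)"
        [ -r "$f" ] && echo "$k = $(cat "$f")"
    done
}

# disable_forwarding: set every forwarding key to 0 now and persist the
# setting across reboots (assumed path). Requires root; never called implicitly.
disable_forwarding() {
    conf=/etc/sysctl.d/90-no-forwarding.conf
    : > "$conf"
    for k in $FORWARD_KEYS; do
        sysctl -q -w "$k=0"
        echo "$k = 0" >> "$conf"
    done
}

# Constructed sample in `sysctl -a` format (two forwarding keys left enabled).
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 1'
```

On a real host, `live_sysctl_lines | count_forwarding_enabled` should print `0` for a firewall; a non-zero count means packets can cross interfaces below the filtering layer.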

Software host firewalls are most often single-homed firewalls, since the host has only a single NIC. This is acceptable, since the software host firewall is not providing sentry services between network segments, except between the host and the network.

While firewalls with four or more interfaces are possible, these are rarely deployed. Such a configuration requires significantly more complex filtering and routing rules to operate effectively. It’s also a significant single point of failure and a bottleneck to traffic flow between multiple network segments.

NOTE

If a system is to function as a router rather than a firewall, IP forwarding might be a desirable function.

IPv4 Versus IPv6 Firewalls

No real distinction exists between a firewall designed for IPv4 and one designed for IPv6. Many firewalls can already support both versions of IP. If you are planning to migrate to IPv6 or have already started the conversion process, be sure your firewalls support IPv6.

A small issue affects filtering between IPv6 and IPv4 subnets. A protocol translation tool can support interaction between networks using different versions of IP. This translation tool is called Network Address Translation–Protocol Translation (NAT-PT) and was defined in RFC 2766 by the IETF. Be sure your selected firewall supports NAT-PT if you plan to communicate across an IP version barrier.

If you would like to read more on this translation issue or gain further understanding about IPv6, please visit:
