Firewall

2 Posts

Five-Tuple

8 minute

When people analysing packet captures say “see whether the five-tuple changed,” they are not using another name for a TCP connection. The five-tuple (source address, source port, destination address, destination port, and protocol) is the smallest practical identifier for a network flow. NAT, firewalls, load balancers, and connection tracking all depend on it.

Looking at only one IP address is not enough. Two hosts can have many simultaneous connections, even to the same service. Looking at only one port is not enough either, because the same port numbers repeat across different hosts. The network and the kernel need a combination that is small enough to operate on and stable enough to answer questions like: is this the same flow, is this a return packet, and should this state table entry be reused?


Firewall

11 minute

Many network failures look like “the service never started”, “the port is not listening”, or “the peer did not reply”. When you keep tracing them, you often discover a firewall policy boundary in the middle. The application thinks it is only connecting to 443. Operations thinks only one security-group rule was opened. The user thinks “if ping works, access should work too”. In reality, the traffic is often being judged by a device or host in the middle that decides whether this flow is allowed to pass.
