# Concepts

## Firewall

The Firewall is a set of smart contracts that work together to provide a robust on-chain security layer for your protocol. When a transaction is sent to your protocol, it first reaches the Firewall *(through our function modifiers, or with our Firewall Proxy)*, which checks the transaction against a set of security policies.

Once the transaction is allowed to proceed, your protocol executes the transaction as normal.

After your protocol has finished executing the transaction, the Firewall runs additional Post-Execution policies to make sure the transaction did not change your protocol's state in a way that violates your business logic *(if it did, the transaction will be reverted and your protocol remains unharmed)*.

<figure><img src="/files/MJxi8o9lRBLaM8HC6KmN" alt=""><figcaption></figcaption></figure>

## Policy

A Policy is a set of security rules that define what transactions can or can't do on your protocol. Each policy is a specialized smart contract that is engineered to surgically detect and prevent an attack vector.

Policies are owned and deployed by you - the protocol owner - allowing you to apply the same governance requirements of your protocol to your security policies.

## On-chain & Off-chain

The Firewall is a fully on-chain solution, meaning all the security policies are deployed on-chain and are run on-chain. This allows the Firewall to provide robust security to your protocol in real-time. Unless otherwise stated, all of our security policies run strictly on-chain - i.e. as smart contracts that run on the blockchain itself.

Some Policies *(such as the* [*Approved Calls with Signature*](/firewall/policies/approved-calls.md)*)* can provide an additional layer of security to protect against select behaviors by integrating with off-chain services.

Off-chain services run on standard Web2 infrastructure, and are not part of the blockchain itself.

## Signer API

For extra-sensitive transactions that require an additional layer of security checks, we created the Signer API. Coupled with the [Approved Calls with Signature](/firewall/policies/approved-calls.md) policy, this API allows Firewall Consumers to acquire a secure signature for transaction data before allowing it to go on-chain.

An end user will send their transaction to this API, where it will go through advanced off-chain security checks. If all checks pass, the user will receive a secure signature that they can use to pre-approve the transaction on-chain. Otherwise, the transaction will not be allowed to pass through the [Firewall](#firewall).

