Which firewall operates at the network layer and analyzes each packet using criteria such as source/destination IP, source/destination port, and protocol to decide to drop or forward?

Packet filtering firewall checks each packet's header information—source and destination IP addresses, source and destination ports, and protocol—to decide whether to drop or forward. This operates at the network layer (and at times the transport layer) and makes decisions based solely on header fields, without inspecting payload or tracking connection state. That simplicity and per-packet decision-making match the described behavior. Other firewall types go beyond header checks: circuit-level gateways focus on TCP session handshakes at the session layer, stateful multilayer inspection tracks connections across multiple layers, and application-level proxies terminate and inspect application data at the application layer. So the packet-filtering approach is the best fit for per-packet, header-based decisions at the network layer.