TCP/IP has port numbers which indicate services that packets
should go to.
Firewalls inspect each packet going in and out of the
network, applying pattern matches on port numbers (and other
fields).
Firewalls can prevent packets entering or leaving
networks for some services.
Filters can be triggered and stateful eg if a Telnet connection
is ongoing to a host, then allow X connections from that host to the
telnet source, otherwise disallow X connections.
Genrally routed through static routed installed at ingress
points for networks, although can be more distributed eg through
tunneling.