4.3.29Computer Networks

Firewalls — stateless vs stateful packet filtering

2,415 words11 min readdifficulty · medium1 backlinks

WHY do firewalls exist at all?

The header fields a filter typically reads:

Layer Field Example use
IP (L3) Source / Dest IP block a bad subnet
IP (L3) Protocol (TCP/UDP/ICMP) allow only TCP
TCP/UDP (L4) Source / Dest port allow dst 443 (HTTPS)
TCP (L4) Flags (SYN, ACK, FIN, RST) spot connection starts

WHAT is the difference? Stateless vs Stateful

Figure — Firewalls — stateless vs stateful packet filtering

HOW does a stateless filter handle return traffic? (the hard part)

The classic stateless trick: allow inbound TCP packets only if they have the ACK bit set.

Example stateless ruleset (allow internal hosts to reach web servers, block new inbound conns):

# Dir Proto Src Dst Dst Port Flag Action
1 out TCP 10.0.0.0/24 any 80,443 ALLOW
2 in TCP any 10.0.0.0/24 >1023 ACK=1 ALLOW
3 * * any any any DENY

HOW does a stateful filter work? (step by step)


Worked examples


Trade-offs summary

Aspect Stateless Stateful
Memory of connections None Connection/state table
Return traffic flag tricks (ACK) automatic via table
Security vs spoofed packets weak strong
Memory / CPU cost very low higher (per-flow state)
Speed per packet constant, simple fast on established, table lookup
DoS via state exhaustion not vulnerable vulnerable (SYN flood fills table)
Dynamic protocols (FTP/SIP) poor good (ALGs)

Recall Feynman: explain to a 12-year-old

Imagine a doorman at a party. A forgetful doorman (stateless) checks each person's ticket every single time but never remembers anyone — so a sneaky kid who says "I already came out, I'm just going back in" can fool him if he wears the right badge. A smart doorman (stateful) keeps a guest list of everyone he let in. When someone wants back in, he checks the list. If your name isn't there, you don't get in — no matter what badge you wave. The smart doorman is safer, but if a huge crowd rushes him with fake names, his notebook fills up and he gets overwhelmed.


Active recall

What identifies a single connection in a firewall state table?
The 5-tuple: srcIP, dstIP, srcPort, dstPort, protocol
Key difference between stateless and stateful filtering?
Stateless judges each packet alone with no memory; stateful keeps a connection state table and checks if a packet belongs to an approved connection.
What header trick lets a stateless filter allow return traffic?
Allow inbound TCP only if the ACK bit is set (ACK=1), since new connections start with a SYN (ACK=0).
Why is the ACK trick insecure?
An attacker can forge a packet with ACK=1 that belongs to no real connection; stateless lets it in, stateful drops it (no matching table entry).
What flag distinguishes the first packet of a new TCP connection?
SYN with ACK=0.
What happens in a stateful firewall when an outbound SYN is allowed?
It creates a state-table entry (5-tuple, state SYN_SENT) so the reply is automatically permitted.
What attack specifically exploits stateful firewalls but not stateless ones?
SYN flood / state-table exhaustion — many half-open connections fill the finite state table (DoS).
Why does active-mode FTP need a stateful firewall?
It opens a second data connection on a dynamically negotiated port; an ALG reads the control channel and opens exactly that port temporarily.
Default policy of a well-configured firewall?
Deny-by-default: drop anything not explicitly allowed.
When is a state entry removed?
On TCP FIN/RST teardown or after an idle timeout.

Connections

  • TCP Three-Way Handshake — SYN/SYN-ACK/ACK is why the ACK trick and state tracking work.
  • TCP Flags (SYN ACK FIN RST) — the bits a filter reads.
  • Network Address Translation (NAT) — also keeps a per-flow table, conceptually stateful.
  • Access Control Lists (ACLs) — router ACLs are the classic stateless implementation.
  • Denial of Service Attacks — SYN flood vs state exhaustion.
  • OSI Model — Layers 3 and 4 — which headers live where.
  • Application Layer Gateways / Proxies — deeper inspection beyond headers.

Concept Map

enforces via

default is

reduces

implemented as

implemented as

judges each packet, no memory

solved leakily by

remembers using

one row per

checks membership of

cleanly handles

Firewall = security guard

Packet filtering on headers

Deny-by-default policy

Stateless filter

Stateful filter

5-tuple fingerprint

Connection state table

ACK-bit trick

Return traffic problem

Reduced attack surface

Hinglish (regional understanding)

Intuition Hinglish mein samjho

Socho firewall ek darwaaze ka guard hai jo decide karta hai kaun-sa packet andar/bahar jaa sakta hai. Stateless filter har packet ko alag-alag dekhta hai — uski koi memory nahi hoti. Wo bas header fields (source/dest IP, port, TCP flags) padhta hai aur rule list ke hisaab se ALLOW ya DROP karta hai. Problem ye hai: jab aap web browse karte ho (outbound port 443), to reply inbound aata hai. Stateless ko yaad nahi ki aapne conversation start ki thi, isliye wo ek trick use karta hai — "inbound packet tabhi allow karo jab uska ACK bit set ho." Kyunki naye connection ka pehla SYN packet ACK=0 hota hai, aur baad ke saare packets ACK=1.

Lekin yahin pe loophole hai. Attacker khud se ek fake packet bana sakta hai jismein ACK=1 hai, bina kisi real handshake ke. Stateless filter sochta hai "ACK hai, matlab reply hoga" aur use andar aane deta hai — ye hai ACK scan / spoof attack. Stateful firewall yahan smart nikalta hai: wo ek state table rakhta hai jismein har active connection ka 5-tuple (srcIP, dstIP, srcPort, dstPort, protocol) aur uska TCP state stored hota hai. Jab spoofed ACK aata hai, firewall table mein dekhta hai, koi matching entry nahi milti, to seedha DROP.

Stateful zyada safe hai, return traffic automatically handle karta hai, aur FTP jaise dynamic protocols ke liye ALG helper se exact port temporarily open karta hai. Par ek catch: state table ki memory limited hai. SYN flood attack mein attacker laakhon half-open SYN bhejta hai, table bhar jaata hai, aur firewall thak jaata hai (DoS). Stateless is se affect nahi hota kyunki wo kuch yaad hi nahi rakhta. Yaad rakhne ka tareeka: "State = Slate" — stateful ke paas slate (notebook) hai jis pe wo connections likhta hai; stateless ke paas slate nahi, sab bhool jaata hai. Exam aur real-world dono mein: jab security chahiye to stateful, jab pure speed/simple ACL chahiye to stateless.

Go deeper — visual, from zero

Test yourself — Computer Networks

Connections