Intuition The one-sentence idea
A firewall is a security guard at the network's door deciding which packets to let in/out.
A stateless guard checks each packet's "ID card" in isolation; a stateful guard
remembers who he already let in and uses that memory to make smarter decisions.
The internet delivers any packet to any reachable IP. Without filtering, the whole world can
knock on every port of your machine — scanning, exploiting, flooding. A firewall reduces the
attack surface by enforcing a policy: "only this kind of traffic is allowed; drop the rest."
The cheapest place to enforce policy is by inspecting packet headers , before the data
ever reaches an application.
Definition Packet filtering
Packet filtering = examining the header fields of each packet (IP addresses, protocol,
port numbers, TCP flags) and applying an ordered list of rules that either ALLOW or
DENY/DROP the packet. The default is usually deny-by-default (anything not explicitly
allowed is dropped).
The header fields a filter typically reads:
Layer
Field
Example use
IP (L3)
Source / Dest IP
block a bad subnet
IP (L3)
Protocol (TCP/UDP/ICMP)
allow only TCP
TCP/UDP (L4)
Source / Dest port
allow dst 443 (HTTPS)
TCP (L4)
Flags (SYN, ACK, FIN, RST)
spot connection starts
Definition Stateless (packet) filter
Judges each packet on its own , with no memory of past packets. Decision = f(this
packet's header, rule list). Also called a static or packetfilter .
Definition Stateful (inspection) filter
Keeps a connection state table (a.k.a. flow table ). It tracks each active connection
(its 5-tuple + TCP state) and judges a packet by asking: "Does this packet belong to a
connection I already approved?" Decision = f(this packet, + remembered connection state ).
Intuition The 5-tuple = a connection's fingerprint
A connection is identified by the 5-tuple :
( srcIP , dstIP , srcPort , dstPort , protocol ) (\text{srcIP},\ \text{dstIP},\ \text{srcPort},\ \text{dstPort},\ \text{protocol}) ( srcIP , dstIP , srcPort , dstPort , protocol )
The stateful firewall stores one row per active 5-tuple plus its TCP phase (e.g. SYN_SENT,
ESTABLISHED). That memory is the whole difference.
Intuition The core problem
You want to allow your laptop to browse the web (outbound to port 443) and receive the
reply. But the reply is an inbound packet. A stateless filter has no memory that you started
the conversation, so it must allow inbound packets using header tricks — which is leaky.
The classic stateless trick: allow inbound TCP packets only if they have the ACK bit set .
Intuition WHY the ACK trick works (mostly)
The very first packet of a new TCP connection is a SYN with ACK=0. Every later packet of
an established connection has ACK=1. So "allow inbound only if ACK=1" lets replies through
while blocking the first packet of a new inbound connection an attacker would send.
Example stateless ruleset (allow internal hosts to reach web servers, block new inbound conns):
#
Dir
Proto
Src
Dst
Dst Port
Flag
Action
1
out
TCP
10.0.0.0/24
any
80,443
—
ALLOW
2
in
TCP
any
10.0.0.0/24
>1023
ACK=1
ALLOW
3
*
*
any
any
any
—
DENY
Common mistake Steel-man: "The ACK trick is just as safe as stateful."
Why it feels right: real replies always have ACK=1, and the first inbound SYN is blocked,
so it seems watertight. Why it's wrong: an attacker can hand-craft a packet with ACK=1
that does not belong to any real connection. The stateless filter sees ACK=1, matches
rule #2, and lets it in — an ACK scan / spoofed-packet probe. A stateful filter checks its
table, finds no matching connection , and drops it. Fix: use stateful tracking, or at
least understand the residual risk of the ACK trick.
Intuition HOW — the connection life cycle
Outbound SYN leaves → firewall checks rules → if allowed, creates a state entry
(5-tuple, state = SYN_SENT).
Inbound SYN-ACK arrives → firewall looks up the table → matches the pending entry →
allows it automatically and updates state → SYN_RCVD/ESTABLISHED.
Subsequent data packets → matched to the ESTABLISHED entry → allowed without re-checking
the full rulebase (fast).
FIN/RST or a timeout → entry removed → future packets for that 5-tuple are dropped.
Worked example Example 2 — The legitimate reply
Server replies 93.184.216.34:443 → 10.0.0.5:50000, SYN-ACK.
Stateless: inbound, dst port 50000 (>1023), ACK=1 → matches rule #2 → ALLOW.
Why this step? It can only "trust the flag," not the conversation.
Stateful: look up reverse 5-tuple → entry exists → ALLOW, update to ESTABLISHED.
Why this step? Decision based on real memory , not a guessable flag.
Worked example Example 3 — Attacker's spoofed ACK probe
Attacker 66.66.66.66:80 → 10.0.0.5:50000 with ACK=1 , no prior handshake.
Stateless: inbound, port >1023, ACK=1 → matches rule #2 → ALLOW (BAD!) .
Why this step? The filter cannot tell a real reply from a forged ACK.
Stateful: look up 5-tuple → not in table → DROP (GOOD!) .
Why this step? No remembered connection ⇒ the packet is unsolicited.
Worked example Example 4 — Why stateful is needed for FTP / UDP
Active-mode FTP opens a second data connection on dynamic ports. A stateless rule would have
to open a huge port range permanently. A stateful firewall has an ALG (application-layer
gateway) helper that reads the FTP control channel, learns the negotiated data port, and
opens exactly that one temporarily. Why this step? State lets the firewall react to what
the protocol is doing, instead of guessing in advance.
Aspect
Stateless
Stateful
Memory of connections
None
Connection/state table
Return traffic
flag tricks (ACK)
automatic via table
Security vs spoofed packets
weak
strong
Memory / CPU cost
very low
higher (per-flow state)
Speed per packet
constant, simple
fast on established, table lookup
DoS via state exhaustion
not vulnerable
vulnerable (SYN flood fills table)
Dynamic protocols (FTP/SIP)
poor
good (ALGs)
Common mistake Steel-man: "Stateful is strictly better, so always use it."
Why it feels right: it's more accurate and handles return traffic cleanly. Why it's
incomplete: the state table is finite memory . A SYN-flood sends millions of half-open
SYNs, each creating an entry, exhausting RAM — a DoS the stateless box would shrug off.
Fix: combine with SYN cookies / rate limiting; choose per use case. Routers' fast ACLs are
often deliberately stateless.
Recall Feynman: explain to a 12-year-old
Imagine a doorman at a party. A forgetful doorman (stateless) checks each person's ticket
every single time but never remembers anyone — so a sneaky kid who says "I already came out, I'm
just going back in" can fool him if he wears the right badge. A smart doorman (stateful) keeps
a guest list of everyone he let in. When someone wants back in, he checks the list. If your
name isn't there, you don't get in — no matter what badge you wave. The smart doorman is safer,
but if a huge crowd rushes him with fake names, his notebook fills up and he gets overwhelmed.
"State = Slate." A stateful firewall writes connections on a slate (it remembers).
A stateless firewall has no slate — it forgets each packet. And the trick word for
return traffic: "ACK = Already Came (b)acK" — ACK=1 means it claims to be returning, but
only the slate can prove it.
What identifies a single connection in a firewall state table? The 5-tuple: srcIP, dstIP, srcPort, dstPort, protocol
Key difference between stateless and stateful filtering? Stateless judges each packet alone with no memory; stateful keeps a connection state table and checks if a packet belongs to an approved connection.
What header trick lets a stateless filter allow return traffic? Allow inbound TCP only if the ACK bit is set (ACK=1), since new connections start with a SYN (ACK=0).
Why is the ACK trick insecure? An attacker can forge a packet with ACK=1 that belongs to no real connection; stateless lets it in, stateful drops it (no matching table entry).
What flag distinguishes the first packet of a new TCP connection? SYN with ACK=0.
What happens in a stateful firewall when an outbound SYN is allowed? It creates a state-table entry (5-tuple, state SYN_SENT) so the reply is automatically permitted.
What attack specifically exploits stateful firewalls but not stateless ones? SYN flood / state-table exhaustion — many half-open connections fill the finite state table (DoS).
Why does active-mode FTP need a stateful firewall? It opens a second data connection on a dynamically negotiated port; an ALG reads the control channel and opens exactly that port temporarily.
Default policy of a well-configured firewall? Deny-by-default: drop anything not explicitly allowed.
When is a state entry removed? On TCP FIN/RST teardown or after an idle timeout.
TCP Three-Way Handshake — SYN/SYN-ACK/ACK is why the ACK trick and state tracking work.
TCP Flags (SYN ACK FIN RST) — the bits a filter reads.
Network Address Translation (NAT) — also keeps a per-flow table, conceptually stateful.
Access Control Lists (ACLs) — router ACLs are the classic stateless implementation.
Denial of Service Attacks — SYN flood vs state exhaustion.
OSI Model — Layers 3 and 4 — which headers live where.
Application Layer Gateways / Proxies — deeper inspection beyond headers.
judges each packet, no memory
Firewall = security guard
Packet filtering on headers
Intuition Hinglish mein samjho
Socho firewall ek darwaaze ka guard hai jo decide karta hai kaun-sa packet andar/bahar jaa sakta
hai. Stateless filter har packet ko alag-alag dekhta hai — uski koi memory nahi hoti. Wo bas
header fields (source/dest IP, port, TCP flags) padhta hai aur rule list ke hisaab se ALLOW ya DROP
karta hai. Problem ye hai: jab aap web browse karte ho (outbound port 443), to reply inbound
aata hai. Stateless ko yaad nahi ki aapne conversation start ki thi, isliye wo ek trick use karta
hai — "inbound packet tabhi allow karo jab uska ACK bit set ho." Kyunki naye connection ka pehla
SYN packet ACK=0 hota hai, aur baad ke saare packets ACK=1.
Lekin yahin pe loophole hai. Attacker khud se ek fake packet bana sakta hai jismein ACK=1 hai,
bina kisi real handshake ke. Stateless filter sochta hai "ACK hai, matlab reply hoga" aur use
andar aane deta hai — ye hai ACK scan / spoof attack . Stateful firewall yahan smart nikalta
hai: wo ek state table rakhta hai jismein har active connection ka 5-tuple (srcIP, dstIP,
srcPort, dstPort, protocol) aur uska TCP state stored hota hai. Jab spoofed ACK aata hai, firewall
table mein dekhta hai, koi matching entry nahi milti, to seedha DROP .
Stateful zyada safe hai, return traffic automatically handle karta hai, aur FTP jaise dynamic
protocols ke liye ALG helper se exact port temporarily open karta hai. Par ek catch: state table
ki memory limited hai. SYN flood attack mein attacker laakhon half-open SYN bhejta hai, table
bhar jaata hai, aur firewall thak jaata hai (DoS). Stateless is se affect nahi hota kyunki wo kuch
yaad hi nahi rakhta. Yaad rakhne ka tareeka: "State = Slate" — stateful ke paas slate (notebook)
hai jis pe wo connections likhta hai; stateless ke paas slate nahi, sab bhool jaata hai. Exam aur
real-world dono mein: jab security chahiye to stateful, jab pure speed/simple ACL chahiye to
stateless.