Before we start, one tiny reminder so no symbol is used unearned.
The shared ruleset for the whole page (identical to the parent's table):
#
Dir
Proto
Src
Dst
Dst Port
Flag
Action
1
out
TCP
10.0.0.0/24
any
80, 443
—
ALLOW
2
in
TCP
any
10.0.0.0/24
> 1023
ACK=1
ALLOW
3
*
*
any
any
any
—
DENY
Here "10.0.0.0/24" means "any address whose first three numbers are 10.0.0" — the internal LAN. Ports > 1023 are the ephemeral (temporary) ports a client picks for itself.
This is a stateless (static / packet) filter — decision = f(this packet's header, rules).
The header trick for return traffic is: allow inbound only if the TCP ACK bit = 1, because
the first packet of any new connection is a lone SYN (ACK=0) and every later packet has ACK=1.
Recall Solution 1.2
50000 is the ephemeral client port (> 1023, chosen by the laptop). 443 is the well-known
service port (HTTPS). The client always dials the server's fixed door; it answers from a
temporary door of its own.
Stateless: direction = out, proto = TCP, dst port = 443 → matches rule #1 → ALLOW.
No entry created (it has no table).
Stateful: matches the same outbound policy → ALLOWand creates the entry
(10.0.0.5,93.184.216.34,50000,443,TCP,state=SYN_SENT)
The firewall now remembers this conversation. See the flow in the figure below.
Recall Solution 2.2
Stateless: direction = in, dst = 10.0.0.5 (inside /24), dst port 50000 > 1023, ACK=1
→ matches rule #2 → ALLOW. It trusts the flag, not the conversation.
Stateful: look up the reverse 5-tuple — swap src/dst so the row from 2.1 matches —
entry found → ALLOW, update state SYN_SENT → ESTABLISHED. Decision made on real memory.
Stateless: in, dst inside 10.0.0.0/24, dst port 50000 > 1023, ACK=1 → matches rule #2
→ ALLOW (BAD). This is the ACK scan / spoofed-probe weakness: a lone forged ACK is
indistinguishable, header-wise, from a genuine reply.
Stateful: canonicalise and look up the 5-tuple → no matching entry (no SYN was ever sent
to 66.66.66.66) → DROP (GOOD). Memory beats the flag trick.
The two decision paths are contrasted in the figure below.
Recall Solution 3.2
Only the first outbound SYN hits the full rulebase → 1 full-rulebase evaluation.
Every other packet is matched against the state table. Total packets:
1+1+1+40+2=45.
Table lookups (all packets after the first) =45−1=44. This is why stateful firewalls are
fast on established flows: the expensive check happens once per connection, not once per packet.
The data port P is negotiated at runtime and differs per session. A stateless filter has
no way to learn P, so its only options are (a) permanently open a huge inbound port range
(a gaping hole), or (b) block the data connection entirely (FTP breaks). Both are bad.
The fix is a stateful ALG (Application-Layer Gateway), from
Application Layer Gateways / Proxies: it reads the FTP control channel, parses the
announced port P, and opens exactly that one port temporarily, tearing it down when the
transfer ends. State lets the firewall react to what the protocol is doing rather than guess in
advance.
Recall Solution 4.2
Stateless:
#
Dir
Proto
Dst Port
Flag
Action
1
out
TCP
443
—
ALLOW
2
out
UDP
53
—
ALLOW
3
in
TCP
>1023
ACK=1
ALLOW
4
in
UDP
>1023
—
ALLOW
5
*
*
any
—
DENY
Stateful:
#
Dir
Proto
Dst Port
Action
1
out
TCP
443
ALLOW + track
2
out
UDP
53
ALLOW + track
3
in
any
—
ALLOW iff in state table
4
*
*
any
DENY
The field stateless cannot protect: UDP has no ACK bit. Rule #4 in the stateless version
lets any inbound UDP to a high port through — an attacker can spray forged UDP replies. The
stateful box only admits UDP that matches a tracked outbound DNS query (matched by 5-tuple +
short timeout), closing that hole.
Entries accumulate for the timeout window T before old ones expire, so at steady state the
table holds about r×T entries. To fill capacity C:
r×T≥C⟹r≥TC.(a)r≥601,000,000≈16,667 SYNs/second.
(b)r≥101,000,000=100,000 SYNs/second — a shorter timeout forces the
attacker to a 6× higher rate, harder to sustain and easier to spot.
(c) The stateless box stores nothing per connection, so there is no finite table to
exhaust — it simply rate-limits or forwards each SYN and moves on.
Recall Solution 5.2
Edge, stateless fast ACLs (Access Control Lists (ACLs)) drop obviously bad subnets and
rate-limit at line rate — cheap, DoS-resistant first sieve.
Stateful core tracks the 5-tuple (OSI Model — Layers 3 and 4 fields) so return traffic
is automatic and forged ACKs are dropped (Exercise 3.1).
SYN cookies + short half-open timeout protect the state table (Exercise 5.1) against
Denial of Service Attacks — the firewall answers SYNs without allocating an entry until the
handshake completes.
ALGs (Application Layer Gateways / Proxies) open dynamic FTP/SIP data ports on demand
(Exercise 4.1).
Network Address Translation (NAT) already keeps a translation table per flow, so it
naturally reinforces the stateful return-traffic logic.
Principle:Filter cheaply and statelessly at the edge; track state where accuracy matters;
never let the state table become the single point an attacker can exhaust.
Recall Master recall (cloze)
The forgetful firewall type ::: stateless (static / packet filter)
The field it (ab)uses to allow return TCP traffic ::: the ACK bit
Why the ACK trick fails ::: an attacker can forge ACK=1 with no real connection
What a stateful firewall stores per flow ::: a state-table row (5-tuple + TCP state)
The DoS a stateful box is uniquely vulnerable to ::: SYN flood (state exhaustion)
Why UDP needs stateful/ALG, not the ACK trick ::: UDP has no flags — no first-vs-reply bit
The helper that opens dynamic FTP data ports ::: an ALG (application-layer gateway)