4.3.29 · D5Computer Networks

Question bank — Firewalls — stateless vs stateful packet filtering

1,347 words6 min readBack to topic

True or false — justify

A stateless firewall keeps no memory of past packets.
True. It decides on this packet's header alone against the rule list; every packet is judged as if it were the first one ever seen.
A stateful firewall never needs explicit rules, only its state table.
False. The first packet of a new connection (the outbound SYN) has no table entry yet, so it must be judged by an explicit ALLOW/DENY rule before any state is created.
"Allow inbound only if ACK=1" is enough to block all unsolicited inbound connections.
False. It blocks the initial SYN (ACK=0), but an attacker can hand-craft a lone packet with ACK=1 that matches no real connection — the stateless filter still lets it in (see TCP Flags (SYN ACK FIN RST)).
A stateful firewall is always more secure than a stateless one.
Mostly for spoofed-packet filtering, but not against every threat: its finite state table can be exhausted by a SYN flood, a DoS that a stateless box shrugs off.
The 5-tuple uniquely identifies an active connection.
True in practice. pins down one flow direction; the firewall stores it plus the TCP phase so both directions map to one remembered conversation.
Stateless filtering is obsolete and should never be used.
False. Its constant-time, memoryless simplicity makes it ideal for high-speed router Access Control Lists (ACLs) and it is immune to state-exhaustion DoS — it has a real niche.
A stateful firewall re-checks the full rulebase for every packet of an established connection.
False. Once ESTABLISHED, packets are matched to the table entry directly — a fast lookup — precisely to avoid re-running the whole ordered ruleset each time.
Deny-by-default means the firewall drops any packet not explicitly allowed.
True. The final catch-all rule is DENY, so a packet that matches no ALLOW rule above it falls through and is dropped — safer than allow-by-default.

Spot the error

"Rule #2 allows inbound ACK=1 to any port, so it is safe."
The error is "safe." Any port >1023 with ACK=1 is allowed, so a forged ACK to a high port slips through; the flag proves nothing about a real conversation existing.
"The return SYN-ACK is inbound, so a deny-by-default stateless firewall must block it."
The error: return traffic is rescued by the ACK trick (or by stateful memory). A SYN-ACK actually has ACK=1, so it matches the inbound-ACK ALLOW rule and gets through.
"Stateful firewalls open no ports for active-mode FTP because they track state."
The error is "open no ports." Active FTP needs a second data connection on a dynamic port; an ALG helper reads the control channel and opens exactly that one port temporarily — it does open one, just precisely.
"A stateless filter can track the TCP handshake through SYN → SYN-ACK → ACK."
The error: tracking a sequence requires memory, which is exactly what stateless lacks. It sees three unrelated packets and judges each by header alone.
"NAT and stateful firewalling are the same thing."
The error is conflation. Network Address Translation (NAT) rewrites addresses/ports and does keep a mapping table, but its purpose is address sharing, not policy enforcement — though both rely on remembered flows.
"Because packets carry ports, port fields live at Layer 3."
The error: ports are a Layer 4 (transport) field. IPs are Layer 3; see OSI Model — Layers 3 and 4 — a filter reading ports is inspecting L4.
"A firewall with a huge port range permanently open is equivalent to a stateful one for FTP."
The error: a permanent wide range is a standing hole an attacker can hit anytime, whereas the stateful ALG opens one port for one connection and closes it — far smaller attack surface.

Why questions

Why does the very first packet of a new TCP connection have ACK=0?
Because there is nothing to acknowledge yet — the SYN opens the conversation, so no prior sequence number exists to confirm (see TCP Three-Way Handshake).
Why can a stateless filter be immune to state-exhaustion DoS?
It stores nothing per connection, so there is no table to fill; each SYN is judged and forgotten, costing constant memory regardless of flood size.
Why does a stateful firewall drop the attacker's spoofed ACK but a stateless one allows it?
The stateful box looks up the packet's 5-tuple, finds no matching approved connection, and drops it; the stateless box has no table to consult and trusts the ACK flag alone.
Why is the return rule so much simpler on a stateful firewall?
Because — the remembered connection is the rule, replacing fragile flag-based inbound rules with a direct membership check.
Why does removing the state entry on FIN/RST matter for security?
Once the connection closes, its 5-tuple should no longer be trusted; keeping the entry would let a late spoofed packet reuse a closed flow's "permission."
Why is packet filtering the cheapest place to enforce policy?
It reads only header fields and decides before the payload reaches any application, so bad traffic is dropped early without spending application-layer CPU.

Edge cases

What happens to a packet whose 5-tuple matches an entry that just timed out?
It is treated as unsolicited — the entry is gone, so a stateful firewall re-evaluates it against explicit rules and (deny-by-default) drops it unless a rule allows it.
A UDP "connection" has no SYN/ACK — how does a stateful firewall track it?
It creates a pseudo-state entry on the first outbound UDP packet (5-tuple) and allows return packets matching it for a short timeout, since UDP gives no explicit close.
An outbound SYN is allowed and a state entry created, but no SYN-ACK ever returns — what happens?
The half-open entry sits in SYN_SENT until a timeout expires and is then removed; mass-producing such half-opens is exactly the SYN-flood exhaustion attack.
A packet arrives with both SYN and ACK set but matches no table entry — allow or drop?
A stateful firewall drops it: a lone SYN-ACK with no prior outbound SYN belongs to no approved connection (this is a classic scan/spoof probe).
If two internal hosts pick the same source port to the same server, do their flows collide in the table?
No — the 5-tuple includes distinct source IPs, so the tuples differ and each gets its own entry; that is why all five fields are needed.
What does a firewall do with an ICMP echo-reply when no echo-request went out?
A stateful firewall finds no matching request state and drops it as unsolicited; a naive stateless "allow all ICMP" rule would let it through, aiding reconnaissance.

Recall One-line self-test before you leave

Cover the answers: can you say why the ACK trick leaks, why stateful is DoS-vulnerable, and why the first packet always needs an explicit rule? If yes, you own this topic.