LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is stateful inspection, and how does keeping a connection table solve the problems of pure packet filters?

Stateful inspection = "packet filtering with a memory." The firewall maintains a connection table of every active session (source/dest IP, ports, sequence numbers). Incoming packets are matched against this table — if they're part of an established connection, they pass; if not, they're dropped regardless of flags.

FTP passive: control to port 21, server returns a dynamic data port, a second data connection is admitted as RELATED.

* FTP passive mode and why stateful firewalls need RELATED tracking. *

TCP session lifecycle in the state table: SYN→SYN_SENT→ESTABLISHED→TIME_WAIT→removed.

* The TCP session lifecycle tracked in the state table. *

The connection table (state table):

| Src IP    | Src Port | Dst IP       | Dst Port | Proto | State        |
| 10.0.0.5  | 54321    | 203.0.113.5  | 443      | TCP   | ESTABLISHED  |
| 10.0.0.5  | 50000    | 203.0.113.5  | 21       | TCP   | ESTABLISHED  |
| 10.0.0.5  | --       | 203.0.113.5  | 20       | TCP   | RELATED (FTP)|

The third entry is interesting: the FW understood the FTP control channel and dynamically opened the data channel. This is deep protocol awareness — only stateful FWs can do this.

What stateful inspection fixes:

Old Problem How stateful FW solves it
TCP ACK without prior SYN Connection table has no matching entry → drop
TCP source port 20 spoofing (FTP data) FW knows real FTP control flow → only opens data channel for legitimate FTP sessions
FTP in general FW reads the FTP control protocol and dynamically allows the data port
Dynamic-port protocols (SIP, RPC, etc.) Same — FW understands the negotiation and opens the right port

Where it operates:

Stateful firewalls inspect traffic up to Layer 4 (TCP) — that's where session state (sequence numbers, flags, connection lifecycle) lives. Above that (Layer 5+/application) is the realm of ALGs.

The session lifecycle:

1. SYN seen      → state = SYN_SENT
2. SYN/ACK seen  → state = ESTABLISHED
3. data flows    → state = ESTABLISHED (timers reset)
4. FIN/RST seen  → state = TIME_WAIT, then removed
5. timeout       → state cleared

If a packet arrives without a matching state entry, it's dropped — regardless of how legitimate the flags look.

The capacity question:

Stateful FWs need RAM to hold the state table. Enterprise-grade FWs handle millions of concurrent connections; SOHO FWs might handle 10s of thousands. State table exhaustion is a known DoS attack vector — flood the FW with half-open connections until it can't track new ones.

Tip: Linux iptables/nftables, Windows Firewall, Cisco ASA, FortiGate, Palo Alto — every modern firewall is stateful. The "stateless packet filter" is now mostly historical or used in specific high-throughput edge cases.

Go deeper:

From Quiz: INTROL / Firewall Fundamentals | Updated: Jul 14, 2026