What is stateful inspection, and how does keeping a connection table solve the problems of pure packet filters?
Stateful inspection = "packet filtering with a memory." The firewall maintains a connection table of every active session (source/dest IP, ports, sequence numbers). Incoming packets are matched against this table — if they're part of an established connection, they pass; if not, they're dropped regardless of flags.
* FTP passive mode and why stateful firewalls need RELATED tracking. *
* The TCP session lifecycle tracked in the state table. *
The connection table (state table):
| Src IP | Src Port | Dst IP | Dst Port | Proto | State |
| 10.0.0.5 | 54321 | 203.0.113.5 | 443 | TCP | ESTABLISHED |
| 10.0.0.5 | 50000 | 203.0.113.5 | 21 | TCP | ESTABLISHED |
| 10.0.0.5 | -- | 203.0.113.5 | 20 | TCP | RELATED (FTP)|
The third entry is interesting: the FW understood the FTP control channel and dynamically opened the data channel. This is deep protocol awareness — only stateful FWs can do this.
What stateful inspection fixes:
| Old Problem | How stateful FW solves it |
|---|---|
| TCP ACK without prior SYN | Connection table has no matching entry → drop |
| TCP source port 20 spoofing (FTP data) | FW knows real FTP control flow → only opens data channel for legitimate FTP sessions |
| FTP in general | FW reads the FTP control protocol and dynamically allows the data port |
| Dynamic-port protocols (SIP, RPC, etc.) | Same — FW understands the negotiation and opens the right port |
Where it operates:
Stateful firewalls inspect traffic up to Layer 4 (TCP) — that's where session state (sequence numbers, flags, connection lifecycle) lives. Above that (Layer 5+/application) is the realm of ALGs.
The session lifecycle:
1. SYN seen → state = SYN_SENT
2. SYN/ACK seen → state = ESTABLISHED
3. data flows → state = ESTABLISHED (timers reset)
4. FIN/RST seen → state = TIME_WAIT, then removed
5. timeout → state cleared
If a packet arrives without a matching state entry, it's dropped — regardless of how legitimate the flags look.
The capacity question:
Stateful FWs need RAM to hold the state table. Enterprise-grade FWs handle millions of concurrent connections; SOHO FWs might handle 10s of thousands. State table exhaustion is a known DoS attack vector — flood the FW with half-open connections until it can't track new ones.
Tip: Linux iptables/nftables, Windows Firewall, Cisco ASA, FortiGate, Palo Alto — every modern firewall is stateful. The "stateless packet filter" is now mostly historical or used in specific high-throughput edge cases.
Go deeper:
Stateful firewall — Wikipedia — explains the state table and how SYN/FIN tracking lets the firewall drop an entry without waiting for a timeout.