Firewalls (Stateless vs Stateful) Explained
A firewall enforces rules about which traffic is allowed in or out. The rules can be as simple as “allow port 443, block everything else” or as complex as “block any HTTP request containing SQL injection patterns from anywhere except this list of countries.” There are several distinct firewall categories — knowing them helps you pick the right one.
Stateless firewall (packet filter)
Examines each packet in isolation. Decides solely on packet headers: source/destination IP, port, protocol, and (for TCP) the flag bits. It has no memory of previous packets, so it cannot know whether a packet belongs to a conversation it already allowed.
Rule: allow tcp dport 22 from 192.168.0.0/16
→ Each incoming SSH packet from 192.168.x.x is allowed
→ Each outgoing reply must also match a rule
→ Doesn't know that two packets are part of the same conversation
Pros
- Fast — no state to maintain
- Predictable — each packet decided independently
- Good for simple rules at high speed
Cons
- Can’t distinguish reply traffic from new connections. The usual workaround, "accept any TCP packet with the ACK bit set", also admits forged ACK packets that were never part of a connection (this is what an ACK scan sends)
- You have to allow the ephemeral port range in both directions for any outbound connection to work (on a default Linux host that means inbound to 32768-60999)
- Can’t see connection-level anomalies: a packet whose flags make no sense for the current stage of a handshake, or a flood of half-open connections from one source, looks like any other packet
Stateful firewall (connection tracking)
Tracks the state of every connection. When a packet arrives, the firewall checks: is this part of an existing connection? Is this a valid new connection?
Rule: allow tcp dport 443 from any
allow established,related
→ First incoming SYN to port 443 is allowed (matches the dport rule) and creates an entry in the connection table
→ Server sends SYN-ACK back: allowed because it belongs to that tracked connection
→ Every later packet in the conversation matches established,related, which sits first in the rule list, so the per-service rules are only evaluated for the first packet of each connection
Pros
- Simpler rules — you don’t have to think about return traffic
- Better security — a packet that neither belongs to a tracked connection nor is a valid start of a new one (a stray ACK, a SYN-ACK nobody asked for) falls through to the drop policy
- Can do connection-aware features (concurrent connection limits, idle timeouts)
Cons
- Memory cost — each tracked connection holds an entry in the connection table (a few hundred bytes on Linux), and the table has a hard cap (nf_conntrack_max); when it fills, new connections are dropped and the kernel logs "nf_conntrack: table full, dropping packet"
- Failover is harder — the backup firewall doesn’t have the connection table, so existing sessions are cut when it takes over unless state is replicated (conntrackd on Linux)
- Asymmetric routing breaks state tracking — if the SYN leaves through one firewall and the SYN-ACK returns through another, the second one sees a reply to a connection it never recorded and drops it
Almost every modern firewall is stateful: iptables/nftables on Linux (through conntrack, which is loaded as soon as a rule references connection state), pf on the BSDs, every commercial appliance, and every home router.
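To make the difference concrete, here is an added example (not code from the original page) that runs one constructed packet trace through a stateless rule list and through a toy connection-tracking filter side by side. The Packet type, the rule format, the trace and the addresses (RFC 5737 documentation ranges) are invented for illustration; only TCP is modelled, and the stateful side is a deliberately simplified version of what conntrack does.

```python
"""Stateless vs stateful filtering, simulated on a constructed packet trace.

Added example, not code from the original page. The Packet type, the rule
format and the trace are invented for illustration; only TCP is modelled and
addresses use RFC 5737 documentation ranges.
"""
from dataclasses import dataclass

HOST = "10.0.0.5"                 # the protected server behind the firewall
EPHEMERAL = range(32768, 61000)   # Linux default ip_local_port_range


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S"=SYN, "SA"=SYN-ACK, "A"=ACK, "PA"=data, "R"=RST


# Stateless rules: (direction, dports or None, ack_required, verdict), first match wins.
# With no connection table, reply traffic can only be recognised as "ACK bit set and
# destination in the ephemeral range", and that is exactly what an ACK scan abuses.
STATELESS_RULES = [
    ("in",  {443},     False, "accept"),  # new HTTPS connections to HOST
    ("out", None,      False, "accept"),  # HOST may send anything (replies and new connections)
    ("in",  EPHEMERAL, True,  "accept"),  # "return traffic": ACK set, ephemeral dport
]


def stateless_decide(pkt, direction, rules=STATELESS_RULES):
    """Decide on one packet from its headers alone; default deny."""
    for rdir, dports, ack_required, verdict in rules:
        if rdir != direction:
            continue
        if dports is not None and pkt.dport not in dports:
            continue
        if ack_required and "A" not in pkt.flags:
            continue
        return verdict
    return "drop"


class StatefulFilter:
    """Connection-tracking filter: the first packet of a flow is checked against
    policy; later packets are accepted because the flow is in the table."""

    def __init__(self, allowed_in_ports):
        self.allowed_in_ports = set(allowed_in_ports)
        self.table = {}  # (src, sport, dst, dport) of the initiating SYN -> state

    def decide(self, pkt, direction):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is not None:                      # ESTABLISHED
            if "R" in pkt.flags:
                del self.table[key]              # RST tears the flow down
            elif pkt.flags == "SA":
                self.table[key] = "ESTABLISHED"
            return "accept"
        if pkt.flags != "S":                     # INVALID: no flow and not a SYN
            return "drop"
        if direction == "out" or pkt.dport in self.allowed_in_ports:
            self.table[fwd] = "SYN_SENT"         # NEW, permitted by policy
            return "accept"
        return "drop"                            # NEW, not permitted


def run_trace(trace):
    """Return [(description, stateless_verdict, stateful_verdict), ...]."""
    sf = StatefulFilter(allowed_in_ports={443})
    return [(desc, stateless_decide(p, d), sf.decide(p, d)) for desc, d, p in trace]


# Constructed trace: an inbound HTTPS handshake, an outbound connection from HOST,
# and an attacker's ACK probe at an ephemeral port with no connection behind it.
TRACE = [
    ("client SYN to 443",       "in",  Packet("198.51.100.10", 51000, HOST, 443, "S")),
    ("HOST SYN-ACK",            "out", Packet(HOST, 443, "198.51.100.10", 51000, "SA")),
    ("client ACK",              "in",  Packet("198.51.100.10", 51000, HOST, 443, "A")),
    ("HOST SYN to remote 443",  "out", Packet(HOST, 45000, "198.51.100.20", 443, "S")),
    ("remote SYN-ACK",          "in",  Packet("198.51.100.20", 443, HOST, 45000, "SA")),
    ("attacker ACK probe",      "in",  Packet("203.0.113.7", 40000, HOST, 45001, "A")),
    ("attacker SYN to 45001",   "in",  Packet("203.0.113.7", 40000, HOST, 45001, "S")),
]

if __name__ == "__main__":
    for desc, sl, st in run_trace(TRACE):
        print(f"{desc:26} stateless={sl:6} stateful={st}")
```

The row to look at is the attacker's ACK probe. The stateless list has to accept ACK-flagged packets to ephemeral ports so that replies to HOST's own outbound connections get in, and that same rule lets a forged ACK through to a port nobody asked for; the host answers with a RST, which is how an ACK scan confirms a live host behind a packet filter. The stateful filter drops it because no tracked connection exists and a bare ACK is not a valid start of one. A bare SYN to the same port is dropped by both, since that is an ordinary new connection to a port the policy does not allow.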
Application-layer (Layer 7) firewall
Inspects the content of packets, not just headers. Can match on URLs, HTTP headers, SQL queries, file types.
- Web Application Firewall (WAF) — sits in front of web apps and matches requests against signatures for SQL injection, XSS, file upload abuse. Cloudflare WAF, AWS WAF, ModSecurity. It is pattern matching, so it reduces exposure rather than fixing the underlying bug, and it has to see the request the way the application will (percent-decoded, normalised) or encoded variants of the same payload slip past it.
- DPI (Deep Packet Inspection) — looks at packet payloads. Used by enterprises to enforce content policies, by ISPs for traffic shaping. TLS defeats payload inspection unless the firewall terminates the connection itself, which needs a CA the clients trust.
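The normalisation point is easiest to see in code. The following added example (not code from the original page, and not how ModSecurity or any vendor's WAF is implemented) matches a toy signature set against constructed query strings twice: once against the raw string as received, once after decoding it the way the application will. The signatures, request samples and function names are invented for illustration.

```python
"""Layer 7 inspection of HTTP query strings: a naive signature match beside one that
normalises the request first.

Added example, not code from the original page and not any vendor's WAF logic.
The signatures, request samples and helper names are invented for illustration.
"""
import re
from urllib.parse import unquote_plus

# Toy signature set: patterns a WAF might run over the query string.
SIGNATURES = [
    ("sqli-union",     re.compile(r"union\s+(all\s+)?select", re.I)),
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("xss-script",     re.compile(r"<script\b", re.I)),
]


def naive_inspect(raw_query):
    """Match signatures against the query string exactly as it arrived."""
    return [name for name, rx in SIGNATURES if rx.search(raw_query)]


def normalise(raw_query):
    """Undo what the request goes through before the application sees it:
    percent-decoding (repeated, to catch double encoding), '+' to space,
    and SQL comment stripping ('/**/' is whitespace to the database)."""
    s = raw_query
    for _ in range(3):                 # bounded: decode until the string is stable
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/\*.*?\*/", " ", s)   # inline comments become whitespace
    s = re.sub(r"\s+", " ", s)
    return s


def normalised_inspect(raw_query):
    """Match signatures against the decoded form the application will act on."""
    return [name for name, rx in SIGNATURES if rx.search(normalise(raw_query))]


# Constructed requests: one benign, one plain attack, and encoded variants of the
# same payloads that the application decodes but the naive matcher never sees.
REQUESTS = {
    "benign":             "q=union+station",
    "plain":              "id=1 UNION SELECT username,password FROM users",
    "url-encoded":        "id=1%20UNION%20SELECT%20username%2Cpassword%20FROM%20users",
    "double-encoded":     "id=1%2520UNION%2520SELECT%2520username%252Cpassword",
    "comment-split":      "id=1/**/UNION/**/SELECT/**/1,2,3",
    "xss-encoded":        "name=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "tautology-encoded":  "user=admin'%20or%20'1'%3D'1",
}


def compare(requests=REQUESTS):
    """Return {name: (naive_hits, normalised_hits)} for each sample request."""
    return {name: (naive_inspect(q), normalised_inspect(q)) for name, q in requests.items()}


if __name__ == "__main__":
    for name, (naive, norm) in compare().items():
        print(f"{name:18} naive={naive or '-'}  normalised={norm or '-'}")
```

Every encoded variant reaches the database as the same UNION SELECT, yet the raw-string matcher flags only the plain one. Two caveats follow from this: the normalisation has to mirror what the backend actually does (a backend that decodes one more time, or treats a different byte as whitespace, leaves a gap), and the benign "union station" query shows why the patterns are anchored on "union ... select" rather than the bare keyword. A WAF is a layer in front of parameterised queries and output encoding, not a replacement for them.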
Next-Generation Firewall (NGFW)
Marketing term for firewalls that combine stateful filtering + Layer 7 inspection + IDS/IPS + sometimes anti-malware. Examples: Palo Alto, Fortinet, Cisco Firepower. Very expensive, very capable.
Linux firewalling
nftables (modern)
# Tracked and loopback traffic go first, then the per-service rules. Put the same rules in a file
# and load it with nft -f so the ruleset is applied atomically rather than one rule at a time over SSH.
sudo nft add table inet myfilter
sudo nft add chain inet myfilter input '{ type filter hook input priority 0; policy drop; }'
sudo nft add rule inet myfilter input ct state established,related accept
sudo nft add rule inet myfilter input ct state invalid drop
sudo nft add rule inet myfilter input iif lo accept
sudo nft add rule inet myfilter input meta l4proto '{ icmp, ipv6-icmp }' accept   # ping, PMTU, IPv6 neighbour discovery
sudo nft add rule inet myfilter input tcp dport ssh accept
sudo nft add rule inet myfilter input tcp dport '{ http, https }' accept
sudo nft list ruleset   # confirm what is actually loaded
iptables (legacy but still common; IPv4 only, IPv6 needs the same rules in ip6tables)
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT   # -m state --state is the older spelling of the same match
sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -p icmp -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -P INPUT DROP   # set the policy last, once the accept rules are in place
sudo iptables -L INPUT -n -v   # confirm rules, counters and policy
ufw (simple wrapper around iptables/nftables; deny incoming and allow outgoing are its defaults)
sudo ufw default deny incoming
sudo ufw allow ssh   # service names come from /etc/services
sudo ufw allow https
sudo ufw enable
sudo ufw status verbose
Where firewalls live
- Edge / perimeter — between your network and the internet
- Inside the network — between VLANs, between dev and prod
- Host-based — on each server or laptop (ufw, Windows Firewall)
- Cloud — security groups (AWS), firewall rules (GCP), NSGs (Azure). Note that AWS security groups are stateful while AWS network ACLs are stateless, so an ACL needs the ephemeral-port return rules described above and a security group does not.
Default deny vs default allow
Best practice: default DROP all incoming, explicitly ALLOW only what you need. This is “default deny.” The reverse, default allow and block known bad, is unworkable because the unknown bad outnumbers the known. Apply the same thinking to outbound traffic where you can: a server that can only reach the hosts it needs is far less useful to an attacker after compromise.
What to learn next
Load balancers — splitting traffic across many servers, at L4 or L7. Up next.