Stateless vs Stateful Firewalls
- Introduction
- Firewalls control how traffic enters or leaves a network.
- They inspect packets and decide to allow or block them based on rules.
- There are two core types of firewalls — stateless and stateful.
- Knowing the difference is key to understanding how filtering works in both simple and complex environments.
Firewall Type | Tracks Sessions? | Decision Based On | Memory Use | Common Context
--- | --- | --- | --- | ---
Stateless | No | Individual packets only | Low | Simple filters, edge defense
Stateful | Yes | Entire connection flow | Moderate–High | Trusted traffic, session-aware defense
How Stateless Firewalls Work
Description | Evaluates each packet separately without knowing what came before or after.
What it checks | IP, port, protocol — matches packet against static rule list.
Memory usage | Very low. It doesn't keep track of connections.
Speed | Very fast, ideal for high traffic volumes.
Weakness | Cannot detect patterns, handshakes, or unusual sequences.
- Example
A stateless firewall rule:
DROP all UDP traffic to port 69
Every incoming packet to port 69 will be dropped, even if part of a legitimate conversation.
- Common Use Cases
- Perimeter routers
- DDoS filtering
- High-speed packet filtering without session logic
How Stateful Firewalls Work
Description | Monitors full connection state — tracks open sessions and packet flow over time.
What it tracks | TCP flags (SYN, ACK, FIN), port pairs, and session durations.
Memory usage | Medium to high, depending on connection count.
Decision-making | Can dynamically allow responses to approved outgoing connections.
Strength | Detects abnormal connection behavior, spoofing, and protocol misuse.
- Example
A client initiates a TCP request to a web server:
The stateful firewall notes the outbound SYN, and when the SYN-ACK returns, it’s allowed even without an explicit inbound rule.
- Common Use Cases
- Internal corporate firewalls
- VPN gateways
- Systems that need to analyze or log full connection behavior
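To make the two examples above concrete (the stateless "DROP all UDP traffic to port 69" rule and the stateful firewall that lets a SYN-ACK back in because it saw the outbound SYN), here is an added simulation that is not part of the original page. It constructs a toy packet format, a first-match rule list and a minimal connection table; the packet sequence, addresses and the hypothetical `StatelessFilter` and `StatefulFilter` classes are all constructed for the example. It also shows the rule-complexity and spoofing-resistance rows of the comparison below: the stateless filter needs an extra "replies from source port 80" rule to let the handshake complete, and that same rule accepts any packet that merely looks like a reply, whereas the stateful filter accepts replies only for flows it watched start and forgets a flow once it is closed.

```python
"""Toy stateless vs stateful packet filters (constructed example, not the page's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


# A rule is (action, proto, sport, dport); "*" is a wildcard. First match wins.
def rule_matches(rule, pkt):
    _, proto, sport, dport = rule
    return all(want == "*" or want == have
               for want, have in ((proto, pkt.proto), (sport, pkt.sport), (dport, pkt.dport)))


class StatelessFilter:
    """Judges every packet on its own: no memory of earlier packets."""

    def __init__(self, rules, default="DROP"):
        self.rules, self.default = rules, default

    def decide(self, pkt):
        for rule in self.rules:
            if rule_matches(rule, pkt):
                return rule[0]
        return self.default


class StatefulFilter:
    """Same rule list, plus a connection table keyed by the initiating side's 5-tuple."""

    def __init__(self, rules, default="DROP"):
        self.rules, self.default = rules, default
        self.table = {}  # (proto, src, sport, dst, dport) -> "SYN_SENT" | "ESTABLISHED" | "UDP"

    def decide(self, pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if rev in self.table:                      # a reply to a flow we saw start
            state = self.table[rev]
            if pkt.proto == "udp":
                return "ACCEPT"
            if state == "SYN_SENT" and pkt.flags == {"SYN", "ACK"}:
                self.table[rev] = "ESTABLISHED"
                return "ACCEPT"
            if state == "ESTABLISHED" and "SYN" not in pkt.flags:
                if pkt.flags & {"FIN", "RST"}:
                    del self.table[rev]            # toy simplification: forget the flow on first FIN/RST
                return "ACCEPT"
            return "DROP"                          # flags do not fit the tracked state
        if fwd in self.table:                      # more packets from the initiator
            if pkt.flags & {"FIN", "RST"}:
                del self.table[fwd]
            return "ACCEPT"
        for rule in self.rules:                    # brand-new flow: consult the rules
            if rule_matches(rule, pkt):
                if rule[0] == "ACCEPT":
                    if pkt.proto == "tcp" and pkt.flags != {"SYN"}:
                        return "DROP"              # a new TCP flow must start with a bare SYN
                    self.table[fwd] = "SYN_SENT" if pkt.proto == "tcp" else "UDP"
                return rule[0]
        return self.default


# Constructed traffic: client 10.0.0.5 opens an HTTP session to 93.184.216.34, a UDP
# packet to port 69 arrives, an unsolicited SYN-ACK arrives, then the server closes.
S, SA, A, FA = (frozenset({"SYN"}), frozenset({"SYN", "ACK"}),
                frozenset({"ACK"}), frozenset({"FIN", "ACK"}))
TRAFFIC = [
    ("syn_out",            Packet("tcp", "10.0.0.5", 40000, "93.184.216.34", 80, S)),
    ("synack_in",          Packet("tcp", "93.184.216.34", 80, "10.0.0.5", 40000, SA)),
    ("ack_out",            Packet("tcp", "10.0.0.5", 40000, "93.184.216.34", 80, A)),
    ("tftp_in",            Packet("udp", "198.51.100.7", 53000, "10.0.0.5", 69)),
    ("unsolicited_synack", Packet("tcp", "203.0.113.9", 80, "10.0.0.5", 40001, SA)),
    ("fin_in",             Packet("tcp", "93.184.216.34", 80, "10.0.0.5", 40000, FA)),
    ("after_close_in",     Packet("tcp", "93.184.216.34", 80, "10.0.0.5", 40000, A)),
]

BASE_RULES = [
    ("DROP", "udp", "*", 69),    # the page's example: drop all UDP traffic to port 69
    ("ACCEPT", "tcp", "*", 80),  # let hosts open HTTP connections
]
# A stateless filter can only let replies back in with a second, direction-specific rule.
STATELESS_RULES = BASE_RULES + [("ACCEPT", "tcp", 80, "*")]


def run_scenario():
    """Feed the same packet sequence through both filters; return decisions by packet name."""
    filters = {"stateless": StatelessFilter(STATELESS_RULES),
               "stateful": StatefulFilter(BASE_RULES)}
    return {name: {label: f.decide(pkt) for label, pkt in TRAFFIC} for name, f in filters.items()}


if __name__ == "__main__":
    results = run_scenario()
    for label, _ in TRAFFIC:
        print(f"{label:20} stateless={results['stateless'][label]:7} stateful={results['stateful'][label]}")
```

Running it, both filters drop the port-69 datagram and both let the handshake through, but for different reasons: the stateless filter needs the extra reply rule, while the stateful filter matches the SYN-ACK against its SYN_SENT entry. The unsolicited SYN-ACK and the packet sent after the FIN are accepted by the stateless filter (they satisfy the reply rule) and dropped by the stateful one (no tracked flow fits them), which is exactly the context-awareness the comparison tables describe.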
Feature | Stateless Firewall | Stateful Firewall
--- | --- | ---
Tracks connection state | No | Yes
Handles TCP handshakes | No | Yes
Allows reverse traffic | Only if rule exists | Yes, if part of valid connection
Performance | Very fast | Slightly slower
Memory use | Minimal | Higher (stores session data)
Rule complexity | High — every direction must be defined | Lower — one rule can allow full flow
Resistance to spoofing | Low | Higher (context-aware)
Preferred for | Simple, high-speed environments | Secure, connection-aware filtering
- How they react
- Stateless: Drops packets based solely on rule match — ignores sequence or context.
- Stateful: Allows or denies based on connection history and current state.
- What to look for
- Silent packet drops from stateless firewalls may indicate rule-only filtering.
- Stateful firewalls often allow returning traffic **only** if it saw the outgoing request.
Operational Considerations
Criteria | Stateless | Stateful
--- | --- | ---
Suitable for DDoS mitigation | ✔️ | ⚠️ Can be overwhelmed
Connection inspection | ❌ | ✔️
Application awareness | ❌ | Partial (via session context)
Works well with UDP | Only with exact rules | Requires explicit rule or tracking logic
Easier to configure | ❌ (requires precise rules) | ✔️ (tracks flow automatically)
- Use stateless firewalls when:
* Simplicity and speed are more important than intelligence.
* Filtering is based on known, fixed patterns (e.g., block all from X IP).
- Use stateful firewalls when:
* You need to follow traffic flows and confirm full handshakes.
* You're securing internal networks or inspecting complex sessions.
See also: TCP/IP Stack, Packet Filtering, UDP Protocol, ICMP Protocol, Firewall Evasion Techniques