Stateless firewalls filter each packet in isolation, based on static source and destination information. In contrast, stateful firewalls track the state of network connections and traffic flows and allow or restrict traffic based on whether its connection state is known and authorized. For example, when an initiating flow is allowed in one direction, the responding flow is automatically and implicitly allowed in the return direction.
The firewall always attempts stateful matching first, even when no sessions exist and no stateful rules are configured. Once a stateful rule exists on an interface, the implicit (no-rule) behavior of that interface changes: a stateful rule in one direction causes the other direction, if it has no rules of its own, to drop packets that do not match a session.
Stateful matching proceeds in the following order:
- The system first determines whether the packet matches an existing session, such as one created by a stateful rule.
- For ICMP error messages, the embedded packet (the one that triggered the error) is checked against the session table. If no session matches, a rule-based match is attempted.
- If the packet matches a session created by a stateful firewall rule (an accept rule), it is allowed to pass.
- If the packet matches a session created by NAT and is flowing in the backward direction, it is allowed to pass. The only way to block backward-direction NAT packets is to block the forward-direction packet with a firewall rule.
- If the packet matches a session created by an ALG (for example a child session such as an FTP data flow), it is allowed to pass. The only way to block such ALG child flows is to block the parent flow.
- When a stateful firewall rule is evaluated and its action is accept, a session is created from the IP addresses, the protocol, and the ports (for supported protocols that use ports).
To improve the efficiency of firewall handling, subsequent packets that match the session are accepted without re-running the checks in the firewall rule.
For every packet after the initial one, the checks associated with the following per-rule configuration are therefore not performed:
- dscp <DSCP-value>
- pcp <PCP-value>
- tcp flags <TCP-flags-to-match>
In practice this means that these match criteria constrain only the packet that opens the flow; they do not enforce a per-packet policy on an established session. A rule that accepts only SYN packets, for example, still passes every later packet of that connection whatever flags or DSCP marking it carries, because those packets are admitted by the session lookup before the rule is ever consulted.
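The following Python model is an added example, not code from the product or its documentation, that plays through the matching order described above on constructed packets: session lookup first (including the embedded packet of an ICMP error), then rule evaluation, then the implicit behavior when no rule matches. The packet, rule and session structures, the `Firewall.process` return strings, and the default-deny assumption for a ruleset that matches nothing are illustrative choices made here, not the product's own data model.

```python
"""Toy model of stateful firewall matching order (constructed example, not product code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

Key = Tuple[str, str, str, int, int]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", or "icmp-error" (constructed labels)
    sport: int = 0
    dport: int = 0
    dscp: int = 0
    tcp_flags: FrozenSet[str] = frozenset()
    inner: Optional["Packet"] = None   # for ICMP errors: the packet that triggered the error

    def key(self) -> Key:
        return (self.src, self.dst, self.proto, self.sport, self.dport)

    def reverse_key(self) -> Key:
        return (self.dst, self.src, self.proto, self.dport, self.sport)


@dataclass
class Rule:
    action: str                     # "accept" or "drop"
    stateful: bool = False          # a stateful accept rule creates a session
    dport: Optional[int] = None
    dscp: Optional[int] = None
    tcp_flags: Optional[FrozenSet[str]] = None

    def matches(self, p: Packet) -> bool:
        # Only packets that reach rule evaluation (the first packet of a flow) see these checks.
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.dscp is not None and p.dscp != self.dscp:
            return False
        if self.tcp_flags is not None and (p.proto != "tcp" or p.tcp_flags != self.tcp_flags):
            return False
        return True


class Firewall:
    def __init__(self) -> None:
        self.rules: Dict[str, List[Rule]] = {"in": [], "out": []}
        self.sessions: Dict[Key, str] = {}   # 5-tuple -> creator ("rule", "nat", "alg")

    def add_session(self, p: Packet, origin: str) -> None:
        # Both directions of a flow resolve to the same session.
        self.sessions[p.key()] = origin
        self.sessions[p.reverse_key()] = origin

    def process(self, p: Packet, direction: str) -> str:
        # 1. Session match: rule-, NAT- or ALG-created sessions all pass here.
        origin = self.sessions.get(p.key())
        # 2. ICMP error: match the embedded (triggering) packet against the session table.
        if origin is None and p.proto == "icmp-error" and p.inner is not None:
            origin = self.sessions.get(p.inner.key())
        if origin is not None:
            return f"accept:session:{origin}"
        # 3. No session: evaluate this direction's rules; a stateful accept creates a session.
        for r in self.rules[direction]:
            if r.matches(p):
                if r.action == "accept" and r.stateful:
                    self.add_session(p, "rule")
                return f"{r.action}:rule"
        # 4. Implicit behavior. Assumption: a ruleset that matches nothing drops (default deny).
        if self.rules[direction]:
            return "drop:no-rule-matched"
        other = "in" if direction == "out" else "out"
        if any(r.stateful for r in self.rules[other]):
            return "drop:stateful-other-direction"
        return "accept:no-rules"


def demo() -> Dict[str, str]:
    """Constructed traffic: outbound stateful accept for TCP/443 on a DSCP-46 SYN only."""
    fw = Firewall()
    fw.rules["out"].append(Rule("accept", stateful=True, dport=443, dscp=46,
                                tcp_flags=frozenset({"SYN"})))
    syn = Packet("10.0.0.5", "203.0.113.9", "tcp", 40000, 443, dscp=46, tcp_flags=frozenset({"SYN"}))
    synack = Packet("203.0.113.9", "10.0.0.5", "tcp", 443, 40000, tcp_flags=frozenset({"SYN", "ACK"}))
    ack_remarked = Packet("10.0.0.5", "203.0.113.9", "tcp", 40000, 443, dscp=8, tcp_flags=frozenset({"ACK"}))
    bad_first = Packet("10.0.0.5", "203.0.113.9", "tcp", 40001, 443, dscp=46, tcp_flags=frozenset({"ACK"}))
    unsolicited = Packet("198.51.100.7", "10.0.0.5", "tcp", 5555, 22, tcp_flags=frozenset({"SYN"}))
    icmp_err = Packet("192.0.2.1", "10.0.0.5", "icmp-error", inner=syn)
    r: Dict[str, str] = {}
    r["syn"] = fw.process(syn, "out")                 # rule match, session created
    r["synack"] = fw.process(synack, "in")            # return direction via session
    r["ack_remarked"] = fw.process(ack_remarked, "out")  # dscp/flags checks skipped
    r["bad_first"] = fw.process(bad_first, "out")     # new flow, flags check applies
    r["unsolicited"] = fw.process(unsolicited, "in")  # no session, stateful rule outbound
    r["icmp_error"] = fw.process(icmp_err, "in")      # embedded packet matches session
    fw.add_session(Packet("10.0.0.6", "203.0.113.50", "udp", 5353, 53), "nat")  # NAT-created
    r["nat_backward"] = fw.process(Packet("203.0.113.50", "10.0.0.6", "udp", 53, 5353), "in")
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {verdict}")
```

The `ack_remarked` and `bad_first` cases are the pair worth noting: the same DSCP and flags that the rule rejects on a new flow are ignored on an established one, because the session lookup in step 1 returns before the rule is reached.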