Firewalls: stateful vs. stateless

This post summarizes the differences between stateful and stateless firewalls.

Stateful filtering

A stateful firewall tracks the state of network connections and makes allow/deny decisions based on the context of those connections.

It does this by keeping the state information in a state table. Using that table, the firewall can allow inbound traffic that belongs to an outbound connection initiated from within the network; no explicit “allow rule” has to be configured to permit the traffic flowing from the destination back to the source. This is why stateful firewalls are called “context-aware”: they are designed to understand the context of a connection, where it is coming from, where it is going to, and who initiated it.

Imagine your application sending a request. When the destination sends the response back, the firewall reviews the state table and just goes: “Oh, I’ve got this! It’s coming from a destination that a client from my network initiated the connection with. No need to have the destination IP in the allow-list; we’re all good to go!”

The state table

The state table contains information such as:

  • Source IP address and port
  • Destination IP address and port
  • Connection status (e.g. established, new, related, or invalid)

Example state table from a pfSense firewall. The redacted part is the gateway’s public IPv4. It also provides a glimpse of a NAT process:

[Image: pfSense state table]

The firewall keeps blocking incoming traffic that was not initiated by an internal resource (i.e. traffic that matches no entry in the state table). Security Groups on the major cloud providers typically operate in a stateful manner.

Advantages of Stateful Filtering

  • It’s simple: No need to add an allow rule for the destination address if the connection originated from a client within the network.

Stateless Filtering

Stateless filtering examines individual packets without considering the context or state of the connection they belong to. It evaluates each packet (inbound and outbound) on its own against predetermined allow/deny rules, such as source and destination IP addresses, ports, and protocols.

Think of it like the customs kiosks at an international airport terminal. They check arrivals and departures of travelers separately. A traveler’s origin generally does not by itself decide whether they may enter or leave; all the kiosk knows is whether a passenger is permitted to enter or leave the country based on predefined rules.

Similarly, stateless firewalls evaluate each packet’s headers (source and destination IP, ports, and protocol type) in isolation. If a packet matches one of the preconfigured rules, it is allowed or denied according to that rule; a reply packet is no exception, so it needs its own inbound rule.

In AWS, Network Access Control Lists (NACLs) operate in a stateless manner.

Advantages of Stateless Filtering

  • Granular access control based on port, IP, protocol, and direction (ingress or egress).
  • Blocking specific hosts or destinations with explicit deny rules.
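To make the difference between the two sections above concrete, here is an added example (not from the original post) that simulates both filter types over constructed packets: the stateful filter admits the reply to an outbound HTTPS request because the flow is in its state table, while the stateless filter only passes the reply once an explicit inbound rule for the client's ephemeral port range exists, and that same rule also admits an unsolicited packet to that port. All packet fields, addresses and rules are constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    direction: str  # "out" leaves the network, "in" arrives from outside

class StatelessFilter:
    """Judges every packet on its own headers against explicit rules."""
    def __init__(self, rules):
        self.rules = rules  # (direction, (low_port, high_port), action) tuples
    def decide(self, pkt):
        for direction, (lo, hi), action in self.rules:
            if pkt.direction == direction and lo <= pkt.dst_port <= hi:
                return action
        return "deny"  # default deny when no rule matches

class StatefulFilter:
    """Records outbound connections in a state table and lets their replies back in."""
    def __init__(self, allowed_out_ports):
        self.allowed_out_ports = allowed_out_ports
        self.state = {}  # state table: 5-tuple of the outbound flow -> status
    def decide(self, pkt):
        if pkt.direction == "out":
            if pkt.dst_port not in self.allowed_out_ports:
                return "deny"
            self.state[(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = "established"
            return "allow"
        # inbound: allowed only if it is the reverse of a tracked flow (no inbound rule needed)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        return "allow" if reverse in self.state else "deny"

def demo():
    # constructed packets: a client's HTTPS request, its reply, and an unsolicited inbound packet
    request = Packet("10.0.0.5", 51234, "203.0.113.10", 443, "tcp", "out")
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 51234, "tcp", "in")
    unsolicited = Packet("198.51.100.7", 443, "10.0.0.5", 51234, "tcp", "in")
    stateful = StatefulFilter(allowed_out_ports={443})
    stateless = StatelessFilter([("out", (443, 443), "allow")])  # outbound rule only
    results = {"stateful": [stateful.decide(p) for p in (request, reply, unsolicited)],
               "stateless": [stateless.decide(p) for p in (request, reply, unsolicited)]}
    # the stateless filter needs an explicit inbound rule for the client's ephemeral ports,
    # and that rule cannot tell the genuine reply apart from the unsolicited packet
    stateless.rules.append(("in", (1024, 65535), "allow"))
    results["stateless_with_return_rule"] = [stateless.decide(p) for p in (reply, unsolicited)]
    return results
```

The lists hold the decisions in packet order (request, reply, unsolicited); the stateful filter returns allow/allow/deny while the stateless one returns allow/deny/deny until the return rule is added, after which it allows both inbound packets.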

Scope of implementation

The fundamental concepts of stateful and stateless firewalls are the same across firewall appliance manufacturers and cloud providers. However, the way stateless and stateful filtering is implemented (i.e. how each product does it) can vary.

For example, in AWS, stateful filtering is implemented with Security Groups, which operate at the instance level, while stateless filtering is provided by Network ACLs (Access Control Lists, NACLs), which operate at the subnet level.