Firewalls provide traffic filtering and protect the trusted environment from the untrusted one. A firewall can be stateful or stateless.
A stateful firewall is capable of tracking connection states, so it is better equipped to allow or deny traffic based on that knowledge. A TCP connection, for example, goes through the handshake (SYN, SYN+ACK, ACK) to the ESTABLISHED state, and finally is CLOSED. A stateful firewall can detect these states. If a packet belongs to an already running flow it can be allowed, while a new connection from an untrusted host can be dropped.
Let's take a scenario to understand this better.
A client sitting behind a firewall connects to the web server www.example.com and receives a reply.
Let's see what configuration the stateful and the stateless firewall each need to make this communication work.
Stateful Firewall configuration:
# Generic rules to allow clients to connect to any webserver on the internet
- Allow traffic going out to port 80
- Allow traffic related to connections initiated by any internal client back to the same client
- Deny any other traffic coming in to the client
Stateless Firewall configuration:
- Allow traffic going out to port 80 on www.example.com
- Allow traffic coming from host www.example.com and port 80
- Deny any other traffic coming in to the client
From the above it is clear that the stateful firewall allows incoming traffic only if it is related to connections the client has started. Note also that this makes it possible to write generic rules for a stateful firewall.
A stateless firewall, on the other hand, has no knowledge of which connections the client has initiated; it depends purely on the attributes of the individual packet (source address, destination address, ports, etc.) to make the allow or deny decision.
Why do we need stateless Firewalls?
A stateful firewall needs to track each connection that passes through it. It must maintain the state of all active connections: new connections are added and expired connections are purged from the connection table maintained by the firewall. This requires a lot of resources (memory, CPU) on the firewall and as such is costly.
Another consideration is load balancing traffic across multiple firewalls. In the case of stateful firewalls, the connection state must be synchronized across all of them to provide a consistent view of active connections.
A stateless firewall, on the other hand, deals with a single packet at a time, so the resources needed by such a filtering process are much less.
When to use Stateless firewall?
A stateless firewall can be a faster and less resource-intensive alternative in the following cases:
- Server side firewall: if you are running a purely server application on well-known ports on a machine. In this case the firewall can be explicitly programmed to allow connections to and from the server port. As the server ports are known to the firewall and the server expects new connections anyway, stateless firewalls can handle this use case.
- Client side firewall: a client program which strictly connects to a small set of trusted (internal) hosts can be protected using a stateless firewall with specific rules.
A stateful firewall, on the other hand, should be used to protect client applications which connect to a large number of untrusted hosts (webservers on the internet, peer-to-peer traffic). The connection tracker on the stateful firewall will only allow incoming packets which are related to communications started by the internal clients. All new traffic trying to reach the client application will be dropped by the stateful firewall.
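To make the difference concrete, here is an added toy simulation (not code from the original article) of the www.example.com scenario above and of the connection-tracker behaviour described in this last paragraph. The IP addresses and ports are constructed sample values; the third packet shows the gap a stateless rule set leaves: any inbound packet claiming source port 80 on the trusted host is allowed, even though the client never opened that flow.

```python
# Added example: toy stateful vs stateless packet filters for the scenario above.
# Addresses and ports are constructed sample values, not real infrastructure.
from dataclasses import dataclass

CLIENT = "10.0.0.5"        # constructed: internal client behind the firewall
WEB = "93.184.216.34"      # constructed: stands in for www.example.com

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # simplified TCP flags: "SYN", "SYN+ACK", "ACK", "FIN"
    direction: str    # "out" (client -> internet) or "in" (internet -> client)

class StatefulFirewall:
    """Remembers flows the client opened; only replies to those are allowed."""
    def __init__(self):
        self.flows = set()   # (client_ip, client_port, server_ip, server_port)

    def filter(self, p: Packet) -> str:
        if p.direction == "out" and p.dport == 80:
            self.flows.add((p.src, p.sport, p.dst, p.dport))   # track outbound flow
            return "ALLOW"
        key = (p.dst, p.dport, p.src, p.sport)                 # reverse tuple
        if p.direction == "in" and key in self.flows:
            if p.flags == "FIN":
                self.flows.discard(key)                        # purge closed flow
            return "ALLOW"
        return "DENY"   # anything not related to a tracked flow

def stateless_filter(p: Packet) -> str:
    """Per-packet rules only: no memory of what the client initiated."""
    if p.direction == "out" and p.dst == WEB and p.dport == 80:
        return "ALLOW"
    if p.direction == "in" and p.src == WEB and p.sport == 80:
        return "ALLOW"
    return "DENY"

def run_scenario() -> dict:
    """Returns {packet_name: (stateful_verdict, stateless_verdict)}."""
    fw = StatefulFirewall()
    syn = Packet(CLIENT, 51000, WEB, 80, "SYN", "out")
    synack = Packet(WEB, 80, CLIENT, 51000, "SYN+ACK", "in")
    unsolicited = Packet(WEB, 80, CLIENT, 51001, "SYN", "in")  # no matching flow
    results = {}
    for name, p in (("syn", syn), ("synack", synack), ("unsolicited", unsolicited)):
        results[name] = (fw.filter(p), stateless_filter(p))
    return results
```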