What is a stateful firewall in McAfee?
This means that the firewall can be configured to not accept any traffic until the process (or processes) specified is ready. Once it's ready, the firewall accepts all of the traffic for a limited period of time.
The firewall is only stateful when it's accepting traffic. When the firewall is passive, it will only block incoming connections if there are no open connections to accept.
See the screenshot below. A stateful firewall (as defined in the documentation) is one that maintains a connection table in memory. This allows it to determine whether incoming packets should be accepted based on the states of existing connections.
To be specific, a stateful firewall will check a packet against all connections to see if they match. If there is a match, the firewall will accept the packet, and it will mark the connection as "open."
If there is no match, the firewall will drop the packet. That's it. That's the difference between stateful and non-stateful firewalls.
How to stop a stateful firewall?
I have a requirement to stop the stateful firewall on a server and I'm not sure how to do this. I tried to look at the documentation but it's a bit confusing. Here's the scenario.
I have an application that allows users to create accounts. The user logs in to the application, and the login server creates an account on the database. Then the application needs to be able to access the database.
However, the user is already logged in when the application starts. I want to be able to access the database after the user has already logged in.
I can do this using a stateful firewall. The application sends a request to the firewall to start the session. Then the firewall creates the connection to the database and opens it for the user to access the database. When the user is done accessing the database, the firewall closes the connection.
But how do I stop the stateful firewall? If the user logs out of the application, I want the firewall to close the connection to the database. How do I achieve this?
You could use a stateless firewall in this scenario. It does not store any state per connection. So, when the user logs in, you would start a new connection. If the user logs out, you would end the connection. You cannot use stateful firewalls in this case because they require state to store the connection.
Or, you could use a connection-oriented stateful firewall. If you do not use it for connection tracking, it will not store any state information about the connections. So, when the user logs in, the firewall creates a new connection for you. When the user logs out, the firewall closes the connection.
There is no way to "stop" a stateful firewall, if you are talking about that type of firewall. A stateful firewall stores state information for each connection it opens. The only thing you can do is close the connection, or close the stateful firewall.
Is a stateful firewall safe?
I'm pretty new to the firewall game, and I really want to make my firewall stateful.
A stateful firewall seems like a good way to make sure that incoming connections can't change or be routed to any other place than where they are headed. There are a few reasons I think it's a good idea. First, it saves on server resources since state is saved for longer periods of time (like when a packet goes through a firewall). Second, my understanding of a stateful firewall is that incoming connections get stored in a buffer (like how a proxy buffer stores some connections), and then the buffer is discarded after a set time to make room for more incoming connections (like how proxies discard cached connections). If this is true, then it seems like saving server resources is an easy argument for saving on server resources, and discarding older packets would also let me have better quality because the incoming connections wouldn't be so crowded. Am I missing something?
You have most likely heard about IP address learning (IPv4 or IPv6), where the routing table entries (in particular) contain the previous destination(s) of the outgoing packets. Thus, a stateful firewall can learn which IP address(es) a client or server on your local network has assigned to itself and thus prevent you from connecting an attacker's computer. This is of course only if you decide to keep track of that information within the firewall itself. In practice, most firewalls will not learn anything - they will simply drop the packet as soon as a valid route to the destination is found, and do not add the original source or destination IP address anywhere.
What is meant by stateful firewall?
How many states can the firewall have?
Can it be configured?
If you think of a firewall as a program that inspects packets at the wire (or more specifically, examines the IP headers on packets) and then makes a decision about whether or not to allow the packet to pass, then the firewall is stateful. If you think of a firewall as a program that inspects packets at the wire (or more specifically, examines the IP headers on packets) and then allows the packet to pass, without modifying the state of the packet in any way (not allowing the packet to be resent, for example), then the firewall is stateless. The difference is whether or not the firewall is able to examine all packets and make a decision on each packet individually, based on its own rules. Stateless firewalls can't do this. Stateful firewalls can.
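Added worked example (not from any of the answers above, and not McAfee's code): a small simulation of the connection table described in the first answer ("check a packet against all connections to see if they match"), run side by side with a stateless filter that judges each packet on its headers alone, which is the distinction this last answer is reaching for. The rules, addresses and packet sequence are constructed for illustration. The stateful filter tracks two states per entry, NEW (after an accepted SYN) and ESTABLISHED (after the first reply), removes the entry when it sees FIN or RST, and expires idle entries, which is also how the "close the connection when the user logs out" case from the second question is normally handled: the entry goes away when the connection is torn down, not by "stopping" the firewall.

```python
"""Stateless vs stateful packet filtering, simulated.

Constructed example: rules, addresses and packets are made up for illustration.
"""
from dataclasses import dataclass

LAN_PREFIX = "10.0.0."          # assumed inside network; "out" = leaving it


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"}, {"FIN", "ACK"}
    t: float = 0.0                   # arrival time, seconds

    def flow(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_flow(self):
        return (self.proto, self.dst, self.dport, self.src, self.sport)


def direction(pkt):
    return "out" if pkt.src.startswith(LAN_PREFIX) else "in"


# Rule = (direction, destination port or None for any, action). First match wins.
RULES = [("out", None, "accept"), ("in", 22, "accept")]


class StatelessFilter:
    """Every packet is judged on its own headers; nothing is remembered."""

    def __init__(self, rules):
        self.rules = rules

    def check(self, pkt):
        for d, port, action in self.rules:
            if d == direction(pkt) and (port is None or port == pkt.dport):
                return action
        return "drop"


class StatefulFilter:
    """Same rules, plus a connection table keyed by the 5-tuple."""

    IDLE_TIMEOUT = 300.0             # seconds without traffic before an entry is forgotten

    def __init__(self, rules):
        self.rules = rules
        self.table = {}              # flow 5-tuple -> (state, last_seen)

    def _expire(self, now):
        for flow, (_state, last_seen) in list(self.table.items()):
            if now - last_seen > self.IDLE_TIMEOUT:
                del self.table[flow]

    def check(self, pkt):
        self._expire(pkt.t)
        # 1. Does the packet belong to a tracked connection, in either direction?
        for f in (pkt.flow(), pkt.reverse_flow()):
            if f in self.table:
                if pkt.flags & {"FIN", "RST"}:
                    del self.table[f]                 # teardown: forget the connection
                else:
                    self.table[f] = ("ESTABLISHED", pkt.t)
                return "accept"
        # 2. No match: treat as a NEW connection attempt and consult the rules.
        for d, port, action in self.rules:
            if d == direction(pkt) and (port is None or port == pkt.dport):
                if action == "accept" and "SYN" in pkt.flags:
                    self.table[pkt.flow()] = ("NEW", pkt.t)
                    return "accept"
                return "drop"                         # rule says drop, or not a SYN
        return "drop"


def constructed_trace():
    """Constructed packet sequence (not captured traffic)."""
    client, server, attacker = "10.0.0.7", "203.0.113.5", "198.51.100.9"
    return [
        Packet(client, 51000, server, 443, flags=frozenset({"SYN"}), t=0),          # outbound SYN
        Packet(server, 443, client, 51000, flags=frozenset({"SYN", "ACK"}), t=0.1), # the reply
        Packet(attacker, 4444, client, 51000, flags=frozenset({"SYN"}), t=1),       # unsolicited inbound
        Packet(attacker, 4444, client, 22, flags=frozenset({"ACK"}), t=2),          # ACK to allowed port, no connection
        Packet(server, 443, client, 51000, flags=frozenset({"FIN", "ACK"}), t=3),   # teardown
        Packet(server, 443, client, 51000, flags=frozenset({"ACK"}), t=4),          # after teardown
    ]


def run(fw, packets):
    return [fw.check(p) for p in packets]


def idle_timeout_demo():
    """An accepted outbound SYN whose reply arrives after the idle timeout."""
    fw = StatefulFilter(RULES)
    syn = Packet("10.0.0.7", 51001, "203.0.113.5", 443, flags=frozenset({"SYN"}), t=0)
    late_reply = Packet("203.0.113.5", 443, "10.0.0.7", 51001, flags=frozenset({"ACK"}), t=400)
    return [fw.check(syn), fw.check(late_reply)]


if __name__ == "__main__":
    for name, fw in (("stateless", StatelessFilter(RULES)), ("stateful", StatefulFilter(RULES))):
        print(name, run(fw, constructed_trace()))
    print("idle timeout", idle_timeout_demo())
```

With the same rule set, the stateless filter cannot admit the server's reply to the client's outbound connection (no inbound rule matches destination port 51000) unless the administrator opens that whole port range inbound, while the stateful filter admits the reply because it matches the reverse of a tracked flow, rejects a lone ACK to port 22 that belongs to no connection, and stops accepting packets for the flow once it has seen the FIN. How many states a real product tracks and which timeouts apply are configuration details of that product; the two states and the single idle timer here are assumptions made for the example.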