A) OUTBOUND TCP FLOW (ALLOWED) — state created, replies permitted
┌────────┐ ┌──────────────────────────────┐ ┌────────────┐
│ Client │ SYN │ STATEFUL FIREWALL │ SYN/ACK│ Server │
│ 10.0.0.5:51514 ─────────▶ [POLICY] OUTBOUND OK ─────────▶│ 8.8.8.8:443│
│ (LAN) │ │ [STATE TABLE]+= (C→S: SYN) │ │ (WAN/DMZ) │
└────────┘ │ [NAT] 10.0.0.5:51514→1.2.3.4:51514 └────────────┘
▲ │ ▲
│ ACK/PSH ◀───└─ ALLOW (matches established state) ──┘ HTTP(S) data
│
└─ Legend: the FW evaluates policy once, on the first packet (the SYN), and
creates a state entry (proto: TCP, src/dst IP:port, TCP flags/state, timeout).
Later packets of the flow, in either direction, are matched against that entry
rather than the rule base; return traffic is permitted only if it matches an
ESTABLISHED/RELATED flow, and each matching packet refreshes the timeout.
B) UNSOLICITED INBOUND TCP (BLOCKED) — no state entry, so dropped
┌────────┐ ┌──────────────────────────────┐ ┌────────────┐
│ LAN │ │ STATEFUL FIREWALL │ SYN │ Bad Host │
│ Host │✕──────│ [STATE LOOKUP] → MISS │◀────── │ 6.6.6.6:444│
└────────┘ DROP │ [POLICY] INBOUND DENY │ └────────────┘
│ [ACTION] DROP (no state) │
└──────────────────────────────┘
Note: Because no session exists in the firewall’s state table, the inbound
SYN from the bad host is denied and never reaches the LAN host. The same lookup
miss drops a bare inbound ACK, FIN or RST (INVALID: TCP traffic with no state
must begin with a SYN), which is why an ACK or FIN scan against a stateful
firewall that drops silently reports every port as filtered.
C) UDP “PSEUDO-STATE” (ALLOWED OUT, TIMED RETURN ONLY)
┌────────┐ ┌──────────────────────────────┐ ┌────────────┐
│ Client │ UDP │ STATEFUL FIREWALL │ UDP │ Server │
│ 10.0.0.5:53520 ─────────▶ [POLICY] OUTBOUND OK ─────────▶│ 9.9.9.9:53 │
│ (LAN) │ query │ [STATE TABLE]+= (C↔S tuple, timeout T) │ (DNS) │
└────────┘ └──────────────────────────────┘ └────────────┘
▲ ▲
│ UDP reply allowed │ state entry times out after T seconds
└────────◀────────────┘ (no flags in UDP; FW relies on timers)
Note: UDP has no handshake, so the first permitted outbound datagram is enough
to open the return path, and each datagram in either direction resets the timer.
A reply that arrives after T seconds of silence finds no entry and is dropped
like any other unsolicited inbound packet.
D) STATE TABLE (conceptual)
┌───────┬──────────────────┬──────────────────┬──────────────┬───────────┐
│ PROTO │ SRC IP:PORT      │ DST IP:PORT      │ STATE        │ EXPIRES   │
├───────┼──────────────────┼──────────────────┼──────────────┼───────────┤
│ TCP   │ 10.0.0.5:51514   │ 8.8.8.8:443      │ ESTABLISHED  │ 04:59     │
│ UDP   │ 10.0.0.5:53520   │ 9.9.9.9:53       │ ASSOCIATED   │ 00:25     │
└───────┴──────────────────┴──────────────────┴──────────────┴───────────┘
Note: SRC/DST are recorded as seen from the initiator; a reply is matched by
looking up the reversed tuple. EXPIRES is a countdown (mm:ss) that every matching
packet resets to the protocol's idle timeout; when it reaches zero the entry is
removed and later packets of that flow are treated as new (inbound ones are dropped).
E) ZONES & POLICY SUMMARY (left→right traffic direction)
LAN (trusted) ──▶ FW ──▶ WAN/DMZ
- Outbound: ALLOW if policy permits; create/update state; allow matching replies
- Inbound: DENY unless explicit rule; must match existing state or service ACL
- RELATED: ICMP errors, FTP data channels, etc., allowed if tied to an existing state.
  ICMP errors are matched via the original packet header quoted in the ICMP payload;
  FTP (and similar multi-channel protocols) need an ALG/helper that parses the control
  channel to learn the negotiated data port, so the helper itself becomes attack surface
  and should be enabled only for the services that need it
- NAT: (optional) translates internal addresses and ports; state tracks pre/post-NAT
  tuples so replies to the translated address are mapped back to the original flow
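The following Python simulator is an added example, not code from the original page or from any firewall product. It implements the behaviour sketched in panels A to E: a state table keyed on the initiator's 5-tuple, a reply allowed only when it matches the reversed tuple, UDP pseudo-state with a timer, an ICMP error admitted as RELATED only if the header it quotes belongs to a tracked flow, and the zone policy of panel E. The timeouts, the LAN prefix, the SERVICE_ACL entry, the replayed traffic and the simplification that a SYN/ACK reply marks the flow ESTABLISHED are all assumptions made for the demo; NAT is not modelled.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Timers and zones are assumptions chosen to match the diagrams, not vendor defaults.
TCP_ESTABLISHED_TIMEOUT = 300.0   # ~05:00 countdown shown for the TCP row in panel D
TCP_HANDSHAKE_TIMEOUT = 60.0      # short timer until the three-way handshake completes
UDP_TIMEOUT = 30.0                # the "T seconds" of panel C
LAN_PREFIX = "10.0.0."            # trusted zone of panel E
SERVICE_ACL = {("10.0.0.5", 443)} # inbound services explicitly published (hypothetical)

@dataclass(frozen=True)
class Packet:
    proto: str                         # "TCP", "UDP" or "ICMP"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()     # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}
    inner: Optional["Packet"] = None   # ICMP errors quote the header that caused them

    def key(self) -> Tuple:            # 5-tuple in this packet's own direction
        return (self.proto, self.src, self.sport, self.dst, self.dport)
    def reverse_key(self) -> Tuple:    # 5-tuple of the flow this packet replies to
        return (self.proto, self.dst, self.dport, self.src, self.sport)

@dataclass
class Entry:
    state: str       # SYN_SENT / ESTABLISHED for TCP, ASSOCIATED for UDP
    expires: float   # absolute time; refreshed by every packet that matches

class StatefulFirewall:
    def __init__(self) -> None:
        self.table: Dict[Tuple, Entry] = {}   # keyed by the initiator's 5-tuple

    def _expire(self, now: float) -> None:
        for k in [k for k, e in self.table.items() if e.expires <= now]:
            del self.table[k]

    @staticmethod
    def _timeout(proto: str, state: str) -> float:
        if proto == "UDP":
            return UDP_TIMEOUT
        return TCP_ESTABLISHED_TIMEOUT if state == "ESTABLISHED" else TCP_HANDSHAKE_TIMEOUT

    def process(self, p: Packet, now: float) -> Tuple[str, str]:
        """Return (verdict, reason) for one packet and update the state table."""
        self._expire(now)
        # 1. Reply direction: allowed only because the initiator created state.
        e = self.table.get(p.reverse_key())
        if e is not None:
            if p.proto == "TCP" and p.flags >= {"SYN", "ACK"}:
                e.state = "ESTABLISHED"          # simplified: SYN/ACK completes the handshake
            e.expires = now + self._timeout(p.proto, e.state)
            return "ALLOW", f"reply matches {e.state} state"

        # 2. Original direction: further packets of a flow already being tracked.
        e = self.table.get(p.key())
        if e is not None:
            e.expires = now + self._timeout(p.proto, e.state)
            return "ALLOW", f"matches {e.state} state"

        # 3. RELATED: an ICMP error passes only if the quoted header belongs to a tracked flow.
        if p.proto == "ICMP" and p.inner is not None:
            if p.inner.key() in self.table:
                return "ALLOW", "RELATED (ICMP error for a tracked flow)"
            return "DROP", "ICMP error quoting an unknown flow"

        # 4. No state at all: fall back to zone policy (panel E).
        if p.src.startswith(LAN_PREFIX):
            if p.proto == "TCP" and p.flags != {"SYN"}:
                return "DROP", "INVALID (TCP without state must begin with SYN)"
            state = "SYN_SENT" if p.proto == "TCP" else "ASSOCIATED"
            self.table[p.key()] = Entry(state, now + self._timeout(p.proto, state))
            return "ALLOW", f"outbound policy; state created ({state})"
        if p.proto == "TCP" and p.flags == {"SYN"} and (p.dst, p.dport) in SERVICE_ACL:
            self.table[p.key()] = Entry("SYN_SENT", now + TCP_HANDSHAKE_TIMEOUT)
            return "ALLOW", "inbound service ACL; state created (SYN_SENT)"
        return "DROP", "inbound, no state, no ACL match"

def demo() -> List[Tuple[float, str, str]]:
    """Replay constructed traffic for panels A-C and return (time, verdict, reason)."""
    fw = StatefulFirewall()
    syn = Packet("TCP", "10.0.0.5", 51514, "8.8.8.8", 443, frozenset({"SYN"}))
    synack = Packet("TCP", "8.8.8.8", 443, "10.0.0.5", 51514, frozenset({"SYN", "ACK"}))
    ack = Packet("TCP", "10.0.0.5", 51514, "8.8.8.8", 443, frozenset({"ACK"}))
    bad_syn = Packet("TCP", "6.6.6.6", 444, "10.0.0.5", 22, frozenset({"SYN"}))
    bad_ack = Packet("TCP", "6.6.6.6", 444, "10.0.0.5", 51514, frozenset({"ACK"}))
    query = Packet("UDP", "10.0.0.5", 53520, "9.9.9.9", 53)
    reply = Packet("UDP", "9.9.9.9", 53, "10.0.0.5", 53520)
    unreach = Packet("ICMP", "9.9.9.9", 0, "10.0.0.5", 0, inner=query)  # port-unreachable
    timeline = [(0.0, syn), (0.1, synack), (0.2, ack), (1.0, bad_syn), (1.5, bad_ack),
                (2.0, query), (2.1, reply), (3.0, unreach), (40.0, reply), (400.0, ack)]
    return [(t,) + fw.process(p, t) for t, p in timeline]

if __name__ == "__main__":
    for t, verdict, reason in demo():
        print(f"t={t:6.1f}s  {verdict:5}  {reason}")
```

Running it walks the timeline: the handshake and the DNS query are allowed and create state, the bad host's SYN and its stray ACK are dropped for lack of state, the ICMP error is admitted as RELATED because it quotes the tracked DNS query, the late DNS reply at t=40 s is dropped because the UDP entry expired, and the client's own ACK at t=400 s is INVALID because the TCP entry has timed out and a new TCP flow must start with a SYN.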