This is an introductory article on the workings of Stateful and Stateless firewalls.
Firewalls are network security systems that monitor, track, and control network traffic. When configured on WAN boundaries, firewalls protect against malicious or undesirable traffic. Generally, firewalls apply to inbound, outbound, and local (i.e., destined for the firewall itself) traffic. While most host devices today feature consumer-grade firewall software, IT Admins are responsible for researching and implementing an effective firewall solution on the Enterprise/Broadband network.
As their scope, complexity, and importance have grown, network firewalls have evolved upward through the layers of the OSI Model in both design and implementation. Even before a Network Firewall is configured, a well-designed Network Topology at OSI Layers 1 and 2 reduces the risks faced by the network, primarily by controlling physical network access and by segmenting hosts with VLANs.
Dedicated Firewalls are critical to ensuring a safe, high-performing Network for all hosts. The UniFi Security Gateway sits on the WAN boundaries and by default, features basic firewall rules protecting the UniFi Site.
Stateless vs. Stateful Firewalls
Among the earliest firewalls were Stateless Firewalls, which filter each packet on its own, with no memory of the packets that came before it, based on header information at OSI Layers 2, 3, and 4 such as Source & Destination Addresses, protocol, and ports.
As Network Hardware became more powerful and affordable, Stateful Firewalls emerged as connection-tracking filters. They remember each connection they have allowed (for example a TCP handshake and the replies that belong to it) and evaluate packets against that connection state in addition to the Layer 2, 3, and 4 header fields; many also inspect Layer 7 payloads for Application-based filtering.
Whether filtering based on simple packet criteria, or advanced tracking requirements, Stateless and Stateful Firewalls are both popularly used today and often overlap in when, where, and how they are deployed.
The USG and EdgeRouter use the more advanced Stateful firewalls and can match on the following traffic states:
new: The incoming packets start a new connection that is not yet in the connection table.
established: The incoming packets belong to a connection that already exists in the connection table, in either direction.
related: The incoming packets start a new connection, but one that is associated with an existing connection (for example an FTP data connection, or an ICMP error message referring to a tracked connection).
invalid: The incoming packets do not match any of the other states, for example a TCP segment that is not a SYN and does not belong to any tracked connection.
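To make the four states concrete, the following is an added example (not USG or EdgeRouter code) of a toy stateful packet filter: a connection table labels each packet new, established, related or invalid, and a per-interface, per-direction rule set with accept/drop/reject actions is then evaluated, first match wins. The interface names (eth0 as WAN, eth1 as LAN), addresses, rules and the six constructed packets are assumptions chosen for the demonstration; the "expect" call stands in for what an application helper would do after parsing an FTP control channel.

```python
# Added example (not EdgeOS/USG code): a toy stateful packet filter that labels
# packets new/established/related/invalid from a connection table and then
# evaluates an interface+direction rule set. Interface names, addresses and
# rules below are assumptions chosen for the demo.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str                  # interface the firewall sees the packet on
    direction: str              # "in", "out" or "local" (EdgeOS naming)
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()   # TCP flags; empty for udp/icmp


@dataclass
class ConnTracker:
    """Minimal connection table: one entry per accepted 5-tuple."""
    table: Set[Tuple] = field(default_factory=set)
    expected: Set[Tuple] = field(default_factory=set)   # flows a helper announced

    @staticmethod
    def _key(p: Packet) -> Tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> Tuple:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def expect(self, proto: str, dst: str, dport: int) -> None:
        # What an FTP/SIP helper would do after parsing the control channel.
        self.expected.add((proto, dst, dport))

    def classify(self, p: Packet) -> str:
        if self._key(p) in self.table or self._reverse_key(p) in self.table:
            return "established"      # either direction of a tracked flow
        if (p.proto, p.dst, p.dport) in self.expected:
            return "related"          # new flow announced by a tracked one
        if p.proto == "tcp" and p.flags != frozenset({"SYN"}):
            return "invalid"          # mid-stream TCP segment, no tracked flow
        return "new"

    def record(self, p: Packet) -> None:
        self.table.add(self._key(p))
        self.expected.discard((p.proto, p.dst, p.dport))


@dataclass(frozen=True)
class Rule:
    action: str                            # "accept", "drop" or "reject"
    states: FrozenSet[str] = frozenset()   # empty = match any state
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet, state: str) -> bool:
        return ((not self.states or state in self.states)
                and (self.proto is None or self.proto == p.proto)
                and (self.src is None or self.src == p.src)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))


class Firewall:
    def __init__(self) -> None:
        self.tracker = ConnTracker()
        # (interface, direction) -> (ordered rules, default action)
        self.rulesets: Dict[Tuple[str, str], Tuple[List[Rule], str]] = {}

    def add_ruleset(self, iface: str, direction: str, rules: List[Rule],
                    default: str = "drop") -> None:
        self.rulesets[(iface, direction)] = (rules, default)

    def filter(self, p: Packet) -> Tuple[str, str]:
        state = self.tracker.classify(p)
        # No rule set on that interface/direction: traffic passes unfiltered.
        rules, action = self.rulesets.get((p.iface, p.direction), ([], "accept"))
        for rule in rules:                  # first match wins
            if rule.matches(p, state):
                action = rule.action
                break
        if action == "accept" and state in ("new", "related"):
            self.tracker.record(p)          # only accepted flows enter the table
        return state, action


def demo() -> List[Tuple[str, str]]:
    fw = Firewall()
    stateful = [Rule("accept", frozenset({"established", "related"})),
                Rule("drop", frozenset({"invalid"}))]
    fw.add_ruleset("eth0", "in", stateful)                    # WAN_IN: drop unsolicited
    fw.add_ruleset("eth0", "local", stateful
                   + [Rule("reject", proto="tcp", dport=22)])  # WAN_LOCAL: refuse SSH
    fw.add_ruleset("eth1", "in", [], default="accept")        # LAN_IN: allow all
    syn, ack = frozenset({"SYN"}), frozenset({"ACK"})
    lan, web, attacker, wan_ip = "192.168.1.10", "93.184.216.34", "198.51.100.7", "203.0.113.5"
    results = [
        fw.filter(Packet("eth1", "in", "tcp", lan, 50000, web, 443, syn)),      # new, accept
        fw.filter(Packet("eth0", "in", "tcp", web, 443, lan, 50000, ack)),      # established
        fw.filter(Packet("eth0", "in", "tcp", attacker, 40000, lan, 22, syn)),  # new, drop
        fw.filter(Packet("eth0", "in", "tcp", attacker, 40000, lan, 22, ack)),  # invalid, drop
    ]
    fw.tracker.expect("tcp", lan, 50001)                      # FTP helper saw a PORT command
    results.append(fw.filter(Packet("eth0", "in", "tcp", web, 20, lan, 50001, syn)))          # related
    results.append(fw.filter(Packet("eth0", "local", "tcp", attacker, 40001, wan_ip, 22, syn)))  # new, reject
    return results


if __name__ == "__main__":
    for state, action in demo():
        print(f"{state:<12} -> {action}")
```

The WAN rule set in the demo is the shape a stateful firewall normally takes on a WAN boundary: accept established and related, drop invalid, and let the rule set's default action drop everything else, so only connections that a LAN host opened (and flows a helper announced on their behalf) are allowed back in, while an unsolicited SYN and a stray ACK from the outside are both discarded.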
Due to their design, function, and location on networks, Routers (Gateways) are well-suited to run firewalls. When configuring a Router Firewall, consider the following criteria:
Interface: The network interface where the firewall is applied.
Direction: The traffic direction (ingress, egress or local) in which the firewall is filtering traffic.
Type: Which traffic types (ports, protocols, source, destination) should be matched on.
Action: Whether to drop, reject or accept traffic.
Firewalls can be applied to multiple interfaces (for example the WAN or LAN interface) and in multiple directions. The traffic directions are ingress (inbound), egress (outbound), or Local (bound for the Firewall Device). Firewall rules can define whether to Drop, Reject, or Accept the matching traffic and can filter on many different traffic types. Some examples are:
- Network Protocol
- Source IP address(es)
- Destination IP address(es)