


A stateless firewall doesn't track connections. It just looks at IP, PORT, and whether the packet is going in or out (direction of the packet). Stateful means it tracks connections, looks at the 3 way handshake, the SYN, the ACK etc. It knows if a packet is going out to make a new connection. It knows if a packet is part of an existing connection.

If it's stateless, it means you can't specify to allow in established connections, or to allow in/out new connections. If you run a server and want the firewall to let packets through for that server, then it's fine for allowing packets to the server: allow all packets in on this port from this/these IPs. You allow in all packets, and allow out all packets, and you might restrict some IPs. So no difference there whether stateful or stateless.

But if you want to browse the web, then if it was a stateful firewall, you can say: Allow all packets out on port 80, and allow ESTABLISHED ones in or out. The packets going out are to make a new connection or are part of an existing connection, or rather, everything can go out, no deny rule (this is common with iptables). So the only packets that come in are ones that are part of an already established connection.

A rule in iptables to allow in packets from established connections (from the iptables article "Towards a perfect ruleset"):

-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

Or, what is done with ipfw, allow an outgoing connection on port 80, and any packets associated with that connection can go in or out:

allow tcp from any to any 80 out setup keep-state
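A toy model of the difference the answer describes, added here as an example and not part of the answer above: the stateless policy can only match on ports and direction, so to let web replies back in it has to accept inbound packets with source port 80 from anywhere, while the stateful filter (modelling ipfw `keep-state` / iptables conntrack) only accepts inbound packets that belong to a connection it recorded on the way out. Addresses, ports and the Packet class are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" (leaving this host) or "in" (arriving)
    src: str
    sport: int
    dst: str
    dport: int


def stateless_browse_policy(pkt):
    """Stateless: decide from ports and direction only.
    No connection is remembered, so web replies can only be let in
    by allowing any inbound packet whose source port is 80."""
    if pkt.direction == "out" and pkt.dport == 80:
        return True
    if pkt.direction == "in" and pkt.sport == 80:
        return True
    return False


class StatefulFirewall:
    """Stateful: an allowed outbound packet records its 4-tuple (like
    'setup keep-state' or conntrack); an inbound packet is accepted only
    if it is the reverse of a recorded flow, i.e. ESTABLISHED."""
    def __init__(self):
        self.connections = set()   # (local_ip, local_port, remote_ip, remote_port)

    def filter(self, pkt):
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.dport == 80 or key in self.connections:
                self.connections.add(key)
                return True
            return False
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections


def demo():
    """Run the same three constructed packets through both filters."""
    client, web, stranger = "192.0.2.5", "203.0.113.10", "198.51.100.7"
    request = Packet("out", client, 40000, web, 80)      # browser opens a page
    reply = Packet("in", web, 80, client, 40000)         # the server's answer
    # Unsolicited inbound packet: nobody here asked for it, but it happens
    # to carry source port 80 and is aimed at the SSH port.
    unsolicited = Packet("in", stranger, 80, client, 22)
    fw = StatefulFirewall()
    return {
        "stateless": [stateless_browse_policy(p) for p in (request, reply, unsolicited)],
        "stateful": [fw.filter(p) for p in (request, reply, unsolicited)],
    }
```

`demo()` returns `{"stateless": [True, True, True], "stateful": [True, True, False]}`: both let the request and its reply through, but only the stateful filter drops the inbound packet that belongs to no connection.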
