Stateful filters: example Log each TCP connection initiated through firewall: SYN segment Timeout entries which see no activity for, say, 60 seconds source dest source dest address address ort ort 2222217 379687123 12699 80 199120523 37654 0 2222293.2 2222265.143 203.77.24043 48712 80 If rule table indicates that stateful table must be checked check to see if there is already a connection in stateful table Stateful filters can also remember outgoing UDP segmentsStateful filters: example source address dest address source port dest port 222.22.1.7 37.96.87.123 12699 80 222.22.93.2 199.1.205.23 37654 80 222.22.65.143 203.77.240.43 48712 80 13 If rule table indicates that stateful table must be checked: check to see if there is already a connection in stateful table • Log each TCP connection initiated through firewall: SYN segment • Timeout entries which see no activity for, say, 60 seconds Stateful filters can also remember outgoing UDP segments