Firewalls: Stateless, Stateful & WAF
A firewall controls traffic flow between networks or hosts based on rules.
It is the checkpoint that decides which packets pass. There are four kinds worth knowing.
Stateless
A stateless firewall checks each packet on its own, with no memory of what came before. It permits or denies based on Layer 3 / Layer 4 details: IP address, port, protocol.
ALLOW TCP 80 from 10.0.0.0/24 to 10.0.1.10
Example use: an admin blocks port 25 (SMTP) from a specific workstation to stop it blasting out email viruses. Simple and fast, but it cannot tell a legitimate reply from an unsolicited packet, because it remembers nothing.
Stateful
A stateful firewall keeps a session table (IP addresses, ports, TCP state) and tracks the TCP handshake. Because it remembers connections, it can allow return traffic for sessions you started and block everything else. It decides based on Layers 3, 4, and 5.
Example: a FortiGate next-generation firewall (NGFW).
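To make the stateless/stateful difference concrete, here is an added simulation (not from the original note or any vendor): a stateless rule set that has to admit anything from source port 80 to let web replies back in, beside a stateful filter whose session table follows the TCP handshake. The 10.0.0.0/24 inside network, the addresses and the packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
@dataclass(frozen=True)
class Packet:  # constructed model: only the L3/L4 fields a rule can see
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags: "S" = SYN, "SA" = SYN-ACK, "A" = ACK

INSIDE = ip_network("10.0.0.0/24")  # the protected network (assumed)
def stateless_allow(pkt: Packet) -> bool:
    """Judge each packet alone. To let web replies back in, the rule set must
    allow anything from source port 80, which also admits unsolicited packets."""
    if ip_address(pkt.src) in INSIDE and pkt.dport == 80:
        return True
    return ip_address(pkt.dst) in INSIDE and pkt.sport == 80
class StatefulFirewall:
    """Session table keyed by 4-tuple, following the TCP handshake."""
    def __init__(self):
        self.sessions = {}  # (src, sport, dst, dport) -> TCP state
    def allow(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        key = fwd if fwd in self.sessions else rev if rev in self.sessions else None
        if key is not None:  # known session: advance its handshake state
            if pkt.flags == "SA" and self.sessions[key] == "SYN_SENT":
                self.sessions[key] = "SYN_RECV"
            elif pkt.flags == "A" and self.sessions[key] == "SYN_RECV":
                self.sessions[key] = "ESTABLISHED"
            return True
        # unknown flow: only an inside host may open one, and only with a SYN
        if pkt.flags == "S" and ip_address(pkt.src) in INSIDE and pkt.dport == 80:
            self.sessions[fwd] = "SYN_SENT"
            return True
        return False
def demo() -> dict:
    """Constructed traffic: one real web session plus a stray packet that
    merely uses source port 80 to look like a reply."""
    syn = Packet("10.0.0.5", 51000, "203.0.113.10", 80, "S")
    synack = Packet("203.0.113.10", 80, "10.0.0.5", 51000, "SA")
    ack = Packet("10.0.0.5", 51000, "203.0.113.10", 80, "A")
    stray = Packet("198.51.100.9", 80, "10.0.0.5", 5555, "S")
    fw = StatefulFirewall()
    return {
        "stateless_admits_stray": stateless_allow(stray),
        "stateful_session": [fw.allow(syn), fw.allow(synack), fw.allow(ack)],
        "stateful_admits_stray": fw.allow(stray),
        "state": fw.sessions[("10.0.0.5", 51000, "203.0.113.10", 80)],
    }
```

The stateless filter passes the stray packet because its source port is 80; the stateful filter rejects it because no inside host opened that session, while the genuine handshake is tracked through to ESTABLISHED.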
Application (WAF)
An application firewall understands the application layer. A WAF (Web Application Firewall) protects web apps specifically: it can read HTTP and block things like SQL injection or XSS payloads that a packet-level firewall would wave straight through.
Host-based
A host-based firewall is firewall software running on an individual machine (your laptop's built-in firewall), protecting just that host rather than a whole network.
Putting it together
Stateless → judges each packet, no memory (fast, blunt)
Stateful → tracks connections via a session table (smarter)
Application → understands HTTP, blocks web attacks (WAF)
Host-based → runs on one machine (last line of defense)
Real networks layer these: a stateful firewall at the edge, a WAF in front of the web app, and host firewalls on the servers. Defense in depth.