A rule that includes stateful packet inspection (SPI, also referred to as dynamic packet filtering)
can react to the connection state. Filtering decisions are based not only on user-defined rules (as in static packet filtering)
but also on the context established by prior packets that have passed through the firewall.
Stateful inspection helps protect against hacker techniques such as IP spoofing and port scanning by ensuring that
only requested information is allowed back in through the firewall. It enables the tracking of outgoing packets that
request specific types of incoming packets and allows only those incoming packets that constitute a proper response.
Specifically, if you create a simple system rule for some TCP activity, it controls traffic in the
specified direction between the ports opened on the given hosts. If you enable stateful inspection for this rule,
then once the rule is triggered, i.e. a connection is established according to it, all subsequent TCP traffic
between the given hosts (irrespective of ports and direction) is either allowed or blocked (according to the specified setting).
The same applies to application rules. After an application connects to a remote server, all data exchanged between
the application and that server is either allowed or blocked (according to the specified setting).
For example, FTP always requires a return connection, which can be allowed automatically by enabling
stateful inspection in its rule.
If you create a simple system rule for some UDP activity, it controls packets in the specified direction.
If you enable stateful inspection for this rule, then once the rule is triggered, i.e. a packet has been sent
according to it (a so-called 'pseudo-connection' has been established), all subsequent UDP traffic between the
given ports opened on the hosts is either allowed or blocked in both directions (according to the specified setting).
The same applies to application rules. After an application connects to a remote server, all data between the local and
remote ports opened by the application is either allowed or blocked (according to the specified setting).
Creating an SPI rule is more secure than specifying the host as Trusted. SPI allows you to keep ports closed
until connections to them are requested. If the host is Trusted, all connections with it are allowed by default.
Important: It is not recommended to enable stateful inspection for rules that control incoming
traffic in general, since this would simply allow all traffic in together with its outgoing replies.
Note: Make sure there is no rule with a higher priority that covers your SPI rule's activity.
Otherwise, your new rule will be ignored and stateful inspection will not be activated.
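The following toy filter models the TCP and UDP behaviour described above (per-host state for TCP, per-port pseudo-connections for UDP) and the priority note: an SPI rule shadowed by a higher-priority static rule never creates state, so the return connection is dropped. It is an added illustration, not the firewall's own code; the Packet and Rule layouts, the addresses, the default-block policy and the "first matching rule wins" ordering are assumptions made for the example.

```python
"""Toy stateful packet filter (added example; constructed data and rule model)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LOCAL = "10.0.0.5"           # constructed address of the protected host
FTP_SERVER = "203.0.113.10"  # constructed remote FTP server
DNS_SERVER = "203.0.113.53"  # constructed remote DNS server


@dataclass(frozen=True)
class Packet:
    proto: str   # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int

    @property
    def outbound(self) -> bool:
        return self.src == LOCAL


@dataclass
class Rule:
    name: str
    proto: str
    direction: str              # "out" (local -> remote) or "in"
    remote: str                 # remote host the rule applies to
    remote_port: Optional[int]  # None = any remote port
    action: str                 # "allow" or "block"
    spi: bool = False           # stateful inspection enabled for this rule?

    def matches(self, p: Packet) -> bool:
        if p.proto != self.proto:
            return False
        if self.direction == "out":
            return p.outbound and p.dst == self.remote and (
                self.remote_port is None or p.dport == self.remote_port)
        return (not p.outbound) and p.src == self.remote and (
            self.remote_port is None or p.sport == self.remote_port)


@dataclass
class StatefulFilter:
    rules: List[Rule]  # ordered from highest to lowest priority (assumption)
    # TCP state is per remote host: any port, either direction, as the text says.
    tcp_state: Dict[str, str] = field(default_factory=dict)
    # UDP pseudo-connection state is per (remote host, local port, remote port).
    udp_state: Dict[Tuple[str, int, int], str] = field(default_factory=dict)

    def filter(self, p: Packet) -> str:
        remote = p.dst if p.outbound else p.src
        lport, rport = (p.sport, p.dport) if p.outbound else (p.dport, p.sport)
        # 1. Traffic belonging to a tracked connection follows the state that
        #    created it; this is what lets a requested reply back in.
        if p.proto == "TCP" and remote in self.tcp_state:
            return self.tcp_state[remote]
        if p.proto == "UDP" and (remote, lport, rport) in self.udp_state:
            return self.udp_state[(remote, lport, rport)]
        # 2. Otherwise the first (highest-priority) matching rule decides; only
        #    an SPI rule records state for the follow-up traffic.
        for rule in self.rules:
            if rule.matches(p):
                if rule.spi and p.proto == "TCP":
                    self.tcp_state[remote] = rule.action
                elif rule.spi:
                    self.udp_state[(remote, lport, rport)] = rule.action
                return rule.action
        return "block"  # nothing requested it, so the port stays closed


FTP_SPI = Rule("ftp-spi", "TCP", "out", FTP_SERVER, 21, "allow", spi=True)
FTP_STATIC = Rule("ftp", "TCP", "out", FTP_SERVER, 21, "allow")
ANY_TCP_OUT = Rule("any-tcp-out", "TCP", "out", FTP_SERVER, None, "allow")


def ftp_session(rules: List[Rule]) -> Tuple[str, str]:
    """Outbound FTP control connection, then the server's return data connection."""
    fw = StatefulFilter(rules)
    control = Packet("TCP", LOCAL, 50000, FTP_SERVER, 21)
    data_back = Packet("TCP", FTP_SERVER, 20, LOCAL, 50001)  # other ports, inbound
    return fw.filter(control), fw.filter(data_back)


def dns_exchange() -> Tuple[str, str, str]:
    """UDP query, its reply on the same port pair, and a stray reply on another port."""
    fw = StatefulFilter([Rule("dns-spi", "UDP", "out", DNS_SERVER, 53, "allow", spi=True)])
    query = Packet("UDP", LOCAL, 40000, DNS_SERVER, 53)
    reply = Packet("UDP", DNS_SERVER, 53, LOCAL, 40000)  # part of the pseudo-connection
    stray = Packet("UDP", DNS_SERVER, 53, LOCAL, 40001)  # same host, other local port
    return fw.filter(query), fw.filter(reply), fw.filter(stray)


if __name__ == "__main__":
    print("SPI rule:    ", ftp_session([FTP_SPI]))               # ('allow', 'allow')
    print("static rule: ", ftp_session([FTP_STATIC]))            # ('allow', 'block')
    print("shadowed SPI:", ftp_session([ANY_TCP_OUT, FTP_SPI]))  # ('allow', 'block')
    print("UDP DNS:     ", dns_exchange())                        # ('allow', 'allow', 'block')
```

The three FTP runs show the point of the section: the static rule passes the control connection but drops the return connection, the SPI rule passes both because the state is keyed on the remote host alone, and the shadowed SPI rule behaves exactly like the static one because the higher-priority `any-tcp-out` rule matches first and never records state. The UDP run shows the narrower pseudo-connection: the reply on the requesting port pair is admitted, while a datagram from the same host to a different local port is not.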