A firewall state table builds and stores information about active connections that have been permitted by firewall rules. Entries in the table define each connection based on:
- IP addresses for connection.
- Protocol - TCP, UDP, and ICMP protocols.
- Port numbers - Services using numbered ports. Port numbers range from 0–65535.
- Process ID (PID) -Unique identifiers for the host process associated with each connection’s traffic.
- Timestamp - The time of the last incoming or outgoing packet associated with the connection.
- Timeout - The time limit (in seconds) after which the entry is removed from the table if no packet matching the connection is received. The timeout for TCP connections is enforced only when the connection isn't established.
- Direction - The direction (incoming or outgoing) of the traffic that triggered the entry. After a connection is established, bidirectional traffic is allowed even with unidirectional rules, provided the entry matches the connection’s parameters in the state table.
How are firewalls are the same as all other network devices.
Each host connected to each network attached to the firewall is assumed to have been assigned a unique IP address.
Firewall state tables support both IPv4 and IPv6. IPv4 addresses are 32 bits long while IPv6 permits addresses 128 bits long.
When the process ends, all entries in the state table associated with a process are deleted.
How do state tables differ based on the open source project or manufacturer?
If firewall rules change, all active connections are checked against the new rule set. If no matching rule is found, the connection entry is discarded from the state table.
If an network adapter obtains a new IP address, the firewall recognizes the new configuration and drops all state table entries with invalid local IP addresses.
A TCP connection progresses through a series of states during its lifetime. The states are:
- LISTEN (An open port on a host waiting for a connection.),
- SYN-SENT (A host is actively attempting to establish a connection.),
- SYNRECEIVED (The server received a TCP SYN, responded with a SYN/ACK, and is now waiting for the remote host to send an ACK to finally establish the connection),
- ESTABLISHED (There is a connection between a host and the remote IP and port that is able to exchange traffic.),
- FIN-WAIT-1 (The first step of a four-way handshake was performed.),
- FIN-WAIT-2 (Occurs when the server has an active connection with a client and wants to shut down the TCP connection.),
- CLOSE-WAIT (The server has received the first FIN signal from the client and the connection is in the process of being closed.),
- CLOSING (Host is waiting for an acknowledgement for a connection termination request before going to the TIME-WAIT state.),
- LAST-ACK (The local end-point has performed a passive close and has initiated an active close by sending a connection termination request to the remote end-point),
- TIME-WAIT (The local end-point waits for twice the maximum segment lifetime (MSL) to pass before going to CLOSED to be sure that the remote end-point received the acknowledgement.), and
- the fictional state CLOSED.
CLOSED is considered a fictional state because based on the standard (RFC 9040) where it is defined it represents the state when there is no transmission control block (TCB), and a TCB is required to define a connection.
References:
TCP/IP State Transition Diagram (RFC793)