With Stateful Packet Inspection (SPI), every time a packet is sent out of the
computer, the firewall records it. When a packet comes back to the
firewall, the firewall can tell whether or not the inbound packet is a reply to
a packet that was sent out.
This way, the firewall can handle most network traffic safely without a
complex configuration of firewall rules: outbound connections are allowed,
their replies are recognized and let back in, and inbound packets that nobody
inside asked for are dropped.
What does "Stateful" mean?
"Stateful" basically means "remembers things that came
before." Something that is "stateful" knows about the current
"state" of things -- what's going on at that moment, and what went on
A "stateful" firewall knows not only about the packet it's looking
at, but also about packets that came before that one.
Why is that useful in a firewall?
Imagine that you had no memory. At any moment, all you knew about was that
moment, and you had to figure everything out just from what you could see. This
is how old, stateless firewalls worked -- they judged each packet on its own
header fields (addresses, ports, flags) and couldn't "remember" packets they had
seen before.
Firewalls are designed to control network connections to your
computer. The problem is that a "connection" is different from a
"packet." A packet is just a single piece of information, but a
"connection" is a whole stream of packets. How does one tell if a
packet is part of a connection, if you can't remember the packets that came
So, modern firewalls keep a table of the connections they have seen (the
"state table") and check each packet against it to "know" whether the packet is
part of an existing connection or not.
How does this work in WinRoute Firewall?
Let's pretend we have a guy named John, and his computer is connected to a
Firewall (WinRoute Firewall, in particular).
- John points his web browser at a web page, like www.yahoo.com.
- The web browser sends a packet (a TCP SYN) to www.yahoo.com, saying "I'm
going to talk to you."
- The packet goes through WinRoute Firewall.
- WinRoute Firewall notes, "John is sending a packet to www.yahoo.com," and
records the connection: John's address and port, www.yahoo.com's address and
port, and the fact that the connection is still being set up.
- WinRoute Firewall sends the packet on to www.yahoo.com.
- www.yahoo.com sends a packet back to John, saying "Okay, you can talk
- The packet from www.yahoo.com gets to John's WinRoute Firewall.
- WinRoute Firewall looks at the packet, and thinks, "Should I let this
- WinRoute Firewall notes, "The packet is from www.yahoo.com."
- WinRoute Firewall checks to see if John recently sent out a packet to
- WinRoute Firewall discovers that yes, John sent a packet to
www.yahoo.com, so this must be a reply.
- WinRoute Firewall forwards the packet on to John's computer.
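The walk-through above, written out as a small stateful filter. This is an added example, not WinRoute Firewall's own code: it keeps a state table keyed on the (source address, source port, destination address, destination port) of each outbound TCP connection, lets an inbound packet through only when its reversed tuple is already in the table and its TCP flags fit the connection's current state, and forgets idle entries. The host names, addresses and port numbers in the demo are constructed for illustration. A real engine also tracks sequence numbers and protocols other than TCP; both are left out here to keep the logic readable.

```python
# Added example (not WinRoute code): a toy stateful packet filter that tracks
# outbound connections by address/port tuple plus TCP state and admits inbound
# packets only when they are replies to something the table already knows.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: FrozenSet[str] = frozenset()  # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


# Connection identity: (client ip, client port, server ip, server port).
# Only TCP is modelled; a real engine keys on the protocol as well.
Key = Tuple[str, int, str, int]


@dataclass
class Entry:
    state: str        # "SYN_SENT" (handshake pending) or "ESTABLISHED"
    last_seen: float  # timestamp of the last packet on this connection


class StatefulFirewall:
    """Direction is decided by the caller: 'out' = LAN -> Internet, 'in' = Internet -> LAN."""

    def __init__(self, idle_timeout: float = 300.0) -> None:
        self.table: Dict[Key, Entry] = {}
        self.idle_timeout = idle_timeout

    def _expire(self, now: float) -> None:
        # Memory is finite: forget connections nobody has used for a while.
        dead = [k for k, e in self.table.items() if now - e.last_seen > self.idle_timeout]
        for k in dead:
            del self.table[k]

    def filter(self, p: Packet, direction: str, now: float) -> Tuple[str, str]:
        """Return ("ALLOW" | "DROP", reason) for one packet."""
        self._expire(now)
        return self._outbound(p, now) if direction == "out" else self._inbound(p, now)

    def _outbound(self, p: Packet, now: float) -> Tuple[str, str]:
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        if p.flags == {"SYN"}:
            # Policy: inside hosts may open connections. Note the request so the
            # reply can be recognized; nothing is ESTABLISHED until SYN-ACK arrives.
            self.table[key] = Entry("SYN_SENT", now)
            return "ALLOW", "new outbound connection recorded"
        entry = self.table.get(key)
        if entry is None:
            return "DROP", "outbound packet for unknown connection"
        entry.last_seen = now
        if "RST" in p.flags:
            del self.table[key]
            return "ALLOW", "connection reset by client"
        return "ALLOW", "part of tracked connection"

    def _inbound(self, p: Packet, now: float) -> Tuple[str, str]:
        # A reply swaps source and destination, so look up the reversed tuple.
        key = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        entry = self.table.get(key)
        if entry is None:
            # Anything nobody inside asked for is refused: a SYN from outside,
            # or a "reply" from a known server aimed at a port John never used.
            return "DROP", "no matching outbound connection"
        entry.last_seen = now
        if entry.state == "SYN_SENT":
            if p.flags == {"SYN", "ACK"}:
                entry.state = "ESTABLISHED"
                return "ALLOW", "handshake reply"
            if "RST" in p.flags:
                del self.table[key]
                return "ALLOW", "server refused connection"
            return "DROP", "unexpected packet during handshake"
        if "RST" in p.flags:
            del self.table[key]
            return "ALLOW", "connection reset by server"
        return "ALLOW", "part of tracked connection"


def run_demo() -> List[Tuple[str, str]]:
    """Constructed traffic following the walk-through; returns the decisions."""
    fw = StatefulFirewall(idle_timeout=300.0)
    john, yahoo, stranger = "192.168.1.10", "203.0.113.5", "198.51.100.9"  # constructed
    t = 1000.0
    d = []
    # 1. John's browser opens a connection to the web server (SYN).
    d.append(fw.filter(Packet(john, 51000, yahoo, 80, frozenset({"SYN"})), "out", t))
    # 2. The server's SYN-ACK matches the reversed tuple and is let through.
    d.append(fw.filter(Packet(yahoo, 80, john, 51000, frozenset({"SYN", "ACK"})), "in", t + 0.1))
    # 3. Same server, but to a port John never used: not a reply, dropped.
    d.append(fw.filter(Packet(yahoo, 80, john, 51001, frozenset({"ACK"})), "in", t + 0.2))
    # 4. A stranger tries to open a connection inward: no state, dropped.
    d.append(fw.filter(Packet(stranger, 4444, john, 445, frozenset({"SYN"})), "in", t + 0.3))
    # 5. Data on the established connection still flows.
    d.append(fw.filter(Packet(yahoo, 80, john, 51000, frozenset({"ACK"})), "in", t + 0.4))
    # 6. Long after the idle timeout the entry is gone, so a late packet is refused.
    d.append(fw.filter(Packet(yahoo, 80, john, 51000, frozenset({"ACK"})), "in", t + 1000))
    return d


if __name__ == "__main__":
    for verdict, reason in run_demo():
        print(verdict, "-", reason)
```

Step 3 is the check that matters: matching on "the packet is from www.yahoo.com" alone would admit it, matching on the full tuple does not. Step 6 shows why entries must expire, since a state table that only ever grows is both a memory-exhaustion target and a way for stale entries to keep admitting traffic.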
Of course, this all happens at blinding speed. On the average modern
computer, WinRoute Firewall can handle millions of packets like this every
Where's the "inspection" in all of that?
WinRoute Firewall has to "inspect" the headers of each packet to see where it
came from and where it's going to: source and destination addresses and ports,
the protocol, and for TCP the flags (SYN, ACK, FIN, RST) that say which stage of
the connection the packet belongs to. Only with that information can it decide
whether the packet matches a connection it already knows about.