**Brief explanation of connection tracking**A stateful firewall inspects packet headers and records connection state (e.g., SYN, ESTABLISHED, FIN) in a state table. For TCP it tracks the 5-tuple (src IP, src port, dst IP, dst port, protocol) plus sequence/ack hints and state (SYN_SENT, ESTABLISHED, FIN_WAIT). Packets matching an existing entry are allowed according to that entry’s policy without re-evaluating full ACL logic.**Conceptual rule set (not vendor-specific)**text
1. allow from internal_net any to any tcp established
2. allow from internal_net any to any tcp syn # allow outbound connection attempts
3. allow from internal_net any to any udp # allow outbound UDP
4. allow from any any to internal_net related,established # implicit by state table
5. deny from any any to internal_net # block unsolicited inbound
6. allow from internal_net any to any icmp # optional outbound ICMP
7. deny any any any # default deny
**How the state table affects traffic**- When an internal host sends TCP SYN outbound, the firewall creates a state entry (SYN_SENT). The explicit outbound rule permits the SYN and the state entry allows subsequent SYN-ACK and ACK packets from the remote host because they match the existing 5-tuple and state transitions (becoming ESTABLISHED).- An unsolicited inbound SYN from the internet has no matching state entry, so rule 5/7 blocks it.- State entries expire after inactivity or proper teardown; improper TCP teardowns may rely on timeouts.- Stateful inspection reduces rule complexity and prevents spoofed/unsolicited inbound connections while allowing return traffic for legitimate sessions.**Operational notes**- Monitor state table size; heavy NAT or high connection rates can exhaust capacity.- Tune timeouts for long-lived connections (e.g., databases, HTTP keep-alive) and consider conntrack limits and logging for blocked unsolicited attempts.