| oct2004.tar |
Keeping State

Stateful inspection is a technique whereby only the first packet in a connection is passed through the entire ruleset. If a match is found, an entry is made in a state table to record that fact, and subsequent packets in the connection are allowed through without consulting the ruleset. This has two useful advantages. First, we do not have to write rules for the return path, which simplifies our ruleset. Second, the performance of the kernel module improves, because it doesn't have to pass each and every packet through the ruleset. The use of stateful inspection is controlled by the keywords "keep state" at the end of each configuration line (see example rulesets).
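The mechanism described above, as an added Python model (not code from the original article and not how the kernel module is implemented): one rule marked keep-state admits the first packet, after which the reply passes on a state-table hit although no return-path rule exists. The names `Packet`, `StatefulFilter` and `RULES`, the first-match/default-block policy and the sample addresses are assumptions of this sketch; TCP flag tracking and state timeouts are not modelled.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    direction: str  # "in" or "out" on the filtered interface
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

# Constructed ruleset: (action, direction, proto, dport or None for any, keep_state).
# Simplification: first match wins and the default is block.
RULES = [
    ("pass", "out", "tcp", 80, True),     # plays the role of a "... keep state" line
    ("block", "in", "tcp", None, False),  # note: no pass rule for the return path
]

class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()     # state table: one key per tracked connection
        self.rule_lookups = 0  # packets that had to walk the ruleset

    @staticmethod
    def key(p):
        # Sort the endpoints so both directions of a connection share one key.
        return (p.proto, *sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def check(self, p):
        if self.key(p) in self.state:
            return "pass"  # state hit: the ruleset is not consulted
        self.rule_lookups += 1
        for action, direction, proto, dport, keep_state in self.rules:
            if (direction, proto) == (p.direction, p.proto) and dport in (None, p.dport):
                if action == "pass" and keep_state:
                    self.state.add(self.key(p))
                return action
        return "block"

# Constructed sample packets (documentation address ranges).
SYN = Packet("out", "tcp", "10.0.0.5", 40000, "192.0.2.10", 80)
REPLY = Packet("in", "tcp", "192.0.2.10", 80, "10.0.0.5", 40000)
STRAY = Packet("in", "tcp", "198.51.100.7", 80, "10.0.0.5", 40000)

if __name__ == "__main__":
    fw = StatefulFilter(RULES)
    for name, pkt in (("SYN", SYN), ("REPLY", REPLY), ("STRAY", STRAY)):
        print(name, fw.check(pkt), "ruleset walks so far:", fw.rule_lookups)
```

The inbound packet from an unrelated host still walks the ruleset and is blocked, which is why the state entry replaces a broad "pass in" rule rather than acting like one.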