A stateful or state firewall also begins with an ACL, but adds something else: a state table, which is a log of the state of various transmissions.  If a packet (inbound or outbound) matches the rules, an entry is added to the state table.  For example, the firewall receives an initial packet from internal address 10.1.2.3, destined for external address 161.150.129.166, over port 80.  It notes these parameters so that when a packet is received from 161.150.129.166, and addressed to 10.1.2.3 over port 80, the firewall is not “surprised.”  Additional packets that are part of this conversation are then allowed.  

Next time: Proxy firewalls