RE: [suse-security] SuSEfirewall2 / iptables
Connection tracking doesn't use flags to determine if a connection was started from inside or outside - and this is the big advantage over ipchains. If a packet is sent out to initiate a new connection, an entry is written to the connection table to keep track of the connection and possibly allow the reply from outside. UDP doesn't use flags either, and you can keep track of those sessions as well as ICMP's.
Actually, there is no such thing as a "UDP session." UDP is connectionless by definition and doesn't have any notion of sessions, in contrast to TCP. There are many application layer protocols that implement sessions and use UDP as their transport method, yes, but it's the applications that are session-aware, not the transport layer process. The same applies to ICMP.

Stateful filters assume that UDP is used in session fashion by allowing return traffic that matches the inverse socket pair of an allowed packet. However, they are much more susceptible to e.g. IP spoofing attacks, as there is no sequence and acknowledgement number information in UDP to check (not that they are checked in stateful TCP filters either, but they could be). There also doesn't exist any form of connection teardown, since no connection is ever established, so UDP entries in the connection table can only be removed by having them time out (unless you boldly assume that a fixed number of response packets will be received for every 'request').

The ability to grant more security in handling UDP is one of the main advantages of stateful filters compared to basic packet filters. You need to be aware of the fact that their operation is based on assumptions that are not generally true. This shouldn't mean too much of a problem for the most commonly used application layer protocols, but those are only around a handful in number. More obscure protocols or those with TCP/IP information embedded in the data are inherently more difficult to support with statefuls.

Just thought I'd throw in a couple of remarks, so people won't blindly think that stateless filters are crap and statefuls are great. The world isn't that simple.

Cheers,
Tobias
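The behaviour described in the reply above (return traffic admitted on the inverse socket pair, no teardown so entries only expire by timeout, and no sequence numbers to catch a spoofed "reply") can be seen in a toy connection table. The following is an added example written for this page; it is not code from the thread, from SuSEfirewall2 or from the Linux conntrack code. The inside prefix, the 30-second timeout, the addresses and the packet sequence are all constructed assumptions; real conntrack implementations use their own timeouts (typically a short one for unreplied entries and a longer one once a reply has been seen).

```python
"""Toy stateful UDP filter illustrating the inverse-socket-pair rule,
timeout-only expiry and the spoofing caveat. Added example; not the
original post's or any firewall project's code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    sport: int    # source UDP port
    dst: str      # destination IP
    dport: int    # destination UDP port
    ts: float     # arrival time in seconds (constructed for the demo)


UDP_TIMEOUT = 30.0  # assumed timeout; real conntrack values differ


class UdpStatefulFilter:
    """Accept outbound UDP from the inside network, record the socket pair,
    and accept inbound UDP only if it matches the inverse pair of a live
    entry. Anything else inbound is dropped."""

    def __init__(self, inside_prefix, timeout=UDP_TIMEOUT):
        self.inside_prefix = inside_prefix  # e.g. "192.168.1." (assumed)
        self.timeout = timeout
        # (src, sport, dst, dport) of the outbound packet -> last seen time
        self.table = {}

    def _is_inside(self, ip):
        return ip.startswith(self.inside_prefix)

    def _expire(self, now):
        # UDP has no FIN/RST equivalent: an entry can only leave the
        # table by timing out, never by an explicit teardown.
        for key, seen in list(self.table.items()):
            if now - seen > self.timeout:
                del self.table[key]

    def handle(self, pkt):
        self._expire(pkt.ts)
        if self._is_inside(pkt.src) and not self._is_inside(pkt.dst):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            self.table[key] = pkt.ts  # create or refresh the entry
            return "ACCEPT"
        inverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if inverse in self.table:
            # Only the 4-tuple is checked. There is nothing like a TCP
            # sequence number, so a spoofed packet carrying the right
            # source address and port is indistinguishable from a reply.
            self.table[inverse] = pkt.ts  # replies refresh the timer too
            return "ACCEPT"
        return "DROP"


def demo():
    """Run a constructed packet sequence through the filter and return
    the verdicts in order."""
    fw = UdpStatefulFilter("192.168.1.")
    packets = [
        # 1. inside host sends a DNS-style query out: creates the entry
        Packet("192.168.1.10", 5353, "8.8.8.8", 53, 0.0),
        # 2. genuine reply on the inverse socket pair
        Packet("8.8.8.8", 53, "192.168.1.10", 5353, 1.0),
        # 3. spoofed packet with the same tuple: accepted, no seq numbers
        Packet("8.8.8.8", 53, "192.168.1.10", 5353, 2.0),
        # 4. unsolicited packet from a different source: no entry, dropped
        Packet("1.2.3.4", 53, "192.168.1.10", 5353, 3.0),
        # 5. same tuple as the reply, but after the timeout: entry is gone
        Packet("8.8.8.8", 53, "192.168.1.10", 5353, 40.0),
    ]
    return [fw.handle(p) for p in packets]


if __name__ == "__main__":
    for n, verdict in enumerate(demo(), 1):
        print(n, verdict)
```

Packet 3 is the point of the caveat: the filter has no way to tell it from packet 2, so "stateful" UDP handling reduces to trusting the source address and port of whatever arrives within the timeout window. Packet 5 shows the only way an entry ever disappears.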
participants (1)
-
Reckhard, Tobias