A stateful firewall tracks traffic that uses the Transmission Control Protocol (TCP). TCP is stateful to begin with: it keeps track of its connections through the use of source and destination address, port number and IP flags.
All packets with "SYN" in their header received by the firewall are interpreted as opening new connections. The firewall drops packets that don't have "SYN" in their header unless they belong to a connection it is already tracking.
If the service requested by the client is available on the server, it will respond with a "SYN-ACK" packet which the firewall will also track.
Once the firewall receives the client's "ACK" response, it transfers the connection to the "ESTABLISHED" state as the connection has been authenticated bidirectionally. This allows tracking of future packets through the established connection.
Because TCP connections are tracked by source and destination address, port number and IP flags, all 3 options are used by a firewall to decide whether to forward or drop packets.
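The handshake tracking described above, as an added example that is not part of the original answer. It is a simplified model: the class, state names, addresses and ports are constructed for illustration, and rule policy, timeouts, sequence-number checks and connection teardown are left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset

def pkt(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))

class StatefulFirewall:
    """Tracks each TCP connection by addresses, ports and flags (hypothetical model)."""
    def __init__(self):
        self.table = {}  # (client, cport, server, sport) -> state

    def handle(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)   # key if p travels client -> server
        rev = (p.dst, p.dport, p.src, p.sport)   # key if p travels server -> client
        syn, ack = "SYN" in p.flags, "ACK" in p.flags
        if fwd in self.table:
            if self.table[fwd] == "SYN_RECEIVED" and ack and not syn:
                self.table[fwd] = "ESTABLISHED"  # client's ACK completes the handshake
                return "FORWARD"
            return "FORWARD" if self.table[fwd] == "ESTABLISHED" else "DROP"
        if rev in self.table:
            if self.table[rev] == "SYN_SENT" and syn and ack:
                self.table[rev] = "SYN_RECEIVED"  # server's SYN-ACK is tracked too
                return "FORWARD"
            return "FORWARD" if self.table[rev] == "ESTABLISHED" else "DROP"
        if syn and not ack:                       # bare SYN opens a new entry
            self.table[fwd] = "SYN_SENT"
            return "FORWARD"
        return "DROP"                             # no SYN and no tracked connection

def demo():
    # Constructed trace: documentation-range server address, arbitrary ports.
    c, s = ("10.0.0.5", 40000), ("192.0.2.10", 443)
    fw = StatefulFirewall()
    trace = [
        pkt(*c, *s, "ACK"),                   # no state yet
        pkt(*c, *s, "SYN"),
        pkt(*s, *c, "SYN", "ACK"),
        pkt(*c, *s, "ACK"),
        pkt(*s, *c, "ACK", "PSH"),            # data on the established connection
        pkt(*s, "10.0.0.5", 40001, "ACK"),    # same hosts, untracked port
    ]
    return [fw.handle(p) for p in trace], fw.table
```

The last packet differs from the tracked connection only in its destination port, which is enough for the lookup to miss and the packet to be dropped.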