Given current application protocol design, we do not believe that it is possible to implement a pure request-response firewall policy. For example, we cannot deploy request-response filters for FTP, rsh, and other protocols that require back-channel connections. UDP-based services, in general, are also not filterable: packet filters do not maintain state information about previous packets, and without that state, the filter cannot ascertain whether a given UDP packet is a response to an outstanding request.
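To make the UDP problem concrete, the following is an added example (not code from the paper or any deployed firewall) of the per-request state a filter would need: outbound datagrams register a pending request, and an inbound datagram is forwarded only if it reverses a pending, unexpired request. The inside-network prefix, timeout and sample addresses are assumptions chosen for illustration; a stateless filter, having only the packet in hand, can make no such distinction and must either admit all inbound UDP to a port or none.

```python
from dataclasses import dataclass

# Assumption for this example: the protected network is 10.0.0.0/8.
INSIDE_PREFIX = "10."


@dataclass(frozen=True)
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int
    ts: float  # arrival time in seconds (constructed sample values in tests)


class StatefulUDPFilter:
    """Request-response policy for UDP: inbound is allowed only as a reply."""

    def __init__(self, timeout: float = 30.0):
        self.timeout = timeout
        # (inside_host, inside_port, outside_host, outside_port) -> expiry time
        self.pending: dict[tuple[str, int, str, int], float] = {}

    def _expire(self, now: float) -> None:
        # Forget requests that have waited too long for a reply.
        for key in [k for k, exp in self.pending.items() if exp <= now]:
            del self.pending[key]

    def handle(self, d: Datagram) -> str:
        """Return "ALLOW" or "DROP" for one datagram, updating filter state."""
        self._expire(d.ts)
        if d.src.startswith(INSIDE_PREFIX):
            # Outbound request from inside: remember it, then forward it.
            self.pending[(d.src, d.sport, d.dst, d.dport)] = d.ts + self.timeout
            return "ALLOW"
        # Inbound: only the exact reverse of a pending request is a reply.
        key = (d.dst, d.dport, d.src, d.sport)
        if key in self.pending:
            # Strict one-reply-per-request policy; protocols that legitimately
            # send several replies would need a per-protocol relaxation here.
            del self.pending[key]
            return "ALLOW"
        return "DROP"
```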
We address these protocol limitations in our currently deployed firewall either by dropping the packets, which causes an application-level failure, or by providing application-level gateways on bastion hosts. We believe that in the medium term, protocols will have to change to address problems like spoofing and connection hijacking, as well as to accommodate IPv6. We therefore examine what additional protocol changes would allow a realistic packet filter to implement a pure request-response policy.