“Network firewalls are by far the most common. They can be
implemented on virtually any operating system that has a network
stack. The first network firewalls were (and some still are)
non-stateful – that is, each packet was examined individually, the
firewall having no concept of the packet’s larger identity. For
example, it could be the return packet from a connection
established by an internal client, or it could be a random packet
sent by an attacker.”
“This lack of state means that for outgoing connection to work
for, say, telnet, you would have to allow incoming data from the
telnet port (port 23, TCP). This means that an attacker could
simply make their data packets come from port 23 on their machine,
and they would punch right through your firewall – assuming you did
not differentiate between SYN and ACK packets, of course.”
“For connectionless protocols such as DNS, you have to create
all kinds of rules to allow internal clients to query external
servers and receive an answer. Here again, an attacker could scan
your network with relative ease.”