Does a stateful firewall allow only packets matching known active connections while rejecting others?

Prepare for the Certiport Network Security Exam. Enhance your skills with quizzes, flashcards, and comprehensive explanations. Master the topics and boost your confidence to succeed!

A stateful firewall indeed allows only packets that correspond to known active connections while rejecting others. This functionality distinguishes stateful firewalls from stateless firewalls, which inspect each packet in isolation and allow or block it without regard to any established connection.

Stateful firewalls keep track of the state of active connections by maintaining a state table, which records details of each session, including source and destination IP addresses, port numbers, and the current state of the connection. This monitoring ensures that only packets associated with valid, established connections can pass through, providing a higher level of security by reducing the risk of unauthorized access.

In contrast, other types of firewalls might not have this capability; for example, a stateless firewall evaluates packets based solely on predefined rules without considering the context of connections, which can lead to less secure configurations. Thus, the statement regarding the functionality of a stateful firewall is accurate.
