Stateless firewalls restrict or block packets based on source and destination addresses or other static values. They are not 'aware' of data flows. A stateless firewall uses simple rules that do not account for the possibility that a packet might be received by the firewall 'pretending' to be something you asked for. Stateful firewalls can watch traffic streams from end to end. They are are aware of communication paths and can implement various IP Security (IPsec) functions such as tunnels and encryption. In technical terms, this means that stateful firewalls can tell what stage a TCP connection is in (open, open sent, synchronized, synchronization acknowledge or established), it can tell if the MTU has changed, whether packets have fragmented etc.