I was playing around with this before I ditched SP2... uninstalled it 'successfully'... though upon rebooting all my apps were "not responding" so I had to format, but that's another story. Anyhow, time to get on topic.

I noticed that the SPI firewall isn't really so 'stateful'. I made a list of a few "exceptions" as they're called.... being programs that are allowed to receive inbound traffic on their listening ports. One of these "allowed" apps was the newest version of Yahoo! Messenger [ver. 6.0 Build 1671]. Anyhow, I specified this particular program as an exception and then changed its "scope..." to only allow IPs and subnets that I CHOSE to communicate with the program on my end. So, basically, I restricted the access to the program from the outside WAN to only allow the IPs that were required to connect to the service (the msg servers) and a few other IPs that were required to retrieve room listing info from the Yahoo! web servers and such.

When this program is launched, it opens a socket and listens on TCP :5101 by default, which is the application's P2P port for PMs -- allowing for potential 'direct connections' only to the people contained on your buddy list. This port was listening, and the rules were applied that nobody but those certain IPs could communicate to me through Messenger. I had a friend that was on my buddy list PM me to test whether or not his IP (being a class A 24.* IP) would be stopped from making a direct connection to me on :5101. As his IP wasn't on the allow list I figured that it would be rejected or I would be prompted that his IP address was trying to make a direct connection to me on TCP :5101.

Conclusion: It didn't happen and the connection was allowed through, regardless of my "scope..." settings. If this firewall was truly 'stateful' it wouldn't have allowed a full 3-way handshake to be performed with a machine that WASN'T on the allow-list for accepting inbound traffic (let alone full connections), regardless of the application's listening socket. The problem here is the application is 'trusted' so much as an "exception" that it appears no further stateful inspection is done (if so, very little) once the exception status is granted for the app. Too bad I didn't file a bug on this one. It's a pretty big one. I guess if I cared enough to have them fix it I would have, but I won't ever be using it again. Anybody hoping to rely on this for future security... I wouldn't hold your breath.
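One way to check the same thing without relying on a friend's PM: compare the scope configured for the exception against the connections actually established on the listening port. This is an added example, not code from the post or from Windows; the scope entries and the netstat-style lines are constructed samples, and `out_of_scope_peers` is a hypothetical helper name.

```python
"""Check whether a firewall exception's 'scope' is actually enforced.

Given the allowed-address scope configured for an exception and a
netstat-style list of connections on the application's listening port,
report every ESTABLISHED remote peer that falls outside the scope. Any
such peer means the scope was not enforced on that port. All addresses
and netstat lines below are constructed samples, not real hosts.
"""
import ipaddress
import re

# Scope for the exception: the only remote addresses/subnets that should be
# able to reach the listening port (constructed values).
SCOPE = ["198.51.100.0/24", "203.0.113.7"]

LISTEN_PORT = 5101  # Yahoo! Messenger P2P port described in the post

# Constructed sample of 'netstat -an' output in the Windows layout.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:5101           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:5101      203.0.113.7:49152      ESTABLISHED
  TCP    192.168.1.10:5101      24.0.0.55:3012         ESTABLISHED
  TCP    192.168.1.10:5101      198.51.100.20:4411     ESTABLISHED
  TCP    192.168.1.10:1055      198.51.100.20:80       TIME_WAIT
"""

def in_scope(addr, scope):
    """True if addr lies inside any host or subnet entry of the scope list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in scope)

# Matches "TCP <local-ip>:<port> <remote-ip>:<port> <STATE>" rows.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)")

def out_of_scope_peers(netstat_text, port, scope):
    """Return remote IPs with ESTABLISHED connections to 'port' that the
    configured scope should have blocked."""
    violations = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _local, lport, remote, _rport, state = m.groups()
        if int(lport) != port or state != "ESTABLISHED":
            continue
        if not in_scope(remote, scope):
            violations.append(remote)
    return violations

if __name__ == "__main__":
    bad = out_of_scope_peers(NETSTAT_SAMPLE, LISTEN_PORT, SCOPE)
    print("scope NOT enforced, out-of-scope peers:" if bad else "scope enforced", bad)
```

On a live machine, feed the real `netstat -an` output in place of the constructed sample; an empty result means every established peer on the port was inside the scope.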