Conditional stateful packet inspection?

Hi,

From what I have understood (I am not an expert at all) stateful packet inspection is the way to go for maximum security. However, it doesn't work for P2P and some other stuff. I may be way off here, but why couldn't stateful packed inspection be a setting in filter rules or even for a given application? Is it either "on" or "off" for this kind of filtering, or could you potentially have a rule that opens for BitTorrent on port 6660-6600 and have stateful packet inspection turned off for this port range in the rule? Or could you have a setting for applications that turns off stateful packet inspection for the application in question?

I may be missing something that is obvious the ones knowing a lot about firewalls and filtering. But I do not really understand why stateful packet inspection is a global setting.

 

Yes, the TCP SPI needs to work globally, considering all ports. By definition it's a global TCP feature.
Even if it would be technically possible to exclude some ports I'm sure you will find such implementation.

It's like the Steath status, this needs to be global, you can't say: I'd like to be stealth except on some ports.

Frederic