Stateful Tracking and Unexpected Responses

Another important consequence of stateful connection tracking and packet rewriting is that some RFC-mandated responses are generated by the firewall itself rather than by the sender. This lets an attacker discover and probe such a device quite efficiently. Once a connection has been dropped from the NAT state table (whether because it timed out or because one endpoint terminated it with an RST packet that never reached the other end), further traffic in that session is no longer forwarded to the recipient, as it would be by a stateless packet filter. Instead, it is handled directly by the firewall.

The TCP/IP specification mandates that a recipient reply to all unexpected ACK packets with RST, to inform the sender that ...
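To make the mechanism concrete, here is a small Python model of a stateful tracker, added as an illustration and not taken from the book or from any real firewall implementation. The state table, the idle timeout, the addresses and the TTL values are all constructed for the example; the point it shows is that, once a flow has left the table, an in-session ACK is answered with an RST originated by the firewall (carrying the firewall's own TTL) instead of being forwarded to the host behind it.

```python
"""Constructed model of stateful connection tracking (illustration only).

Two situations from the text are reproduced: a flow that expires through an
idle timeout, and a flow torn down by an RST from one endpoint that the
other endpoint never saw. In both cases the next packet of the session is
no longer forwarded; the firewall answers it itself.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    flags: str   # simplified: "SYN", "ACK" or "RST"
    ttl: int     # IP TTL as it would appear on the wire


@dataclass
class StatefulFirewall:
    timeout: int = 300                  # idle seconds before a flow is dropped (assumed value)
    own_ttl: int = 64                   # TTL stamped on packets the firewall originates (assumed)
    table: dict = field(default_factory=dict)   # (src, dst) -> time of last packet seen

    def handle(self, pkt: Packet, now: int):
        """Return ("forward", pkt), ("reply", rst) or ("drop", None)."""
        key, rkey = (pkt.src, pkt.dst), (pkt.dst, pkt.src)

        # A SYN creates a new table entry and is forwarded.
        if pkt.flags == "SYN":
            self.table[key] = now
            return ("forward", pkt)

        # Known, unexpired flow in either direction: refresh and forward.
        for k in (key, rkey):
            if k in self.table and now - self.table[k] <= self.timeout:
                if pkt.flags == "RST":
                    del self.table[k]     # endpoint tore the session down
                else:
                    self.table[k] = now
                return ("forward", pkt)

        # No usable state: the session is gone from the table. An ACK that
        # arrives now is not passed on; the firewall generates the RST itself,
        # so the reply carries the firewall's TTL, not the host's.
        self.table.pop(key, None)
        self.table.pop(rkey, None)
        if pkt.flags == "ACK":
            rst = Packet(src=pkt.dst, dst=pkt.src, flags="RST", ttl=self.own_ttl)
            return ("reply", rst)
        return ("drop", None)


def timeout_scenario():
    """Flow expires through idle timeout; later ACK gets a firewall-made RST."""
    fw = StatefulFirewall(timeout=300, own_ttl=64)
    client, server = "10.0.0.5", "192.0.2.10"       # constructed addresses
    fw.handle(Packet(client, server, "SYN", 128), now=0)
    first = fw.handle(Packet(client, server, "ACK", 128), now=100)   # still tracked
    late = fw.handle(Packet(client, server, "ACK", 128), now=1000)   # 900 s idle > timeout
    return first, late


def rst_scenario():
    """Server's RST removes the state; the client, which never saw it, keeps sending."""
    fw = StatefulFirewall(timeout=300, own_ttl=64)
    client, server = "10.0.0.5", "192.0.2.10"
    fw.handle(Packet(client, server, "SYN", 128), now=0)
    fw.handle(Packet(server, client, "RST", 64), now=10)             # state deleted
    return fw.handle(Packet(client, server, "ACK", 128), now=20)


if __name__ == "__main__":
    for label, result in (("timeout", timeout_scenario()[1]), ("rst", rst_scenario())):
        action, pkt = result
        print(label, action, pkt.flags if pkt else None, pkt.ttl if pkt else None)
```

Running the two scenarios shows the same outcome by different routes: while the flow is tracked the ACK is forwarded unchanged, but after the timeout, or after a one-sided RST, the answer comes back as an RST built by the firewall. A defender comparing the TTL of that RST with the TTL of traffic the protected host itself sends sees why the device is distinguishable from the host it fronts.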
