Internet Connection Firewall is a "stateful" firewall. A stateful firewall is one that monitors all aspects of the communications that cross its path and examines the source and the destination address of each message that the firewall handles. To prevent unsolicited traffic from the public side of the connection from entering the private side, Internet Connection Firewall keeps a table of all the communications that have originated from the computer that is running Internet Connection Firewall.

For a single computer, Internet Connection Firewall tracks traffic that originates from the computer. If you use Internet Connection Firewall in conjunction with Internet Connection Sharing, Internet Connection Firewall tracks all the traffic that originates from the computer that is running Internet Connection Firewall and Internet Connection Sharing, and tracks all the traffic that originates from private network computers. This can be an issue for e-mail programs.

Internet Connection Firewall compares all inbound traffic from the Internet to the entries in the table. Inbound Internet traffic is permitted to reach the computers in your network only if there is a matching entry in the table that shows that the communication exchange began in your computer or private network.
Communications that originate from a source outside the computer that is running Internet Connection Firewall, such as from the Internet, are dropped by the firewall unless you create an entry on the Services tab to permit passage.

Instead of sending you notifications about activity, Internet Connection Firewall silently discards unsolicited communications. This stops common hacking attempts such as port scanning. Such notifications might be sent frequently enough to become a distraction. Instead, Internet Connection Firewall can create a security log so that you can view the activity that is tracked by the firewall.

You can configure services so that unsolicited traffic from the Internet is forwarded by the computer that is running Internet Connection Firewall to the private network. For example, if you are hosting an HTTP Web server service, and you turned on the HTTP service on your computer, unsolicited HTTP traffic is forwarded by the computer that is running Internet Connection Firewall to the HTTP Web server.
Internet Connection Firewall requires operational information (known as a service definition) to permit the unsolicited Internet traffic to be forwarded to the Web server on your private network.