I don't think it is common, but I have seen it done where the cost of receiving traffic for the customer is very high, such as mobile carriers, satellite providers, some less well developed countries, etc. Consider the case that you are using a mobile carrier and are roaming, and paying $10/Mb of traffic. The kind person who had the dynamic IP address before you was using P2P software, and having a public IP address, was being used to seed a lot of connections. They're now gone, but you're now paying for all the incoming traffic (which your machine promptly drops since it is not listening for it). So in cases like this you might opt to use an APN that is firewalled, so you don't pay to receive traffic you have no interest in.

There are also content transformation devices, which do things like downsize images inline that are in web pages before you receive them. Once again, to save the customer money paying for expensive bandwidth. Lots of state involved there.

There are some large scale DDoS boxes, but they don't tend to be firewalls per se (in that you don't create access rules and the like for them). Other stateful inline devices I can think of are traffic shapers and inline transparent proxy servers.

If you divert your attention away from service providers to large enterprises, then I think you'll find some stateful firewalls handling volumes of traffic probably bigger than the largest service provider in NZ. I don't know what people like Microsoft and Google use, but chances are they have stateful firewalls doing tens of Gigabits of throughput.

-----Original Message-----
"It is not uncommon to see transparent but stateful firewalls in ISPs (without NATs) today - to avoid DoS attacks. These firewalls do a job similar to SPNATs. What is the state maintenance and processing overhead in these firewall deployments? Can we reuse any lessons from them?"
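As an added illustration of the scenario described in the reply above (not part of the original thread), the following toy connection-tracking filter shows what a firewalled APN does for a customer who inherits a recycled dynamic IP: outbound packets create flow state, inbound packets are accepted only if they match a flow the customer opened, and everything else is dropped before it is billed. It also shows the state-maintenance caveat raised in the quoted question: once a flow's entry times out, a late but legitimate reply is dropped too. All addresses, packet sizes, timestamps and the per-megabyte rate are constructed sample values; `StatefulFilter`, `simulate` and `billed_cost` are names chosen for this example.

```python
"""Toy stateful (connection-tracking) filter for a metered edge link.

Constructed example: addresses come from the documentation ranges
(203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24); sizes and times are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# A flow is identified by its 5-tuple as seen from the customer side.
FlowKey = Tuple[str, str, int, int, str]  # (src, dst, sport, dport, proto)


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    length: int       # bytes on the wire
    direction: str    # "out" = from the customer, "in" = toward the customer


@dataclass
class StatefulFilter:
    customer_ip: str
    idle_timeout: int = 60                                  # seconds of silence before state is dropped
    flows: Dict[FlowKey, int] = field(default_factory=dict)  # flow -> last-seen timestamp
    accepted_in_bytes: int = 0
    dropped_in_bytes: int = 0

    def _expire(self, now: int) -> None:
        # State maintenance: forget flows that have been idle too long.
        stale = [k for k, seen in self.flows.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.flows[k]

    def process(self, pkt: Packet, now: int) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        self._expire(now)
        if pkt.direction == "out":
            # Customer-initiated traffic creates (or refreshes) flow state.
            key = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
            self.flows[key] = now
            return True
        # Inbound: reverse the tuple and look for the flow the customer opened.
        key = (pkt.dst, pkt.src, pkt.dport, pkt.sport, pkt.proto)
        if key in self.flows:
            self.flows[key] = now
            self.accepted_in_bytes += pkt.length
            return True
        # Unsolicited inbound (e.g. leftover P2P peers aimed at a recycled IP).
        self.dropped_in_bytes += pkt.length
        return False


CUSTOMER = "203.0.113.5"  # constructed: the dynamic IP just assigned to us

# Constructed packet trace with a timestamp (seconds) for each packet.
SAMPLE_TRACE: List[Tuple[int, Packet]] = [
    (0,  Packet(CUSTOMER, "198.51.100.10", 51000, 443, "tcp", 120, "out")),   # we open HTTPS
    (1,  Packet("198.51.100.10", CUSTOMER, 443, 51000, "tcp", 1400, "in")),   # reply: matches flow
    (1,  Packet("192.0.2.77", CUSTOMER, 43210, 6881, "tcp", 1500, "in")),     # stale P2P peer
    (2,  Packet("192.0.2.78", CUSTOMER, 50555, 6881, "udp", 1200, "in")),     # another stale peer
    (90, Packet("198.51.100.10", CUSTOMER, 443, 51000, "tcp", 1400, "in")),   # legit, but flow idle > 60 s
]


def simulate(trace: List[Tuple[int, Packet]], customer_ip: str, idle_timeout: int = 60) -> Dict[str, int]:
    """Run a trace through the filter and report inbound bytes accepted vs dropped."""
    fw = StatefulFilter(customer_ip=customer_ip, idle_timeout=idle_timeout)
    for now, pkt in trace:
        fw.process(pkt, now)
    return {"accepted_in_bytes": fw.accepted_in_bytes, "dropped_in_bytes": fw.dropped_in_bytes}


def billed_cost(num_bytes: int, rate_per_mb: float) -> float:
    """Cost of receiving num_bytes at a constructed per-megabyte (10^6 bytes) rate."""
    return num_bytes / 1_000_000 * rate_per_mb


if __name__ == "__main__":
    result = simulate(SAMPLE_TRACE, CUSTOMER)
    print(result)
    print("unbilled thanks to the filter: $%.4f" % billed_cost(result["dropped_in_bytes"], 10.0))
```

Note that the last packet in the trace is a genuine reply that is dropped only because the flow entry expired; tuning `idle_timeout` trades state memory against that kind of false drop, which is the processing and state overhead the quoted question asks about.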