Stateless firewalls do not keep track of connections; they only apply simple configured rules to allow or deny each packet. A single request to the firewalled server therefore requires two rules: one to allow the inbound request to, say, a web server port, and another to allow the outbound response. This means the firewall usually has to allow all ephemeral ports (1024-65535), since one of them is randomly selected for every server response.
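The two-rule requirement described above, as an added example that is not part of the original page: a minimal stateless rule evaluator for a web server on port 80, with a small connection-tracking check added for contrast (this goes slightly beyond the text). The rule model, function names and addresses are assumptions made for illustration.

```python
from dataclasses import dataclass

EPHEMERAL = range(1024, 65536)  # the ephemeral range quoted in the text


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the firewalled server
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    direction: str
    src_ports: range
    dst_ports: range

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction
                and p.src_port in self.src_ports
                and p.dst_port in self.dst_ports)


def stateless_allow(rules, p):
    """Each packet is judged alone: allowed if any rule matches, else denied."""
    return any(r.matches(p) for r in rules)


# The two rules the paragraph describes (hypothetical rule model).
INBOUND_REQUEST = Rule("in", EPHEMERAL, range(80, 81))
OUTBOUND_RESPONSE = Rule("out", range(80, 81), EPHEMERAL)
RULES = [INBOUND_REQUEST, OUTBOUND_RESPONSE]


def tracked_allow(seen, p):
    """Contrast: outbound traffic passes only as the reply to a seen request."""
    if p.direction == "in" and INBOUND_REQUEST.matches(p):
        seen.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
        return True
    return (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in seen


# Constructed sample packets using documentation address ranges.
SERVER, CLIENT = "192.0.2.10", "198.51.100.7"
request = Packet("in", CLIENT, 51544, SERVER, 80)
response = Packet("out", SERVER, 80, CLIENT, 51544)
unsolicited = Packet("out", SERVER, 80, CLIENT, 40000)  # no request preceded it
```

With only the inbound rule the response is dropped, and with both rules the stateless filter also passes the outbound packet that answers no request, which is the cost of opening the whole ephemeral range.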