How stateful is stateful inspection?

[Lance Spitzner <spitzner () dimension net>]

Recently I've been doing alot of research into how
stateful inspection works, specifically on CP FW-1.
I was hoping some of you FW-1 savay firewall-wizards
could review the whitepaper I posted and give it a sanity
check.

I developed a PERL script that takes the FW connections
table and outputs it into human readable form.  I then 
built a variety of different packets and sent them through
the firewall.  With the PERL script, I was able to see how 
connections were established and maintained in the state 
table.  All results and source code can be found at 
http://www.enteract.com/~lspitz/fwtable.html

I'm hoping to validate (or invalidate) my findings. I
also like to think you might be able to learn something :)

Thanks!

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
Internetworking & Security Engineer
Dimension Enterprises Inc