Firewall Wizards mailing list archives
Re: Firewalls that generate new packets..
From: "Paul Melson" <pmelson () gmail com>
Date: Wed, 14 Nov 2007 22:00:57 -0500
On Nov 13, 2007 10:58 PM, Kelly Robinson <caliana1989 () gmail com> wrote:
Some firewalls, after receiving a packet, generate a new packet and populate it with data from the original, rather than forwarding the same packet that was received. What are the advantages and disadvantages of this approach? And does anyone have any examples of any firewalls that do this on the market?
Your first statement is a bit ambiguous. Are you talking specifically about IP reassembly? Because in a sense, any packet that has undergone NAT translation is a "new" packet because it has changed (albeit just 2-3 fields of the IP header) from the time it arrived to the time it was forwarded on.

So the upside to firewalls that do IP reassembly (like iptables, pf, and most of the commercial "stateful firewall" products) as well as proxy firewalls is that they serve to normalize traffic to one degree or another. They reduce the amount of control an external attacker has over the packets that are passed to your network through the firewall. The downside is that this can break crappy protocols (or even normal protocols in the case of a misconfigured firewall).

PaulM
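The normalization described in the reply above, as an added Python example that is not part of the original thread or any firewall's own code: it reassembles the fragments of one IPv4 datagram and emits a newly built packet, so overlaps, IP options and fragmentation flags chosen by the sender are not passed through. The first-copy-wins overlap policy, the minimum-TTL choice and the sample addresses are assumptions made for illustration.

```python
import struct

def checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    s = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def build(src, dst, proto, ttl, ident, payload, flags_off=0):
    """Emit a fresh 20-byte, option-free IPv4 header followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      ident, flags_off, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def normalize(fragments):
    """Reassemble one datagram's fragments and return a newly built packet."""
    buf, total, key, ttl = {}, None, None, 255
    for pkt in fragments:
        ihl = (pkt[0] & 0x0F) * 4           # original header length, options included
        _, _, tlen, ident, fo, pkt_ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
        src, dst = pkt[12:16], pkt[16:20]
        if key is None:
            key = (src, dst, proto, ident)
        elif key != (src, dst, proto, ident):
            raise ValueError("fragment belongs to a different datagram")
        data, off = pkt[ihl:tlen], (fo & 0x1FFF) * 8
        for i, b in enumerate(data):
            buf.setdefault(off + i, b)      # assumed overlap policy: first copy wins
        if not fo & 0x2000:                 # MF clear: this is the last fragment
            total = off + len(data)
        ttl = min(ttl, pkt_ttl)             # assumed policy: lowest TTL seen
    if total is None or any(i not in buf for i in range(total)):
        raise ValueError("incomplete datagram, nothing forwarded")
    src, dst, proto, ident = key
    payload = bytes(buf[i] for i in range(total))
    # Only validated fields are copied; options and fragment flags are not.
    return build(src, dst, proto, ttl, ident, payload)

# Constructed sample: two fragments of one datagram that overlap by 8 bytes.
SRC, DST = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])
FRAGS = [
    build(SRC, DST, 17, 64, 0x1234, b"A" * 16, flags_off=0x2000),  # offset 0, MF set
    build(SRC, DST, 17, 60, 0x1234, b"B" * 16, flags_off=1),       # offset 8, MF clear
]
```

The packet returned for `FRAGS` carries one unambiguous 24-byte payload, which is the point of the reply: every downstream host sees the same bytes regardless of how its own stack would have resolved the overlap.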