Firewall Wizards mailing list archives

Re: Differences between firewall-packages like FW-1 and packetfilter


From: "Dameon D. Welch-Abernathy" <dwelch () phoneboy com>
Date: Tue, 16 May 2000 10:10:16 -0700

On Tue, May 16, 2000 at 07:13:34AM -0400, Chris Brenton wrote:
 
Depending on what mood FireWall-1 is in, you can also have it do stateful
inspection of ICMP (as of 4.0).

But it's broken. It will not accept proper ICMP errors (for example
unreachable, TTL expired, etc.) back in unless you deal with it in a
static fashion. IMHO broken is no better than non-existent.

I like Bill Burns' code better in this regard. Pity Check Point didn't use
that code instead.
 
My point was CP does very little to support their own product.
Taking Joe DiPietro's white paper area off-line is a good example.

There's an updated link on my page that points to the new "Official"
location for that information. It does not require a password to get
to. It even appears to have more documents on it than the old ~joe had,
at least as near as I can tell.
 
I'm trying to broaden my own understanding of it, but I assume the 5 people
in the world you are referring to work at Check Point. :-)

You've just kind of made my point. If people like you and Lance don't
feel fluent with Inspect, what chance does the average admin have of
leveraging this "feature"?

If there were some decent documentation that was written half-way decently,
lots of people could. 
 
-- PhoneBoy


