On Mon, 2004-08-09 at 12:48, Mike O wrote:
> John,
>
> Would you mind elaborating on your comment about Netfilter's stateful engine
> being weaker than Checkpoint's? And how would the window tracking patch make
> it more secure? We have Checkpoint here and have run into problems, where
> Checkpoint has limited us in the way we do things here, and I have always
> wanted to implement netfilter but couldn't because it's open source.
<snip>

Sure, although it may reflect more of my ignorance than my sagacity :-)

From what I understand, the out-of-the-box netfilter connection tracking sets
timers for the data flow and matches source and destination information and,
for TCP, session states. It does not match the acknowledgment and sequence
numbers for TCP packets unless one adds the window tracking patch. Someone
please correct me if I am wrong.

I cannot say so authoritatively, but I believe out of the box Checkpoint does
match ACK and SEQ.

- John
--
John A. Sullivan III
Open Source Development Corporation
Financially sustainable open source development
http://www.opensourcedevelopmentcorp.com
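An added illustration, not code from this thread or from the netfilter patch itself, of what "matching ACK and SEQ" adds on top of timers, addresses and TCP state: a simplified Python version of the four in-window checks that the TCP window tracking patch applies per direction. The connection numbers, the 66000 ACK slack, and the initialisation of a direction on first sight are assumptions made for the example.

```python
from dataclasses import dataclass
M = 0xFFFFFFFF
MAXACKWINDOW = 66000  # assumed slack allowed for ACKs that lag behind the peer's data

def sdiff(a, b):  # signed distance from b to a in 32-bit sequence space (handles wrap)
    return ((a - b + (1 << 31)) & M) - (1 << 31)

@dataclass
class Side:
    end: int = 0     # highest seq+len this side has sent
    maxend: int = 0  # highest seq this side may send (peer's ack + peer's window)
    maxwin: int = 0  # largest window this side has advertised (0 = not yet seen)

class TcpWindowTracker:  # one connection; direction 0 = original, 1 = reply
    def __init__(self):
        self.side = (Side(), Side())

    def packet(self, direction, seq, ack, win, length, syn=False, has_ack=True):
        """Return True if the segment fits both windows; update state only if so."""
        s, r = self.side[direction], self.side[1 - direction]
        end = (seq + length + (1 if syn else 0)) & M
        if not has_ack:          # bare SYN carries no ACK: treat it as in range
            ack = r.end
        if s.maxwin == 0:        # first segment from this side initialises it
            s.end = s.maxend = end
            s.maxwin = win or 1
        ok = (sdiff(seq, s.maxend) <= 0                                       # I: seq upper bound
              and (r.maxwin == 0 or sdiff(end, (s.end - r.maxwin) & M) >= 0)  # II: seq lower bound
              and sdiff(ack, r.end) <= 0                                      # III: ack upper bound
              and sdiff(ack, (r.end - MAXACKWINDOW) & M) >= 0)                # IV: ack lower bound
        if ok:
            s.maxwin = max(s.maxwin, win)
            if sdiff(end, s.end) > 0:
                s.end = end
            if sdiff((ack + win) & M, r.maxend) > 0:
                r.maxend = (ack + win) & M
        return ok

def established_connection():  # constructed handshake: client ISN 1000/win 8192, server ISN 5000/win 65535
    t = TcpWindowTracker()
    assert t.packet(0, 1000, 0, 8192, 0, syn=True, has_ack=False)  # SYN
    assert t.packet(1, 5000, 1001, 65535, 0, syn=True)             # SYN/ACK
    assert t.packet(0, 1001, 5001, 8192, 0)                         # ACK
    return t

def check_after_handshake():  # constructed segments: one in-window, two spoofed
    t = established_connection()
    return (t.packet(0, 1001, 5001, 8192, 100),     # True: data inside the advertised window
            t.packet(0, 5001001, 5001, 8192, 100),  # False: seq far beyond maxend (check I)
            t.packet(0, 1101, 1005001, 8192, 10))   # False: ACKs data the server never sent (III)
```

check_after_handshake() shows the effect: the spoofed segments carry the right addresses, ports and connection state, so plain state tracking would pass them, and only the sequence and acknowledgment checks reject them.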