In some mail from Brent Chapman, they said:
[...]
> >Do any stateful packet filters examine the content of the packet and
> >have enough of an understanding of the given protocol to reject such
> >packets?
>
> No, not as far as I know.
Andrew Molitar's paper at Usenix on `their' packet filter described
filtering out the FTP RETR command, for example. (Left the proceedings
at work, else I'd know the title of the paper).
> >Is it always _possible_ to do so?
>
> I doubt it.
If you're prepared to reassemble IP packets to do it, as required, yes.
I haven't checked, but it is probably not amongst the recommended options
for IP gateways/routers.
If you're worried about performance, if you were using an OS such as
Solaris2 for your firewall, you might want to do what Sun have done with
telnetd/rlogind and have them work as STREAMS modules.
darren
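As an added illustration of the reassembly point made in the mail (example code, not part of Darren's message or any product it mentions): a small Python filter for an FTP control channel that orders TCP segments into a byte stream before matching commands against a deny list containing RETR. It works at the TCP segment level rather than on IP fragments, and all segments, sequence numbers and filenames are constructed for the example.

```python
# Added example, not from the original mail: reassemble an FTP control
# stream, then reject commands such as RETR. Shows why a per-packet check
# misses a command that is split across segments or arrives out of order.
from dataclasses import dataclass

DENIED_COMMANDS = {"RETR"}   # the command the mail gives as an example


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte (constructed)
    payload: bytes


def reassemble(segments, isn):
    """Order segments by sequence number and return the contiguous stream.
    Stops at the first hole; bytes already seen (retransmits) are trimmed."""
    stream, expected = b"", isn
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq > expected:                      # hole: wait for more data
            break
        if seg.seq + len(seg.payload) <= expected:  # entirely old data
            continue
        stream += seg.payload[expected - seg.seq:]
        expected = seg.seq + len(seg.payload)
    return stream


def denied_commands(stream):
    """Return each complete CRLF-terminated FTP line whose verb is denied."""
    hits = []
    for line in stream.split(b"\r\n")[:-1]:         # drop trailing partial line
        verb = line.split(b" ", 1)[0].upper().decode("ascii", "replace")
        if verb in DENIED_COMMANDS:
            hits.append(line.decode("ascii", "replace"))
    return hits


def per_packet_hits(segments):
    """Naive filter: inspect each segment on its own, with no reassembly."""
    return [s.payload for s in segments if s.payload.upper().startswith(b"RETR")]


# Constructed sample: "RETR report.txt" split over two segments, out of order.
ISN = 1000
SAMPLE = [Segment(ISN + 2, b"TR report.txt\r\n"),
          Segment(ISN, b"RE"),
          Segment(ISN + 17, b"QUIT\r\n")]

if __name__ == "__main__":
    print(per_packet_hits(SAMPLE))                    # [] : per-packet check misses it
    print(denied_commands(reassemble(SAMPLE, ISN)))   # ['RETR report.txt']
```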