>It is a misrepresentation to say that state-based filtering mechanisms
>provide security anywhere near the superior security offered by proxy-based
>firewalls. My biggest beef with 'state-based firewalls' is that a
>state-based filter cannot rewrite packets, it passes packets through,
>leaving the internal network exposed to various packet attacks. A
>state-based filter also does not have the application code to intelligently
>filter application commands.
Now there's an appropriately named paragraph :)

Now, do you mean "can't" or "don't"? Naturally, an SPF *can* do anything
that a proxy could. It has the whole packet, it can do whatever it wants
to with it. It can re-write the whole packet, and can have any application
code desired to filter anything.

If you meant to state that the current SPF implementations don't filter
much, that is a bit more correct.