In some mail from Ryan Russell, sie said:
> Traditional packet filters can only forward based on information
> in the current packet. SPFs can make forwarding decisions
> based on previous packets. That's why they are called stateful,
> and that's why they are better than a regular packet filter. Now,
> that aside..
That's going a bit far. I wouldn't claim that all such filtering is
"stateful". They simply have tables with details about previous packets
and whether or not to let further ones through based on a comparison of
the two. What I think you intended to say was how Checkpoint have defined
that term to mean.
> Paul, I think you're overstating how different a SPF is from
> an AG, at least in terms of the end result. The mechanism
> for getting the packet through the gateway is different
> between the two, but the end result of the packet format is
> nearly the same. Both will modify the source and destination
> addresses (depending if the packet is going out or in) and
> the sequences numbers, and the port numbers. That leaves very
> little of the headers that aren't changed (I'll cover the exceptions in
> a sec.) If a packet goes through an AG and and SPF,
> what the packet looks like will be roughly the same.
You've pretty much over simplified what they do and don't modify and
managed to get your details, below, quite wrong.
> So, If I look at the flags available in a TCP header, The only ones
> that wouldn't normally get automatically modified by an SPF are
> URG and PSH.
Why would that be ? Packet filters really shouldn't touch those bits...
You really should read up some more on TCP and watch how it works, Stevens
Vol II would be good...
> Windows size would probably stay the same, and
> the checksum obviously gets recalculated. There would also be an
> OOB data pointer if that flag was set. In effect, and AG would
> automatically strip those two bits off (and some won't strip off
> the PSH flag, as it might be needed, as in Telnet) and the
> OOB data if present and not needed, but would otherwise
> be the same and the packet going through the SPF?
Dear me. An AG will set the PSH (Push) bit independant of whether
or not it was set in the packet received.
If the AG has be written to ignore urgent data, then the urgent pointer
and URG (urgent) flag will be cleared - not directly but the result
will be in them being cleared.
Part of the fundamental differences between AG's and packet filters is
that packet filters will forward entire packets, largely unchanged if
there is no need for NAT, whereas the AG destroys the old packets and
sends out new ones (effectively).