Date: Wed, 23 Sep 1998 20:38:13 +1000 (EST)
From: Darren Reed <avalon@coombs.anu.edu.au>
To: spork@super-g.com (spork)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: performance comparision of ipfilter and ipfw
Message-ID: <199809231038.DAA27526@hub.freebsd.org>
In-Reply-To: <Pine.BSF.4.00.9809221623200.17145-100000@super-g.inch.com> from "spork" at Sep 22, 98 04:27:07 pm
In some mail from spork, sie said:
>
> Darren,
>
> I must admit I've been brainwashed by Checkpoint and their "stateful
> inspection" rhetoric.
>
> Could you briefly explain some of the differences between ipfilter's state
> mechanism and the checkpoint version?  Am I correct in assuming that they
> are basically the same at many levels?

Similar in idea (at the TCP level) but that's about it.  Checkpoint's SPF
(they claim) operates at ISO layers 3-7, which I find somewhat bogus, whereas
IP Filter only works at 3 & 4.

The "best" difference I know of is that Checkpoint has a "quick" expiry for
connections (they may not follow the TCP FSM at all :/) and as a result, in
order to "pick up" connections that have "idled out", let dataless ACK packets
through the firewall (I'm not sure if you can turn off this behaviour) and
recreate the session if an ACK is returned.

IP Filter, on the other hand, has a large expiry for "established" connections
(5 days) and follows the TCP FSM and won't let through ACKs just because
they're a stray ACK and might be part of a connection it doesn't know about
(of course this can be countered but I'm assuming a "sane" config).

An interesting outcome of this is that FW-1 doesn't necessarily know all the
"active" connections through it at any given moment.

Darren
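The two behaviours Darren contrasts (a firewall that follows the TCP FSM with a long idle timer versus one with a short timer that passes stray dataless ACKs and rebuilds the session when the peer answers) can be simulated with a toy connection tracker. The block below is an added example written for this archive page; it is not IP Filter or FireWall-1 code, and the addresses, the one-hour "quick" expiry for pickup mode, the handshake/FIN handling and the `Tracker`/`Packet` names are all assumptions made for illustration. The 5-day established timeout in strict mode is the figure from the mail.

```python
"""Toy stateful TCP tracker with two policies (constructed example, not IP Filter/FW-1 code).

"strict": state is created only by an inside-initiated SYN, a simplified TCP FSM is
          followed, ESTABLISHED entries idle out after 5 days, stray ACKs are dropped.
"pickup": every entry idles out after one hour (assumed); a dataless ACK with no
          matching state is passed and the session is recreated if an ACK comes back.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional

DAY = 86400


class State(Enum):
    SYN_SENT = "syn_sent"
    ESTABLISHED = "established"
    CLOSING = "closing"      # one side has sent FIN
    PICKUP = "pickup"        # pickup mode only: stray ACK passed, waiting for the reply


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: frozenset        # subset of {"SYN", "ACK", "FIN", "RST"}
    payload: int = 0        # data bytes carried
    t: float = 0.0          # arrival time in seconds


@dataclass
class Entry:
    state: State
    last: float             # time of last packet seen
    origin: str             # host that created the entry
    fin_from: Optional[str] = None


class Tracker:
    def __init__(self, mode, inside):
        assert mode in ("strict", "pickup")
        self.mode, self.inside, self.table = mode, set(inside), {}

    def timeout(self, state):
        if self.mode == "pickup":
            return 3600                                   # assumed "quick" expiry
        return {State.ESTABLISHED: 5 * DAY}.get(state, 120)

    def expire(self, now):
        for k, e in list(self.table.items()):
            if now - e.last > self.timeout(e.state):
                del self.table[k]

    def active(self):
        return {k for k, e in self.table.items() if e.state is State.ESTABLISHED}

    def handle(self, p):
        self.expire(p.t)
        k = frozenset((p.src, p.dst))
        e = self.table.get(k)
        f = p.flags
        if e is None:
            if f == {"SYN"} and p.src in self.inside:     # new outbound connection
                self.table[k] = Entry(State.SYN_SENT, p.t, p.src)
                return "pass"
            if self.mode == "pickup" and f == {"ACK"} and p.payload == 0:
                self.table[k] = Entry(State.PICKUP, p.t, p.src)   # stray ACK let through
                return "pass"
            return "drop"                                 # strict: unknown packet
        if "RST" in f:
            del self.table[k]
            return "pass"
        reply = p.src != e.origin
        if e.state is State.SYN_SENT:
            if reply and f == {"SYN", "ACK"}:
                e.state = State.ESTABLISHED
            elif reply or f != {"SYN"}:                   # only a retransmitted SYN is ok
                return "drop"
        elif e.state is State.PICKUP:
            if reply and "ACK" in f:
                e.state = State.ESTABLISHED               # peer answered: session recreated
            else:
                return "drop"
        elif e.state is State.ESTABLISHED:
            if "SYN" in f:
                return "drop"
            if "FIN" in f:
                e.state, e.fin_from = State.CLOSING, p.src
        elif e.state is State.CLOSING and "FIN" in f and p.src != e.fin_from:
            del self.table[k]                             # both sides closed
            return "pass"
        e.last = p.t
        return "pass"


def stray_ack(mode):
    """An outside host sends a bare ACK with no prior handshake."""
    tr = Tracker(mode, inside={"10.0.0.5"})
    return tr.handle(Packet("203.0.113.9", "10.0.0.5", frozenset({"ACK"}), 0, 0.0))


def idle_resume(mode, idle):
    """Handshake, `idle` seconds of silence, then a dataless ACK probe from the client,
    the peer's ACK, and a data segment. Returns (table knew the connection, verdicts)."""
    tr = Tracker(mode, inside={"10.0.0.5"})
    c, s = "10.0.0.5", "198.51.100.7"
    for pkt in (Packet(c, s, frozenset({"SYN"}), 0, 0.0),
                Packet(s, c, frozenset({"SYN", "ACK"}), 0, 0.1),
                Packet(c, s, frozenset({"ACK"}), 0, 0.2)):
        assert tr.handle(pkt) == "pass"
    t = 0.2 + idle
    tr.expire(t)
    known = bool(tr.active())
    verdicts = (tr.handle(Packet(c, s, frozenset({"ACK"}), 0, t)),
                tr.handle(Packet(s, c, frozenset({"ACK"}), 0, t + 0.1)),
                tr.handle(Packet(c, s, frozenset({"ACK"}), 100, t + 0.2)))
    return known, verdicts


if __name__ == "__main__":
    for mode in ("strict", "pickup"):
        print(mode, "stray ACK:", stray_ack(mode))
        print(mode, "resume after 2h:", idle_resume(mode, 2 * 3600))
        print(mode, "resume after 6d:", idle_resume(mode, 6 * DAY))
```

Running it shows the trade-off in the mail: after two idle hours the pickup tracker has already forgotten the connection (it "doesn't know all the active connections"), yet the traffic still flows because the dataless ACK is let through and the reply recreates the session; the strict tracker still holds the entry. The same leniency means a bare ACK from an unknown outside host is passed in pickup mode and dropped in strict mode. Past the 5-day limit the strict tracker drops the resumed flow until a fresh SYN is seen, which is the cost of following the FSM.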
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199809231038.DAA27526>