One issue that happened many years ago was that certain Windows TCP/
IP implementations would allocate the packet in memory and then write
the outgoing data into the allocated space.

The remainder of the packet (MTU - data_length) would contain
whatever garbage was lying around the sending computer's memory
space. Over time, this would leak large portions of memory out the
network port.

A firewall that copied data into a fresh, initialized packet would
avoid this information leak.

I can't see any disadvantages to using this approach. Packets with
improper length and header information would be truncated or dropped
by the firewall, and that's probably a good thing.


On Nov 13, 2007, at 7:58 PM, Kelly Robinson wrote:

> Some firewalls, after receiving a packet, generate a new packet and
> populate it with data from the original, rather than forwarding the
> same packet that was received. What are the advantages and
> disadvantages of this approach? And does anyone have any examples
> of any firewalls that do this on the market?
> Thanks
> - k
> _______________________________________________
> firewall-wizards mailing list

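The leak the reply describes, and the regenerating firewall's fix, as an added Python model (not code from the list, from any Windows TCP/IP stack, or from any real firewall). The Ethernet and IPv4 field offsets are real; the reused sender buffer, the "secret" left in it, and the placeholder addresses are constructed for the demonstration.

```python
import struct

ETH_HDR_LEN = 14                  # Ethernet II header: dst MAC, src MAC, EtherType
IPV4_HDR_LEN = 20                 # minimal IPv4 header, no options
MIN_FRAME_LEN = 60                # minimum Ethernet frame length without the FCS
TOTAL_LEN_OFF = ETH_HDR_LEN + 2   # IPv4 "total length" field sits at IP bytes 2-3

def build_leaky_frame(payload: bytes, scratch: bytearray) -> bytes:
    """Constructed model of the faulty sender: header and payload are written
    into a reused buffer, and the bytes needed to reach the minimum frame
    length are whatever the buffer already held."""
    total_len = IPV4_HDR_LEN + len(payload)
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"   # placeholder MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")  # checksum left 0 here
    frame = eth + ip + payload
    scratch[:len(frame)] = frame          # nothing clears scratch[len(frame):]
    return bytes(scratch[:max(len(frame), MIN_FRAME_LEN)])

def wire_padding(frame: bytes) -> bytes:
    """Bytes that went on the wire beyond what the IP header says is packet."""
    total_len = struct.unpack_from("!H", frame, TOTAL_LEN_OFF)[0]
    return frame[ETH_HDR_LEN + total_len:]

def regenerate_frame(frame: bytes):
    """Regenerating-firewall model: copy only the declared bytes into a
    freshly zeroed buffer. Returns None (drop) when the declared length is
    impossible, the truncate-or-drop behaviour the reply mentions."""
    if len(frame) < ETH_HDR_LEN + IPV4_HDR_LEN:
        return None
    total_len = struct.unpack_from("!H", frame, TOTAL_LEN_OFF)[0]
    end = ETH_HDR_LEN + total_len
    if total_len < IPV4_HDR_LEN or end > len(frame):
        return None
    fresh = bytearray(max(end, MIN_FRAME_LEN))   # bytearray(n) is all zeros
    fresh[:end] = frame[:end]
    return bytes(fresh)

if __name__ == "__main__":
    # Constructed secret left in the sender's buffer by an earlier operation.
    scratch = bytearray(b"SECRET-KEY-MATERIAL-" * 3)
    leaky = build_leaky_frame(b"hi", scratch)
    print("padding on the wire:", wire_padding(leaky))
    print("after the firewall: ", wire_padding(regenerate_frame(leaky)))
```

The same check (declared length versus received length) is what makes the firewall drop packets with bogus length fields, so the privacy fix and the sanity check come from one copy.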