On Wed, Nov 14, 2007 at 02:58:37PM +1100, Kelly Robinson wrote:
> Some firewalls, after receiving a packet, generate a new packet and populate
> it with data from the original, rather than forwarding the same packet that
> was received. What are the advantages and disadvantages of this approach?
> And does anyone have any examples of any firewalls that do this on the
> market?

I guess all proxying firewalls like the original fwtk do this.


Your firewall is more trusted not to do funky stuff
that might upset internal servers.

Directly concomitant disadvantage:

The packet may not be an entirely faithful
version of the original (besides the obvious
source addr/port)
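To make the trade-off concrete, here is an added example (not code from the thread or from fwtk) of the "regenerate rather than forward" idea applied to an application-layer request: the proxy parses the original into plain data, then emits a fresh message from an allow-list of fields. The sample request, the `ALLOWED_HEADERS` set and the function names are constructed for this illustration.

```python
# Constructed sample request as a proxying firewall might receive it: it
# carries an unusual header the internal server would otherwise have to parse.
RAW_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: internal.example\r\n"
    b"X-Odd-Header: " + b"A" * 40 + b"\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)

# Hypothetical allow-list: only these header names survive regeneration.
ALLOWED_HEADERS = {"host", "connection", "content-length", "content-type"}


def parse_request(raw: bytes):
    """Break the original into plain fields (the 'data from the original')."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def rebuild_request(raw: bytes) -> bytes:
    """Generate a brand-new request from the parsed fields.

    Advantage: anything not understood (odd headers, stray bytes, unusual
    formatting) never reaches the internal server.  Disadvantage: the result
    is a normalised copy, not a faithful reproduction of what was received.
    """
    method, target, version, headers, body = parse_request(raw)
    kept = {k: v for k, v in headers.items() if k in ALLOWED_HEADERS}
    out = f"{method} {target} {version}\r\n"
    for name in sorted(kept):            # canonical order and capitalisation
        out += f"{name.title()}: {kept[name]}\r\n"
    return out.encode("ascii") + b"\r\n" + body


def is_faithful(raw: bytes) -> bool:
    """True only when regeneration happens to reproduce the input byte for byte."""
    return rebuild_request(raw) == raw
```

Running `is_faithful(RAW_REQUEST)` returns False, which is exactly the point of the disadvantage above: the server sees a cleaned-up request, and anything that depended on the original's exact bytes (the unknown header, its ordering) is gone.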

