On Nov 13, 2007 10:58 PM, Kelly Robinson wrote:
> Some firewalls, after receiving a packet, generate a new packet and populate
> it with data from the original, rather than forwarding the same packet that
> was received. What are the advantages and disadvantages of this approach?
> And does anyone have any examples of any firewalls that do this on the
> market?

Your first statement is a bit ambiguous. Are you talking specifically
about IP reassembly? Because in a sense, any packet that has
undergone NAT translation is a "new" packet because it has changed
(albeit just 2-3 fields of the IP header) from the time it arrived to
the time it was forwarded on.

So the upside to firewalls that do IP reassembly (like iptables, pf,
and most of the commercial "stateful firewall" products) as well as
proxy firewalls is that they serve to normalize traffic to one degree
or another. They reduce the amount of control an external attacker
has over the packets that are passed to your network through the

The downside is that this can break crappy protocols (or even normal
protocols in the case of a misconfigured firewall).
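As an added illustration (not part of the thread or of any firewall's code), a constructed, simplified reassembler showing the normalization the reply describes: it rebuilds a datagram from its fragments and drops any set whose overlapping fragments disagree, since forwarding such a set would leave the receiver's view of the datagram up to the external sender. The `Fragment` class, `reassemble` function and byte-granular offsets are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed, simplified model of IP fragments: offset is in bytes rather
# than the 8-byte units of the real IP header, and only the payload is kept.
@dataclass
class Fragment:
    offset: int     # position of this payload within the original datagram
    more: bool      # the "more fragments" (MF) flag
    payload: bytes

def reassemble(frags: List[Fragment]) -> Tuple[Optional[bytes], Optional[str]]:
    """Return (datagram, None) when the fragments form one unambiguous
    datagram, or (None, reason) when a normalizing firewall should drop them."""
    seen = {}            # byte offset -> byte value
    total = None         # datagram length, known once the MF=0 fragment arrives
    for f in frags:
        end = f.offset + len(f.payload)
        if not f.more:
            if total is not None and total != end:
                return None, "conflicting last fragments"
            total = end
        for pos, b in enumerate(f.payload, start=f.offset):
            if pos in seen and seen[pos] != b:
                # Overlap that disagrees: receiving stacks resolve this in
                # different ways, so the sender, not the firewall, would
                # decide what the host sees. Drop instead of forwarding.
                return None, f"conflicting overlap at byte {pos}"
            seen[pos] = b
    if total is None:
        return None, "last fragment missing"
    if sorted(seen) != list(range(total)):
        return None, "hole or data past end"
    return bytes(seen[i] for i in range(total)), None

# Constructed samples: a clean split, an agreeing overlap, a disagreeing one.
CLEAN = [Fragment(0, True, b"GET /ind"), Fragment(8, False, b"ex.html")]
AGREE = [Fragment(0, True, b"AAAAAAAA"), Fragment(4, False, b"AAAABBBB")]
CONFLICT = [Fragment(0, True, b"AAAAAAAA"), Fragment(4, False, b"BBBBBBBB")]

if __name__ == "__main__":
    for name, frags in (("clean", CLEAN), ("agree", AGREE), ("conflict", CONFLICT)):
        print(name, reassemble(frags))
```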

