> Timothy Shea wrote:
> What I believe you are referring to when you talk about
> "generate a new packet ... " is a proxy firewall. This is a
> piece of code that will take the original packet, suck out
> the contents, (the content may be inspected at this point but
> rarely happens), build a new packet, blow the content back
> into the new packet, and send it along its way

Sorry Timothy, but if you are referring to proxy firewalls, the content *has to* be
inspected because proxies are at the application level...

The received packet goes all the way up the stack from IP to the application level
(HTTP, SMTP, FTP, whatever...), then into an application gateway (it's just a new
word for a proxy, and it's the part which analyzes, or inspects, the packet
content's compliance with the protocol definition and the security rules to
enforce), then a new protocol data unit goes out of the application gateway and is
sent down the stack to the IP level.
So, it's a whole new packet going out of the proxy firewall.

Usually, deep packet inspection firewalls (a flavor of packet filters) do what
you describe.
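
The application-gateway flow described in this message, sketched for HTTP as an added example that is not part of the original post: the request is parsed at the application level, checked against the protocol grammar and a few security rules, and the outgoing message is built from the parsed fields only. The function names, the allowed-method list and the strict header rules are assumptions made for illustration.

```python
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST"}             # assumed site policy
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")   # RFC 9110 "token"
BAD_CHAR = re.compile(r"[^\t\x20-\x7e]")              # not TAB / printable ASCII

class Rejected(Exception):
    """The request breaks the protocol definition or a security rule."""

def inspect_request(raw: bytes):
    """Parse the client's bytes up to the application level and check them."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    if not sep or any(BAD_CHAR.search(line) for line in lines):
        raise Rejected("malformed header section")   # stray CR/LF, NUL, 8-bit
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        raise Rejected("malformed request line")
    method, target, _version = parts
    if method not in ALLOWED_METHODS:
        raise Rejected("method not permitted")
    if not target.startswith("/") or ".." in target.split("/"):
        raise Rejected("target not permitted")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        key = name.lower()
        if not colon or not TOKEN.fullmatch(name) or key in headers:
            raise Rejected("malformed or repeated header")  # strict by choice
        headers[key] = value.strip(" \t")
    length = headers.get("content-length", "0")
    if "host" not in headers or "transfer-encoding" in headers:
        raise Rejected("Host required, chunked bodies not handled here")
    if not length.isdigit() or int(length) != len(body):
        raise Rejected("body length mismatch")
    return method, target, headers, body

def rebuild_request(method, target, headers, body) -> bytes:
    """Build the outgoing PDU from parsed fields only, never the input bytes."""
    out = [f"{method} {target} HTTP/1.1"]
    out += [f"{k.title()}: {v}" for k, v in sorted(headers.items())]
    return "\r\n".join(out).encode("ascii") + b"\r\n\r\n" + body

def gateway(raw: bytes) -> bytes:
    """What leaves the proxy is a new message, not the one that arrived."""
    return rebuild_request(*inspect_request(raw))

# Constructed sample input: odd header case and padding, as a client might send.
SAMPLE = b"GET /index.html HTTP/1.0\r\nhOsT:   www.example.com  \r\nx-a:\t1\r\n\r\n"
```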

