I was just reading an article comparing the performance of open-source firewalls (IPtables, IPfilter, and PF). There is some interesting information in it.
http://www.benzedrine.cx/pf-paper.html IPtables was the best performing stateless firewall, but was not tested for stateful packet inspection, because "it does not perform proper state tracking". This was news to me. I was wondering if anyone on the list had some insight on this? I did some reading at http://www.iptables.org/ and found that there is a patch that "allows netfilter do TCP connection tracking according to the article Real Stateful TCP Packet Filtering in IP Filter by Guido van Rooij. It supports window scaling, and can now handle already established connections." Here is a link to the paper they refer to: http://www.usenix.org/events/sec01/invitedtalks/rooij.pdf
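To make concrete what "proper state tracking" buys over a stateless rule, here is an added, simplified model of the window-tracking idea from the van Rooij paper, written for this post and not taken from the paper, IP Filter or netfilter. It keeps per-direction sequence bookkeeping (td_end, td_maxend, td_maxwin, td_scale) and applies the four window checks in the form netfilter's tcp-window-tracking code documents them, with RST/FIN/SACK handling left out. The MAXACKWINCONST value, the packet trace (a handshake with window scaling, some data, and two forged segments) and the `! --syn` comparison function are constructed here for illustration.

```python
"""Simplified TCP window tracking (van Rooij / netfilter style) versus a
stateless "! --syn" test.  Added example; constants and trace are constructed."""
from dataclasses import dataclass

MAXACKWINCONST = 66000   # slack for check IV (assumption; netfilter uses a constant of this name)


@dataclass
class Packet:
    """A parsed TCP segment. direction 0 = client->server, 1 = server->client."""
    direction: int
    seq: int
    ack: int
    win: int            # raw window field, before scaling
    length: int = 0     # payload bytes
    syn: bool = False
    ack_flag: bool = True
    wscale: int = 0     # window-scale option carried on a SYN (0 = not offered)


@dataclass
class Side:
    td_end: int = 0     # highest seq+len this side has sent
    td_maxend: int = 0  # highest ack+win the peer has offered this side
    td_maxwin: int = 0  # largest window this side advertised (0 = nothing seen yet)
    td_scale: int = 0   # window-scale shift this side negotiated


def stateless_established(p: Packet) -> bool:
    """All a stateless '-p tcp ! --syn -j ACCEPT' rule can know: anything but a bare SYN passes."""
    return not (p.syn and not p.ack_flag)


class WindowTracker:
    def __init__(self, honor_window_scale=True):
        self.sides = (Side(), Side())
        self.honor_window_scale = honor_window_scale  # False models a tracker that ignores RFC 1323

    def accept(self, p: Packet) -> bool:
        sender, receiver = self.sides[p.direction], self.sides[1 - p.direction]
        end = p.seq + p.length + (1 if p.syn else 0)    # a SYN consumes one sequence number
        if sender.td_maxwin == 0:                        # first segment from this side
            sender.td_end = end
            sender.td_maxwin = max(p.win, 1)
            if p.syn:
                sender.td_maxend = end
                sender.td_scale = p.wscale if self.honor_window_scale else 0
                if receiver.td_maxwin and not (sender.td_scale and receiver.td_scale):
                    sender.td_scale = receiver.td_scale = 0   # scaling only if both SYNs offered it
            else:                                        # picked up mid-connection, history lost
                sender.td_maxend = end + sender.td_maxwin
                if receiver.td_maxwin == 0:
                    receiver.td_end = receiver.td_maxend = p.ack
        seq = p.seq
        ack = p.ack if p.ack_flag else receiver.td_end   # no ACK flag: treat as acking all seen
        if seq == end:                                   # no payload: judge it on its ack only
            seq = end = sender.td_end
        win = p.win if p.syn else p.win << sender.td_scale
        ok = (seq <= sender.td_maxend                                                    # I
              and (receiver.td_maxwin == 0 or end >= sender.td_end - receiver.td_maxwin)  # II
              and ack <= receiver.td_end                                                 # III
              and ack >= receiver.td_end - max(sender.td_maxwin, MAXACKWINCONST))        # IV
        if ok:
            sender.td_maxwin = max(sender.td_maxwin, win)
            sender.td_end = max(sender.td_end, end)
            if ack + win > receiver.td_maxend:
                receiver.td_maxend = ack + win + (1 if win == 0 else 0)
        return ok


# Constructed trace: handshake with window scaling (client shift 7, server shift 2),
# some data, then two segments an off-path attacker might forge.
TRACE = [
    Packet(0, 1000, 0, 65535, syn=True, ack_flag=False, wscale=7),  # SYN
    Packet(1, 5000, 1001, 1024, syn=True, wscale=2),                # SYN/ACK, 1024-byte window
    Packet(0, 1001, 5001, 512),                                     # ACK, window 512<<7
    Packet(0, 1001, 5001, 512, length=100),                         # client data
    Packet(1, 5001, 1101, 1000),                                    # server ACK, window 1000<<2 = 4000
    Packet(0, 1101, 5001, 512, length=1400),                        # client data
    Packet(0, 2501, 5001, 512, length=1400),                        # legal only if scaling is honored
    Packet(0, 1_000_000, 5001, 512, length=10),                     # forged: seq far outside window
    Packet(1, 5001, 900_000, 1000),                                 # forged: acks data never sent
]


def stateful_decisions(honor_window_scale=True):
    tracker = WindowTracker(honor_window_scale)
    return [tracker.accept(p) for p in TRACE]


def stateless_decisions():
    return [stateless_established(p) for p in TRACE]


if __name__ == "__main__":
    for name, verdicts in (("stateless ! --syn", stateless_decisions()),
                           ("window tracking", stateful_decisions()),
                           ("window tracking, scaling ignored", stateful_decisions(False))):
        print(f"{name:34} {''.join('A' if v else 'D' for v in verdicts)}")
```

The stateless rule admits both forged segments because it can only look at flags; the tracker drops them on checks I and III. The scaling-unaware variant drops the seventh, perfectly legitimate segment, which is the kind of breakage the "supports window scaling" remark in the patch description is about.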