I was just reading an article comparing the performance of opensource
firewalls (IPtables, IPfilter, and PF).  There is some interesting
information in it.
IPtables was the best performing stateless firewall, but was not tested for
stateful packet inspection, because "it does not perform proper state
tracking".  This was news to me.  I was wondering if anyone on the list had
some insight on this?

I did some reading at http://www.iptables.org/ and found that there is a
patch that "allows netfilter do TCP connection tracking according to the
article Real Stateful TCP Packet Filtering in IP Filter by Guido van Rooij.
It supports window scaling, and can now handle already established

Here is a link to the paper they refer to:

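To make concrete what "proper state tracking" means in the post above, here is a small Python model added as an illustration; it is not netfilter, IP Filter or PF code and every name, constant and packet in it is constructed for the example. A FlagTracker follows the three-way handshake by flags alone and then lets any ACK segment of the flow through. A WindowTracker adds the kind of check van Rooij's paper argues for: a segment is accepted only if its data lands inside the window the peer advertised (shifted by the window scale option from the peer's SYN) and it does not acknowledge data the peer has never sent. The honor_wscale switch shows why window scaling support matters: without it a legitimate 2000-byte segment is dropped because the raw 16-bit window field understates what the peer actually allowed.

```python
"""Model of TCP state tracking in a packet filter (constructed example)."""
from dataclasses import dataclass

# How far below the peer's highest ack a retransmission may still reach.
# Constructed slack value, not a netfilter or IP Filter constant.
RETRANS_SLACK = 2048
ACK = frozenset({"ACK"})


@dataclass(frozen=True)
class Segment:
    src: str             # "client" or "server"
    flags: frozenset     # subset of {"SYN", "ACK", "FIN", "RST"}
    seq: int
    ack: int
    window: int          # raw 16-bit window field, unscaled
    payload: int = 0     # data bytes carried
    wscale: int = 0      # window scale option, only meaningful on a SYN


@dataclass
class Side:
    next_seq: int = 0    # next sequence number this side should send
    max_ack: int = 0     # highest ack this side has sent so far
    window: int = 0      # last window this side advertised (unscaled)
    wscale: int = 0      # shift this side announced in its own SYN

    def scaled_window(self, honor_wscale=True):
        return self.window << self.wscale if honor_wscale else self.window


def other(side):
    return "server" if side == "client" else "client"


def seq_len(seg):
    """Sequence space a segment consumes: data plus one each for SYN and FIN."""
    return seg.payload + ("SYN" in seg.flags) + ("FIN" in seg.flags)


class FlagTracker:
    """Handshake by flags only; once established, any ACK segment passes."""

    def __init__(self):
        self.state = "NONE"

    def accept(self, seg):
        f = seg.flags
        if self.state == "NONE" and seg.src == "client" and f == {"SYN"}:
            self.state = "SYN_SENT"
        elif self.state == "SYN_SENT" and seg.src == "server" and f == {"SYN", "ACK"}:
            self.state = "SYN_RECV"
        elif self.state == "SYN_RECV" and seg.src == "client" and "ACK" in f:
            self.state = "ESTABLISHED"
        elif self.state == "ESTABLISHED" and "ACK" in f:
            pass                     # no sequence or ack validation at all
        else:
            return False
        return True


class WindowTracker(FlagTracker):
    """FlagTracker plus per-direction sequence and acknowledgement checks."""

    def __init__(self, honor_wscale=True):
        super().__init__()
        self.honor_wscale = honor_wscale
        self.sides = {"client": Side(), "server": Side()}

    def in_window(self, seg, me, peer):
        end = seg.seq + seq_len(seg)
        if end > peer.max_ack + peer.scaled_window(self.honor_wscale):
            return False             # beyond what the receiver allowed
        if end < peer.max_ack - RETRANS_SLACK:
            return False             # older than a plausible retransmission
        if "ACK" in seg.flags and seg.ack > peer.next_seq:
            return False             # acks data the peer has not sent
        return True

    def accept(self, seg):
        me, peer = self.sides[seg.src], self.sides[other(seg.src)]
        if self.state == "SYN_SENT" and seg.ack != peer.next_seq:
            return False             # SYN/ACK must ack our SYN exactly
        if self.state in ("SYN_RECV", "ESTABLISHED") and not self.in_window(seg, me, peer):
            return False
        if not super().accept(seg):
            return False
        if "SYN" in seg.flags:       # remember the sender's window scale
            me.wscale = seg.wscale
        me.next_seq = max(me.next_seq, seg.seq + seq_len(seg))
        me.window = seg.window
        if "ACK" in seg.flags:
            me.max_ack = max(me.max_ack, seg.ack)
        return True


def handshake():
    """Constructed three-way handshake: client scale 2, server scale 3."""
    return [
        Segment("client", frozenset({"SYN"}), seq=1000, ack=0, window=1000, wscale=2),
        Segment("server", frozenset({"SYN", "ACK"}), seq=5000, ack=1001, window=500, wscale=3),
        Segment("client", ACK, seq=1001, ack=5001, window=1000),
    ]


# Constructed traffic: two legitimate data segments, then two bogus ones.
FORGED = [
    Segment("client", ACK, seq=1001, ack=5001, window=1000, payload=100),
    Segment("server", ACK, seq=5001, ack=1101, window=500, payload=200),
    Segment("server", ACK, seq=900000, ack=1101, window=500, payload=10),   # far outside window
    Segment("client", ACK, seq=1101, ack=999999, window=1000),              # acks unsent data
]

# 2000 bytes fit the server's scaled window (500 << 3) but not the raw field (500).
SCALED = [Segment("client", ACK, seq=1001, ack=5001, window=1000, payload=2000)]


def compare(tracker_factory, traffic):
    """Return the accept/drop verdict for each segment of handshake + traffic."""
    tracker = tracker_factory()
    return [tracker.accept(s) for s in handshake() + traffic]


if __name__ == "__main__":
    print("flags only   :", compare(FlagTracker, FORGED))
    print("window check :", compare(WindowTracker, FORGED))
    print("no wscale    :", compare(lambda: WindowTracker(honor_wscale=False), SCALED))
```

The flag-only tracker passes all seven segments, including the two bogus ones; the window tracker drops exactly those two. Run against SCALED, the tracker that ignores the scale option drops the legitimate 2000-byte segment, which is the false-positive case the window scaling support in the patch is meant to avoid.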