I'm curious if anyone can provide some experience on something I have observed...
We have an OpenBSD 3.1 firewall protecting a public web site. We are using good hardware (Intel ISP1100 1u server / Intel Pro Ethernet adapters) by all accounts, etc. At times, the only way we have been able to get a particular user in is to make a special "pass all on port 80" rule for their IP.

My question: How well does stateful inspection work with crappy clients? Windows 95 users? Windows for Workgroups 3.11 TCP/IP stack? Macintosh 8.x TCP/IP stacks, etc? Are there cases where using stateful inspection, and not using "allow all port 80" is preventing _users on "broken old systems"_ from accessing a public site?

On one hand, you want your users to reach your site - but you also want to be secure (prevent spoofing, etc). I wondered if people knew examples of some broken client configurations that are known to cause problems.

Thank you.

Stephen Gutknecht