From: Darren Reed
Subject: Re: performance comparision of ipfilter and ipfw
To: spork@super-g.com (spork)
Date: Wed, 23 Sep 1998 20:38:13 +1000 (EST)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: from "spork" at Sep 22, 98 04:27:07 pm

In some mail from spork, sie said:
>
> Darren,
>
> I must admit I've been brainwashed by Checkpoint and their "stateful
> inspection" rhetoric.
>
> Could you briefly explain some of the differences between ipfilter's state
> mechanism and the checkpoint version? Am I correct in assuming that they
> are basically the same at many levels?

Similar in idea (at the TCP level) but that's about it. Checkpoint's SPF (they claim) operates at ISO layers 3-7, which I find somewhat bogus, whereas IP Filter only works at 3 & 4.

The "best" difference I know of is that Checkpoint has a "quick" expiry for connections (they may not follow the TCP FSM at all :/) and as a result, in order to "pickup" connections that have "idled out", let dataless through the firewall (I'm not sure if you can turn off this behaviour) ACK packets and recreate the session if an ACK is returned.

IP Filter, on the other hand, has a large expiry for "established" connections (5 days) and follows the TCP FSM and won't let through ACKs just because they're a stray ACK and might be part of a connection it doesn't know about (of course this can be countered but I'm assuming a "sane" config).

An interesting outcome of this is that FW-1 doesn't necessarily know all the "active" connections through it at any given moment.

Darren
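The two state-table policies Darren contrasts, as an added toy example that is not code from the post, from IP Filter or from FW-1: a strict table only creates state on a SYN and then follows the handshake, while a "pickup" table also creates state on a stray dataless ACK, so it can hold sessions it never saw open. Packet dicts, addresses and the direction-agnostic flow key are constructed simplifications.

```python
def _key(pkt):
    # Flow key is the endpoint pair; ports and direction are omitted (constructed simplification).
    return frozenset((pkt["src"], pkt["dst"]))

class StateTable:
    """Toy state table; pickup_stray_acks=True mimics the FW-1 behaviour described in the post."""

    def __init__(self, pickup_stray_acks=False):
        self.pickup = pickup_stray_acks
        self.state = {}  # flow key -> handshake state

    def filter(self, pkt, allow_new=True):
        """Return 'pass' or 'block', updating the table as the TCP FSM advances."""
        flags, k = pkt["flags"], _key(pkt)
        st = self.state.get(k)
        if st is None:
            if flags == {"SYN"}:                       # a genuine connection attempt
                if allow_new:
                    self.state[k] = "SYN_SENT"
                    return "pass"
                return "block"
            if self.pickup and flags == {"ACK"} and pkt.get("data", 0) == 0:
                self.state[k] = "ESTABLISHED"          # session "picked up" without a seen SYN
                return "pass"
            return "block"                             # stray packet with no state: drop
        if st == "SYN_SENT" and flags == {"SYN", "ACK"}:
            self.state[k] = "SYN_RECV"
        elif st == "SYN_RECV" and flags == {"ACK"}:
            self.state[k] = "ESTABLISHED"
        elif st == "ESTABLISHED" and "FIN" in flags:
            self.state[k] = "CLOSING"
        elif st == "CLOSING" and "FIN" in flags:
            del self.state[k]                          # both sides closed, state removed
        elif st not in ("ESTABLISHED", "CLOSING"):
            return "block"                             # out-of-sequence packet during handshake
        return "pass"

def stray_ack(pickup):
    """Feed one dataless ACK for an unknown flow; return (verdict, table size afterwards)."""
    t = StateTable(pickup)
    pkt = {"src": "10.0.0.9", "dst": "192.0.2.1", "flags": {"ACK"}, "data": 0}
    return t.filter(pkt), len(t.state)

def handshake():
    """Run a three-way handshake through a strict table; return verdicts and final state."""
    t, a, b = StateTable(), "10.0.0.5", "192.0.2.1"
    pkts = [{"src": a, "dst": b, "flags": {"SYN"}},
            {"src": b, "dst": a, "flags": {"SYN", "ACK"}},
            {"src": a, "dst": b, "flags": {"ACK"}}]
    return [t.filter(p) for p in pkts], t.state[_key(pkts[0])]

if __name__ == "__main__":
    print(handshake(), stray_ack(False), stray_ack(True))
```

The strict table blocks the stray ACK and stays empty, which is why it always knows every connection it is passing; the pickup table passes it and now carries a session it never watched being opened.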