This is a discussion on "stateful tracking" and "connection tracking" within the Linux Security forums, part of the System Security and Security Related category; Hi community, It's not clear to me the difference between "stateful tracking" and "connection tracking", ...
Hi community,
It's not clear to me the difference between "stateful tracking" and "connection tracking", the first one is said to be proper of OpenBSD PF/IPF, the second one of Gnu/Linux IPTables. Many people say IPTables offers better performance and PF/IPF offers an easier syntax, but what about proper "stateful inspection"? I do know that a personal experience is the best answer, but I'd like to know yours. Thanks a lot in advance
Dario wrote:
> Hi community,
> It's not clear to me the difference between "stateful tracking" and
> "connection tracking", the first one is said to be proper of OpenBSD
> PF/IPF, the second one of Gnu/Linux IPTables. Many people say IPTables
> offers better performance and PF/IPF offers an easier syntax, but what
> about proper "stateful inspection"? I do know that a personal
> experience is the best answer, but I'd like to know yours.
>
> Thanks a lot in advance

You are talking about two different properties.

Stateful packet filtering as used by pf and ipf is watching for all properties during a session. TCP sequence number as well as IP addresses must match those in the list before a packet is allowed in (as a reply). iptables 'only' checks the IP addresses and is therefore a little bit less strict.

Connection tracking takes care of handling complex sessions that require more than one stream, such as FTP. With connection tracking the packet filter knows that a reply will consist of multiple connections.

HTH,
EJ
--
Remove the obvious part (including the dot) for my email address.
http://www.vanwesten.net for examples of ipf and pf.
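The two mechanisms EJ contrasts, as an added toy model that is not code from this thread, from pf or from iptables: a state entry checked against addresses, ports and the TCP ack of a reply (the strict behaviour he attributes to pf/ipf), the same entry checked by addresses and ports only (the laxer behaviour he attributes to iptables), and a connection-tracking expectation that lets an active-mode FTP data stream in. The sequence handling is deliberately simplified (a reply must ack the last sent sequence number plus one), and the addresses, ports and sequence numbers are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int = 0
    ack: int = 0

@dataclass
class StateTable:
    strict: bool                    # True: also verify the TCP ack number
    states: dict = field(default_factory=dict)   # reply 4-tuple -> expected ack
    expected: set = field(default_factory=set)   # (server, client, port) tuples

    def outbound(self, p: Packet) -> None:
        """Record an outgoing packet. A valid reply mirrors the 4-tuple and
        (simplified) acknowledges the sequence number we sent plus one."""
        self.states[(p.dst, p.dport, p.src, p.sport)] = p.seq + 1

    def expect_ftp_data(self, server: str, client: str, port: int) -> None:
        """Connection-tracking helper: the client sent 'PORT <client>,<port>'
        on the control stream, so the server may open a second stream to it."""
        self.expected.add((server, client, port))

    def inbound(self, p: Packet) -> bool:
        """Allow an incoming packet only if it matches a state or an expectation."""
        want_ack = self.states.get((p.src, p.sport, p.dst, p.dport))
        if want_ack is not None:
            return (not self.strict) or p.ack == want_ack
        # No state: accept only the related data stream a helper announced.
        return p.sport == 20 and (p.src, p.dst, p.dport) in self.expected

def demo(strict: bool) -> tuple:
    """Returns (genuine reply allowed, spoofed reply allowed, FTP data allowed)."""
    t = StateTable(strict=strict)
    # Constructed addresses: 10.0.0.5 is the client, 192.0.2.10 the FTP server.
    t.outbound(Packet("10.0.0.5", 40000, "192.0.2.10", 21, seq=1000))
    genuine = Packet("192.0.2.10", 21, "10.0.0.5", 40000, seq=5000, ack=1001)
    spoofed = Packet("192.0.2.10", 21, "10.0.0.5", 40000, seq=7, ack=9999)
    t.expect_ftp_data("192.0.2.10", "10.0.0.5", 40001)
    data = Packet("192.0.2.10", 20, "10.0.0.5", 40001, seq=1)
    return t.inbound(genuine), t.inbound(spoofed), t.inbound(data)
```

With `strict=True` the spoofed reply (right addresses and ports, wrong ack) is dropped while the genuine reply and the expected FTP data stream pass; with `strict=False` the spoofed reply passes too, which is the difference in strictness EJ describes.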