7.2. Weaknesses of Packet Filtering

Stateless packet filters (cf. iptables connection tracking; cf. the stateful vs. stateless discussion).

Use of ICMP, when to block ICMP; tunneling through lax packet filters with ICMP (trinoo, ICMPchat).

Spoofed source addresses; xref binding non-local addresses.

Confounded application layer protocols like FTP and H.323.

DoS on connection tracking packet filters.

DoS on rate limiters?

7.2.1. Complex Network Layer Stateless Packet Filters