Actually, this discussion start to make aware of the difference
between "connection tracking" and "stateful inspection". :-)
> Of course, you can still use SYNs to scan the network, so they
> haven't actually won anything here, except that if their firewall
> reboots, established connections will die.
Well, if you consider a full implementation of a stateful inspection
firewall, you should be able to "hide" a network from outside without
For example, you can make up the following ruleset:
o DENY SYN from outside -> inside
o Allow NEW, ESTABLISHED, RELATED
|Internet|----|FW|----|Hidden Net w/o NAT |
On this configuration, you allow all the computers of your hidden net
to have their own IP address and you disallow any sort of scan from
outside. You can even imagine to have a web server somewhere in your
hidden network (you just have to add as first rule that you allow
all the traffic on the port 80 to this precise IP address).
This configuration can't be done with Netfilter because you are doing
what we could call "connection tracking" and not "stateful inspection".
> The confusion here comes from the "TCP connection" vs
> "connection tracking connection" distinction, which is subtle and
> usually harmless.
Harmless if you are running NAT. But, if you are trying to use Netfilter
as a complete stateful inspection firewall, then you are in trouble