> "Although the TCP sequence numbers may get sent to the log file (if
> logging is turned on for a rule), if it is not present in the "state table"
> (/proc/net/ip_conntrack), then it is not used to maintain state.
> However, I cannot verify that Firewall-1 does this as well (although any
> good firewall should), and tests conducted on older versions of
> Firewall-1 indicate that it did not use sequence numbers as part
> of state verification (and may still not use them)."
Can you explain how you're expecting sequence numbers to be used in the state table specifically? The Cisco Pix has the ability to "randomize" initial TCP sequence numbers on behalf of clients, but where's the value in that unless you have clients that do a poor job of it already?
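As an added example, not part of either message in the thread: a minimal Python model contrasting a state table keyed only on the 5-tuple with one that also verifies each segment's sequence number against the window it expects, which is what "using sequence numbers as part of state verification" amounts to. The flow key, window size and segments are constructed, and the window model is simplified (no window scaling, no SACK).

```python
# Added example (not from the thread): tuple-only versus sequence-aware
# connection tracking. All flows and segments below are constructed.
from dataclasses import dataclass

MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit and wrap around

def seq_in_window(seq: int, lo: int, width: int) -> bool:
    """True if seq lies in [lo, lo + width) under modulo-2^32 arithmetic."""
    return ((seq - lo) & MASK) < width

@dataclass
class ConnState:
    next_seq: int   # next sequence number expected from this direction
    window: int     # receive window advertised by the peer

def tuple_only_accept(table: dict, key: tuple, seq: int, length: int) -> bool:
    """Tracks only the 5-tuple: any segment matching an existing entry passes,
    whatever sequence number it carries."""
    return key in table

def seq_aware_accept(table: dict, key: tuple, seq: int, length: int) -> bool:
    """Additionally requires the segment to fall inside the expected window,
    and advances the expected sequence number on in-order data."""
    st = table.get(key)
    if st is None:
        return False
    if not seq_in_window(seq, st.next_seq, st.window):
        return False  # matches the tuple but not the connection's state
    if seq == st.next_seq:  # in-order segment: advance the expectation
        st.next_seq = (st.next_seq + length) & MASK
    return True

def run_demo() -> dict:
    """Feed constructed segments through both policies; return verdict pairs."""
    key = ("10.0.0.2", 40000, "10.0.0.1", 80, "tcp")   # constructed flow
    fresh = lambda: {key: ConnState(next_seq=1000, window=8192)}
    segs = [
        ("in_order", 1000, 100),                 # legitimate next segment
        ("far_out_of_window", 5_000_000, 100),   # right tuple, bogus seq
    ]
    results = {}
    for name, seq, length in segs:
        results[name] = (tuple_only_accept(fresh(), key, seq, length),
                         seq_aware_accept(fresh(), key, seq, length))
    # Wraparound: expected seq just below 2^32, segment just past zero is valid.
    t = {key: ConnState(next_seq=MASK - 9, window=100)}
    results["wraparound"] = (tuple_only_accept(t, key, 5, 10),
                             seq_aware_accept(t, key, 5, 10))
    return results

if __name__ == "__main__":
    for name, (tuple_ok, seq_ok) in run_demo().items():
        print(f"{name:20s} tuple-only={tuple_ok} seq-aware={seq_ok}")
```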
