> BB> DNS clients will eventually timeout and fall back to another
> BB> server, so any problems would be transient, but the packets
> BB> were legit, right?
>
> Stateful packet filters are nice. Properly written, they protect
> both inbound and outbound traffic and need to track very little
> state.

Stateful packet filtering by C sitting between A and B is a fallacy since in order for C to make an intelligent decision it may need to know the details of every possible communication protocol used by A and B.

Alex
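Added example, not part of the original thread: a minimal UDP state table for a filter C sitting between an inside host A and an outside DNS server B, run once tracking only addresses and ports and once also parsing the DNS transaction ID. The class, function names, addresses and the header-only DNS payloads are constructed for illustration.

```python
import struct
import time

class UdpStateTable:
    """Tracks outbound UDP flows and admits only inbound packets that match one."""
    def __init__(self, ttl=30.0, dns_aware=False, clock=time.monotonic):
        self.ttl, self.dns_aware, self.clock = ttl, dns_aware, clock
        self.flows = {}  # (inside_ip, inside_port, outside_ip, outside_port) -> (expiry, pending DNS ids)

    @staticmethod
    def _dns_id(payload):
        # A DNS header is 12 bytes and starts with a 16-bit transaction ID (RFC 1035).
        return struct.unpack("!H", payload[:2])[0] if len(payload) >= 12 else None

    def outbound(self, src, sport, dst, dport, payload=b""):
        key = (src, sport, dst, dport)
        entry = self.flows.get(key)
        ids = entry[1] if entry and entry[0] >= self.clock() else set()
        if self.dns_aware and dport == 53 and self._dns_id(payload) is not None:
            ids.add(self._dns_id(payload))  # protocol knowledge: remember the query ID
        self.flows[key] = (self.clock() + self.ttl, ids)

    def inbound(self, src, sport, dst, dport, payload=b""):
        key = (dst, dport, src, sport)  # reverse of the outbound tuple
        entry = self.flows.get(key)
        if entry is None or self.clock() > entry[0]:
            self.flows.pop(key, None)  # unsolicited or expired: drop
            return False
        if self.dns_aware and sport == 53:
            txid = self._dns_id(payload)
            if txid not in entry[1]:  # reply does not answer a pending query
                return False
            entry[1].discard(txid)  # one reply per query
        return True

def dns_header(txid, is_response):
    # Constructed sample: a bare 12-byte DNS header with no question section.
    return struct.pack("!HHHHHH", txid, 0x8180 if is_response else 0x0100, 0, 0, 0, 0)

def demo():
    """Returns {dns_aware: (mismatched_reply_allowed, matching_reply_allowed)}."""
    results = {}
    for aware in (False, True):
        fw = UdpStateTable(dns_aware=aware)
        fw.outbound("10.0.0.5", 40000, "192.0.2.53", 53, dns_header(0x1234, False))
        mismatched = fw.inbound("192.0.2.53", 53, "10.0.0.5", 40000, dns_header(0xBEEF, True))
        matching = fw.inbound("192.0.2.53", 53, "10.0.0.5", 40000, dns_header(0x1234, True))
        results[aware] = (mismatched, matching)
    return results
```

The address-and-port table needs one small entry per flow but cannot tell a reply with the wrong transaction ID from the real one; rejecting it requires the filter to parse DNS itself.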
