Subject: Re: SYN cookie ?
To: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
From: Andrew Brown <atatat@atatdot.net>
List: tech-kern
Date: 04/23/2001 10:16:24
>>             client           NetBSD Firewall           server
>>             ------          ----------          ------
>>    1.        SYN----------- - - - - - - - - - ->
>>    2.           <------------SYN-ACK(cookie)
>>    3.        ACK----------- - - - - - - - - - ->
>
>Now, assume that the #3 packet is dropped.
>
>At this point, the firewall using cookies has no connection state.
>
>client is waiting for the server to send something.
>
>The client now hangs forever waiting for a packet which will never
>arrive.

problem number 2: if the ack is not dropped, then this happens.

>   4.           - - - - - - -SYN--------------->
>   5.           <- - - - - - - - - ------------SYN-ACK
>   6.           - - - - - - -ACK---------------> 

which is where the actual server machine gets to respond and set up
its own connection end point.  the firewall machine will now have to
do some form of connection laundering because odds are very much
against the server responding to the client with the same isn that
the firewall did.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."
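As an added illustration that is not code from this thread or from NetBSD, here is a toy Python model of the two points raised above: a stateless cookie the firewall can verify at step 3 with no stored state, and the sequence-number translation ("laundering") it must perform once the real server answers with its own ISN at step 5. The cookie construction (keyed hash of the 4-tuple plus a coarse counter), the counter window, and the sample addresses and ISNs are all assumptions made for the example.

```python
import hmac
import hashlib

SECRET = b"constructed-firewall-secret"   # constructed sample key, assumption
MASK = 0xFFFFFFFF

def make_cookie(src, dst, sport, dport, counter):
    """Stateless SYN cookie: keyed hash of the 4-tuple plus a coarse time counter.
    The low 5 bits of the counter are folded into the top of the 32-bit ISN so
    the verifier can recover them from the returning ACK."""
    msg = f"{src}:{sport}-{dst}:{dport}-{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return ((counter & 0x1F) << 27) | (int.from_bytes(digest[:4], "big") & 0x07FFFFFF)

def check_cookie(src, dst, sport, dport, ack, now_counter, window=4):
    """Step 3: the firewall holds no state, so it recovers the counter bits from
    ack-1 and recomputes the cookie for the last few counter values.
    Returns the firewall's ISN on success, None for a bogus or stale ACK."""
    isn = (ack - 1) & MASK
    tag = isn >> 27
    for c in range(now_counter, now_counter - window, -1):
        if (c & 0x1F) == tag and make_cookie(src, dst, sport, dport, c) == isn:
            return isn
    return None

class LaunderedConnection:
    """Steps 4-6: the server picks its own ISN, which almost never matches the
    cookie the firewall handed the client, so every sequence/ack number must be
    shifted by the difference for the life of the connection."""
    def __init__(self, firewall_isn, server_isn):
        self.delta = (server_isn - firewall_isn) & MASK

    def to_client(self, server_seq):
        # server -> client: move from the server's sequence space into the cookie's
        return (server_seq - self.delta) & MASK

    def to_server(self, client_ack):
        # client -> server: the client's ACKs refer to the cookie ISN
        return (client_ack + self.delta) & MASK
```

Arithmetic is done modulo 2^32 so the translation stays correct when either ISN is near the wrap point.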