I agree.
It seems to me that placing this processing in the firewall is *potentially* dangerous, as now a SYN-flooding attack (*IF* *successful*) will deny service to everything behind the firewall, instead of just the targeted host.
If I know I can fire-hose your firewall, and take your *site* off the net, then it might become more attractive to me to "find" sufficient CPU and bandwidth resources to generate enough packets to take you out. This could "raise the stakes" enough to make it worth it to an attacker.
If someone can hose a firewall with an adaptive SYN timeout and a 100,000 or more-entry state storage structure for pending SYNs (not that any particular implementation does this that I know of or don't know of) then I *WANT* them to attack me. Something that un-subtle should be easy to track back to the source.
Tom E. Perrine (tep@SDSC.EDU) | San Diego Supercomputer Center http://www.sdsc.edu/~tep/ | Voice: +1.619.534.5000 "Ille Albus Canne Vinco Homines" - You Know Who
Avi
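A small simulation of the defence described above (an added example, not code from the thread): a pending-SYN table with a fixed timeout beside one whose timeout shrinks as the table fills, both under a constructed flood. The linear scaling policy, the capacity, the rates and the timeouts are assumptions chosen for illustration, not any real firewall's behaviour.

```python
from collections import OrderedDict

class PendingSynTable:
    def __init__(self, capacity, base_timeout, min_timeout, adaptive):
        self.capacity = capacity
        self.base_timeout = base_timeout   # hold time when the table is empty
        self.min_timeout = min_timeout     # floor the hold time can shrink to
        self.adaptive = adaptive
        self.entries = OrderedDict()       # key -> arrival time, oldest first
        self.dropped = 0

    def current_timeout(self):
        if not self.adaptive:
            return self.base_timeout
        # Assumed policy: shrink the hold time linearly as the table fills.
        fill = len(self.entries) / self.capacity
        return max(self.min_timeout, self.base_timeout * (1.0 - fill))

    def expire(self, now):
        limit = self.current_timeout()
        while self.entries:
            _, arrived = next(iter(self.entries.items()))
            if now - arrived <= limit:
                break                      # oldest is still fresh, so are the rest
            self.entries.popitem(last=False)

    def on_syn(self, key, now):
        """Record a half-open connection; return False if no slot is free."""
        self.expire(now)
        if len(self.entries) >= self.capacity:
            self.dropped += 1
            return False
        self.entries[key] = now
        return True

def run_flood(adaptive, capacity=1000, rate=500, seconds=20, base_timeout=10.0):
    """Constructed flood: `rate` spoofed SYNs/s plus one legitimate SYN per second.
    Returns (legitimate SYNs accepted, legitimate SYNs sent)."""
    table = PendingSynTable(capacity, base_timeout, 0.5, adaptive)
    accepted = 0
    for sec in range(seconds):
        for i in range(rate):
            table.on_syn(("spoofed", sec, i), sec + i / rate)
        if table.on_syn(("client", sec), sec + 0.999):
            accepted += 1
    return accepted, seconds

if __name__ == "__main__":
    print("fixed timeout:   ", run_flood(adaptive=False))
    print("adaptive timeout:", run_flood(adaptive=True))
```

With these constructed numbers the fixed-timeout table saturates within two seconds and stays full, while the adaptive table settles well below capacity and admits every legitimate SYN.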