This is an ugly, not well-tested, for-fun-only demonstration patch written for an article in the French Linux Magazine HS14.
This patch adds the sysctl /proc/sys/net/ipv4/tcp_sfswap_peer to your kernel.
Each time a TCP packet is received from or sent to the IP address written in this sysctl, its SYN and FIN flags are swapped.
If you have two hosts, 192.168.11.128 and 192.168.11.129, that run this modified kernel, you can do
host128# echo $((0x810ba8c0)) > /proc/sys/net/ipv4/tcp_sfswap_peer

and

host129# echo $((0x800ba8c0)) > /proc/sys/net/ipv4/tcp_sfswap_peer

And you'll observe this kind of TCP traffic between these two hosts:

22:37:14.012877 192.168.11.129.973 > 192.168.11.128.22: F 3582461435:3582461435(0) win 5840 <mss 1460,sackOK,timestamp 63113 0,nop,wscale 0> (DF)
22:37:14.013822 192.168.11.128.22 > 192.168.11.129.973: F 3574000041:3574000041(0) ack 3582461436 win 5792 <mss 1460,sackOK,timestamp 62280 63113,nop,wscale 0> (DF)
22:37:14.014456 192.168.11.129.973 > 192.168.11.128.22: . ack 1 win 5840 <nop,nop,timestamp 63114 62280> (DF)
22:37:14.025307 192.168.11.128.22 > 192.168.11.129.973: P 1:23(22) ack 1 win 5792 <nop,nop,timestamp 62282 63114> (DF)
22:37:14.025975 192.168.11.129.973 > 192.168.11.128.22: . ack 23 win 5840 <nop,nop,timestamp 63115 62282> (DF)
22:37:14.027644 192.168.11.129.973 > 192.168.11.128.22: P 1:23(22) ack 23 win 5840 <nop,nop,timestamp 63116 62282> (DF)
[...]
22:37:27.373903 192.168.11.129.973 > 192.168.11.128.22: . ack 1939 win 7504 <nop,nop,timestamp 63848 63013> (DF) [tos 0x10]
22:37:27.376054 192.168.11.129.973 > 192.168.11.128.22: P 659:671(12) ack 1939 win 7504 <nop,nop,timestamp 63848 63013> (DF) [tos 0x10]
22:37:27.377216 192.168.11.129.973 > 192.168.11.128.22: S 3582462106:3582462106(0) ack 3574001980 win 7504 <nop,nop,timestamp 63848 63013> (DF) [tos 0x10]
22:37:27.380129 192.168.11.128.22 > 192.168.11.129.973: S 3574001980:3574001980(0) ack 3582462107 win 5792 <nop,nop,timestamp 63014 63848> (DF) [tos 0x10]
22:37:27.380587 192.168.11.129.973 > 192.168.11.128.22: . ack 1 win 7504 <nop,nop,timestamp 63848 63014> (DF) [tos 0x10]
Thus, with this patch, most stateless firewalls, which typically rely on the SYN flag alone to tell a new connection from an established one, will be transparent for those hosts.
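The flip side of that transparency is that the swap leaves two clear artefacts in the capture above: the "handshake" segments are FINs carrying an MSS option (an option that is only valid on SYN segments), and the "teardown" segments are SYNs on a flow that has already carried payload. As an added detection-side example, not part of the original patch or article, the following Python script parses old-style tcpdump output and flags both artefacts; the sample input is the capture shown above plus one constructed, ordinary SYN on port 974 that must not be flagged. The line format, the rule names and the port 974 line are assumptions of this example.

```python
import re

# Sample input: the tcpdump capture shown on the page (two SYN/FIN-swapped
# hosts talking on port 22), followed by one CONSTRUCTED ordinary SYN on a
# fresh port (974) that a correct detector must leave alone.
SAMPLE = """\
22:37:14.012877 192.168.11.129.973 > 192.168.11.128.22: F 3582461435:3582461435(0) win 5840 <mss 1460,sackOK,timestamp 63113 0,nop,wscale 0> (DF)
22:37:14.013822 192.168.11.128.22 > 192.168.11.129.973: F 3574000041:3574000041(0) ack 3582461436 win 5792 <mss 1460,sackOK,timestamp 62280 63113,nop,wscale 0> (DF)
22:37:14.014456 192.168.11.129.973 > 192.168.11.128.22: . ack 1 win 5840 <nop,nop,timestamp 63114 62280> (DF)
22:37:14.025307 192.168.11.128.22 > 192.168.11.129.973: P 1:23(22) ack 1 win 5792 <nop,nop,timestamp 62282 63114> (DF)
22:37:14.025975 192.168.11.129.973 > 192.168.11.128.22: . ack 23 win 5840 <nop,nop,timestamp 63115 62282> (DF)
22:37:14.027644 192.168.11.129.973 > 192.168.11.128.22: P 1:23(22) ack 23 win 5840 <nop,nop,timestamp 63116 62282> (DF)
[...]
22:37:27.373903 192.168.11.129.973 > 192.168.11.128.22: . ack 1939 win 7504 <nop,nop,timestamp 63848 63013> (DF) [tos 0x10]
22:37:27.376054 192.168.11.129.973 > 192.168.11.128.22: P 659:671(12) ack 1939 win 7504 <nop,nop,timestamp 63848 63013> (DF) [tos 0x10]
22:37:27.377216 192.168.11.129.973 > 192.168.11.128.22: S 3582462106:3582462106(0) ack 3574001980 win 7504 <nop,nop,timestamp 63848 63013> (DF) [tos 0x10]
22:37:27.380129 192.168.11.128.22 > 192.168.11.129.973: S 3574001980:3574001980(0) ack 3582462107 win 5792 <nop,nop,timestamp 63014 63848> (DF) [tos 0x10]
22:37:27.380587 192.168.11.129.973 > 192.168.11.128.22: . ack 1 win 7504 <nop,nop,timestamp 63848 63014> (DF) [tos 0x10]
22:38:00.000000 192.168.11.129.974 > 192.168.11.128.22: S 1000:1000(0) win 5840 <mss 1460,sackOK,timestamp 64000 0,nop,wscale 0> (DF)
"""

# Old-style (tcpdump 3.x) TCP summary line, as printed on the page:
#   <ts> <src> > <dst>: <flags> [seq:end(len)] [ack N] win N [<opts>] ...
# "." in the flags field means "no SYN/FIN/PSH/RST" (a pure ACK).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPRW.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r" win (?P<win>\d+)"
    r"(?: <(?P<opts>[^>]*)>)?"
)


def parse(line):
    """Parse one tcpdump line into a dict, or return None for non-TCP lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["len"] = int(pkt["len"]) if pkt["len"] else 0
    pkt["opts"] = pkt["opts"] or ""
    return pkt


def detect_sfswap(capture):
    """Return a list of (timestamp, reason) for segments whose SYN/FIN usage is inconsistent."""
    findings = []
    data_seen = set()  # direction-agnostic flows that have already carried payload
    for line in capture.splitlines():
        pkt = parse(line)
        if pkt is None:
            continue
        flow = frozenset((pkt["src"], pkt["dst"]))
        flags = pkt["flags"]
        # Rule 1: the MSS option is only meaningful on SYN segments (RFC 793).
        # A FIN carrying one is a handshake segment wearing the wrong flag.
        if "F" in flags and "S" not in flags and "mss" in pkt["opts"]:
            findings.append((pkt["ts"], "FIN carrying MSS option"))
        # Rule 2: a SYN on a flow that has already exchanged payload is not a
        # connection attempt; here it is the swapped FIN of the teardown.
        if "S" in flags and flow in data_seen:
            findings.append((pkt["ts"], "SYN after data on established flow"))
        if pkt["len"] > 0:
            data_seen.add(flow)
    return findings


if __name__ == "__main__":
    for ts, reason in detect_sfswap(SAMPLE):
        print(f"{ts}  {reason}")
```

Run against the sample, the script reports the two FINs that open the session and the two SYNs that close it, and stays silent on the constructed normal SYN. Rule 1 only needs a single packet and so can live in a stateless filter too; rule 2 needs per-flow state, which is exactly what a stateful firewall keeps and a stateless one lacks.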