From owner-freebsd-hackers Thu Aug 24 22:35:16 1995
Return-Path: hackers-owner
Received: (from majordom@localhost) by freefall.FreeBSD.org (8.6.11/8.6.6) id WAA26059 for hackers-outgoing; Thu, 24 Aug 1995 22:35:16 -0700
Received: from alpha.xerox.com (alpha.Xerox.COM [13.1.64.93]) by freefall.FreeBSD.org (8.6.11/8.6.6) with SMTP id WAA26047 for ; Thu, 24 Aug 1995 22:35:13 -0700
Received: from crevenia.parc.xerox.com ([13.2.116.11]) by alpha.xerox.com with SMTP id <14893(1)>; Thu, 24 Aug 1995 22:34:31 PDT
Received: from localhost by crevenia.parc.xerox.com with SMTP id <177475>; Thu, 24 Aug 1995 22:34:26 -0700
To: Poul-Henning Kamp
cc: freebsd-hackers@freebsd.org
Subject: Re: IPFW and SCREEND
In-reply-to: Your message of "Wed, 23 Aug 95 00:18:44 PDT." <199508230718.AAA16049@freefall.FreeBSD.org>
Date: Thu, 24 Aug 1995 22:34:19 PDT
From: Bill Fenner
Message-Id: <95Aug24.223426pdt.177475@crevenia.parc.xerox.com>
Sender: hackers-owner@freebsd.org
Precedence: bulk

In message <199508230718.AAA16049@freefall.FreeBSD.org> you write:
>Actually, since all IP-nets SHALL transfer a minimum MTU of 576 (or
>thereabout), there is no reason to receive a fragment with an offset of less.

Actually, the minimum MTU in IPv6 is 576; the minimum MTU in IPv4 is 68.
68 bytes is enough to get past the transport layer ports, so you should be
able to prevent this kind of attack by dropping fragments with an offset of
less than 68.  This will still allow overwriting TCP options, but it's not
likely that a firewall is going to be filtering on them...

  Bill
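The fragment-offset rule discussed in the thread, written out as an added example. This is not code from the message, from ipfw or from screend; it is a stand-alone C filter that parses the IPv4 flags/offset word, converts the 8-byte-unit offset to bytes, and drops any non-first fragment whose offset is below the 68-byte figure Bill gives (applying that figure to the byte offset is my reading of the message). `build_ipv4()`, `frag_offset_rule()`, the `MIN_SAFE_OFFSET` constant and the sample packets are all constructed here for illustration; the packets are synthetic headers, not captures.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* IPv4 flags/fragment-offset word (header bytes 6-7), per RFC 791. */
#define IP_MF      0x2000u   /* more fragments follow */
#define IP_OFFMASK 0x1fffu   /* fragment offset, in 8-byte units */

/* Threshold taken from the message: the IPv4 minimum MTU of 68 bytes.
   Assumption (mine, not the list's): it is applied to the fragment
   offset expressed in bytes. */
#define MIN_SAFE_OFFSET 68u

enum verdict { PASS = 0, DROP = 1 };

/* Fragment offset in bytes; the on-the-wire field counts 8-byte units. */
unsigned ip_frag_offset(const uint8_t *ip)
{
    unsigned w = ((unsigned)ip[6] << 8) | ip[7];
    return (w & IP_OFFMASK) * 8u;
}

int ip_more_frags(const uint8_t *ip)
{
    unsigned w = ((unsigned)ip[6] << 8) | ip[7];
    return (w & IP_MF) != 0;
}

/* The rule proposed in the message: drop any non-first fragment whose data
   would land below byte 68 of the reassembled payload, since such a
   fragment can overwrite the transport-layer ports carried in the first
   fragment. Unfragmented datagrams and first fragments (offset 0) pass. */
enum verdict frag_offset_rule(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4 || (pkt[0] & 0x0f) * 4u > len)
        return DROP;                        /* not a usable IPv4 header */
    unsigned off = ip_frag_offset(pkt);
    if (off != 0 && off < MIN_SAFE_OFFSET)
        return DROP;
    return PASS;
}

/* Build a minimal IPv4 header plus zeroed payload into buf.
   Constructed test data, not a capture. frag_word is the raw flags/offset
   word, e.g. (IP_MF | 1) means "more fragments, offset 8 bytes". */
size_t build_ipv4(uint8_t *buf, size_t cap, uint8_t proto,
                  unsigned frag_word, size_t payload_len)
{
    size_t total = 20 + payload_len;
    if (cap < total || total > 65535)
        return 0;
    memset(buf, 0, total);
    buf[0] = 0x45;                          /* version 4, IHL 5 (no options) */
    buf[2] = (uint8_t)(total >> 8);
    buf[3] = (uint8_t)(total & 0xff);
    buf[6] = (uint8_t)(frag_word >> 8);
    buf[7] = (uint8_t)(frag_word & 0xff);
    buf[8] = 64;                            /* TTL */
    buf[9] = proto;                         /* 6 = TCP */
    /* documentation addresses: 192.0.2.1 -> 192.0.2.2 */
    buf[12] = 192; buf[13] = 0; buf[14] = 2; buf[15] = 1;
    buf[16] = 192; buf[17] = 0; buf[18] = 2; buf[19] = 2;
    /* header checksum left zero: the rule does not depend on it */
    return total;
}

int main(void)
{
    static const struct { const char *what; unsigned frag_word; } cases[] = {
        { "unfragmented TCP segment",                  0 },
        { "first fragment (offset 0, MF set)",         IP_MF | 0 },
        { "fragment at offset 8, overlaps ports",      IP_MF | 1 },
        { "fragment at offset 64, inside TCP header",  8 },
        { "last fragment at offset 72",                9 },
    };
    uint8_t pkt[128];
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t n = build_ipv4(pkt, sizeof pkt, 6, cases[i].frag_word, 32);
        printf("%-45s offset=%3u MF=%d -> %s\n", cases[i].what,
               ip_frag_offset(pkt), ip_more_frags(pkt),
               frag_offset_rule(pkt, n) == DROP ? "DROP" : "pass");
    }
    return 0;
}
```

The rule only looks at the offset word, so it is cheap enough to sit in front of every other filter rule. It addresses the overlapping-fragment case the thread is about (a later fragment rewriting the ports the first fragment carried); a first fragment that is itself too short to contain the ports is a separate case that this rule, and the message, do not cover.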