From owner-freebsd-hackers Fri Aug 25 00:02:05 1995
Return-Path: hackers-owner
Received: (from majordom@localhost) by freefall.FreeBSD.org (8.6.11/8.6.6) id AAA03239 for hackers-outgoing; Fri, 25 Aug 1995 00:02:05 -0700
Received: from alpha.xerox.com (alpha.Xerox.COM [13.1.64.93]) by freefall.FreeBSD.org (8.6.11/8.6.6) with SMTP id AAA03229 for ; Fri, 25 Aug 1995 00:02:02 -0700
Received: from crevenia.parc.xerox.com ([13.2.116.11]) by alpha.xerox.com with SMTP id <14889(2)>; Fri, 25 Aug 1995 00:01:09 PDT
Received: from localhost by crevenia.parc.xerox.com with SMTP id <177475>; Fri, 25 Aug 1995 00:01:01 -0700
To: guido@gvr.win.tue.nl (Guido van Rooij)
cc: freebsd-hackers@freebsd.org
Subject: Re: IPFW and SCREEND
In-reply-to: Your message of "Thu, 24 Aug 95 23:22:50 PDT." <199508250622.IAA08602@gvr.win.tue.nl>
Date: Fri, 25 Aug 1995 00:00:54 PDT
From: Bill Fenner
Message-Id: <95Aug25.000101pdt.177475@crevenia.parc.xerox.com>
Sender: hackers-owner@freebsd.org
Precedence: bulk

In message <199508250622.IAA08602@gvr.win.tue.nl> you write:
>you should at least make sure that you can 'look' to the
>ACK bit of the TCP header.

Right, I forgot about the stupid SYN hack (I prefer secure firewalls =). So for TCP, that means that you will potentially drop legal packets (of course, I pity the fool who uses an MTU of 68, but it's legal...).

Basically, this just means that the minimum acceptable fragment offset needs to be configurable; perhaps even differently for TCP and UDP (or TCP and everything-else)...

  Bill
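
The check discussed in this message, sketched as an added example (not code from the message, IPFW or screend): a fragment is dropped when its offset falls below a per-protocol minimum, so the bytes a filter inspects (such as the TCP ACK bit) stay in the offset-0 fragment. The names frag_policy, frag_check and mk_pkt and the 16/8-byte defaults are assumptions, as is the extra rule that a too-short first fragment is dropped as well.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum verdict { PASS = 0, DROP = 1 };

/* Hypothetical policy: how many transport-header bytes must sit in the
 * offset-0 fragment, set per protocol. 16 keeps the TCP flags byte
 * (byte 13) in view; 8 keeps the whole UDP header in view. */
struct frag_policy { unsigned min_tcp, min_other; };

enum verdict frag_check(const uint8_t *ip, size_t len, const struct frag_policy *p)
{
    if (len < 20 || (ip[0] >> 4) != 4)
        return DROP;                               /* not a usable IPv4 header */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    size_t total = ((size_t)ip[2] << 8) | ip[3];
    if (ihl < 20 || total < ihl || total > len)
        return DROP;                               /* inconsistent lengths */
    unsigned ff = ((unsigned)ip[6] << 8) | ip[7];
    unsigned more = (ff >> 13) & 1;                /* MF flag */
    size_t off = (size_t)(ff & 0x1fff) * 8;        /* fragment offset in bytes */
    size_t min = (ip[9] == 6) ? p->min_tcp : p->min_other;   /* 6 = TCP */

    if (off == 0 && !more) return PASS;            /* not a fragment */
    if (off == 0)                                  /* first fragment too short */
        return (total - ihl < min) ? DROP : PASS;  /* to hold the bytes we read */
    return (off < min) ? DROP : PASS;              /* later fragment overlaps them */
}

/* Constructed sample packet: zero-filled header and payload, no checksum. */
size_t mk_pkt(uint8_t *b, unsigned ihl, uint8_t proto, unsigned pay, unsigned off8, int mf)
{
    unsigned total = ihl * 4 + pay;
    unsigned ff = (mf ? 0x2000u : 0u) | (off8 & 0x1fffu);
    memset(b, 0, total);
    b[0] = (uint8_t)(0x40 | ihl);
    b[2] = (uint8_t)(total >> 8); b[3] = (uint8_t)(total & 0xff);
    b[6] = (uint8_t)(ff >> 8);    b[7] = (uint8_t)(ff & 0xff);
    b[8] = 64;                    b[9] = proto;
    return total;
}

int main(void)
{
    uint8_t b[128];
    struct frag_policy strict = { 16, 8 };
    size_t n = mk_pkt(b, 15, 6, 8, 1, 1);  /* MTU 68, 60-byte header: 2nd fragment at offset 8 */
    puts(frag_check(b, n, &strict) ? "DROP" : "PASS");
    return 0;
}
```

With a 60-byte IP header and an MTU of 68, the second fragment of a legal TCP packet sits at offset 8, which is the case the strict policy drops and a relaxed `{ 8, 8 }` policy lets through.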