Date: 19 Aug 1996 16:42:33 -0700
From: Paul Traina <pst@jnx.com>
To: imp@village.org (Warner Losh)
Cc: hackers@freebsd.org
Subject: Re: ipfw vs ipfilter
Message-ID: <7yu3tz6ivq.fsf@red.jnx.com>
In-Reply-To: imp@village.org's message of 18 Aug 96 16:15:05 GMT
References: imp@village.org (Warner Losh) <199608181615.KAA00454@rover.village.org>

imp@village.org (Warner Losh) writes:
> One of our paranoid villagers recently did a code review on ipfw.  He
> said it was OK, but found a couple of problems.  Specifically, the
> code lacked comments, there was a bug in the IP header fragment
> discarding code (if the offset was one, it would discard the fragment,
> but not when it was 2, it should properly discard the fragment for all
> offsets > 0 < the size of the headers).

As I wrote in RFC 1858, since filtering decisions are only performed on
information contained within the first 16 octets of the TCP header,
protecting FO>1 is uninteresting and unnecessary and further violates
RFC 791.

Paul
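The two RFC 1858 fragment checks for TCP that the reply above relies on, as an added example that is not part of the original message and is not ipfw's code: a too-short first fragment (FO=0) and any FO=1 fragment are dropped, while FO>=2 passes because it starts at octet 16. The names `frag_check`, `make_pkt` and `TMIN`, the choice to drop malformed input, and the sample packets are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { PASS = 0, DROP = 1 };
#define PROTO_TCP 6
#define TMIN 16 /* assumption: the filter reads the first 16 TCP header octets */

/* pkt: raw IPv4 packet, network byte order. Malformed input is dropped (example's choice). */
enum verdict frag_check(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return DROP;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;      /* IP header length in octets */
    size_t total = ((size_t)pkt[2] << 8) | pkt[3]; /* IP total length */
    if (ihl < 20 || total < ihl || total > len)
        return DROP;
    if (pkt[9] != PROTO_TCP)
        return PASS; /* the checks below apply to TCP only */
    unsigned fo = ((unsigned)(pkt[6] & 0x1f) << 8) | pkt[7]; /* 8-octet units */
    if (fo == 0 && total - ihl < TMIN)
        return DROP; /* first fragment too short to hold the filtered fields */
    if (fo == 1)
        return DROP; /* would overwrite octets 8..15, where the TCP flags sit */
    return PASS;     /* FO >= 2 begins at octet 16, past what the filter reads */
}

/* Constructed sample packet: 20-octet IPv4 header plus zeroed payload. */
size_t make_pkt(uint8_t *b, uint8_t proto, unsigned fo, size_t payload)
{
    size_t total = 20 + payload;
    memset(b, 0, total);
    b[0] = 0x45; /* version 4, IHL 5 */
    b[2] = (uint8_t)(total >> 8);
    b[3] = (uint8_t)(total & 0xff);
    b[6] = (uint8_t)((fo >> 8) & 0x1f);
    b[7] = (uint8_t)(fo & 0xff);
    b[9] = proto;
    return total;
}

int main(void)
{
    uint8_t b[64];
    for (unsigned fo = 0; fo <= 2; fo++)
        printf("TCP FO=%u, 8 payload octets -> %s\n", fo,
               frag_check(b, make_pkt(b, PROTO_TCP, fo, 8)) ? "DROP" : "PASS");
    return 0;
}
```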
