From owner-freebsd-hackers Mon Aug 19 16:43:53 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA27744 for hackers-outgoing; Mon, 19 Aug 1996 16:43:53 -0700 (PDT)
Received: from red.jnx.com (ppp-206-170-2-24.sntc01.pacbell.net [206.170.2.24]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA27738 for ; Mon, 19 Aug 1996 16:43:51 -0700 (PDT)
Received: (from pst@localhost) by red.jnx.com (8.7.5/8.7.3) id QAA23405; Mon, 19 Aug 1996 16:42:34 -0700 (PDT)
To: imp@village.org (Warner Losh)
cc: hackers@freebsd.org
Subject: Re: ipfw vs ipfilter
References: imp@village.org (Warner Losh) <199608181615.KAA00454@rover.village.org>
From: Paul Traina
Date: 19 Aug 1996 16:42:33 -0700
In-Reply-To: imp@village.org's message of 18 Aug 96 16:15:05 GMT
Message-ID: <7yu3tz6ivq.fsf@red.jnx.com>
Lines: 14
X-Mailer: Gnus v5.2.25/XEmacs 19.14
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

imp@village.org (Warner Losh) writes:

> One of our paranoid villagers recently did a code review on ipfw. He
> said it was OK, but found a couple of problems. Specifically, the
> code lacked comments, there was a bug in the IP header fragment
> discarding code (if the offset was one, it would discard the fragment,
> but not when it was 2; it should properly discard the fragment for all
> offsets > 0 < the size of the headers).

As I wrote in RFC 1858, since filtering decisions are only performed on
information contained within the first 16 octets of the TCP header,
protecting FO>1 is uninteresting and unnecessary and further violates
RFC 791.

Paul
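For readers who want to see the two RFC 1858 fragment checks the message is arguing about, here is an added example in C; it is not part of this thread and is not ipfw's or ipfilter's code. It parses a raw IPv4 header, applies the RFC's "direct method" (drop a TCP first fragment whose transport part is shorter than TMIN = 16 octets) and "indirect method" (drop any TCP fragment with fragment offset 1, since it would overlay octets 8..15 of the TCP header, where the flags live), and passes fragments with offset 2 or more, which is the behaviour Paul describes as sufficient. The function names `rfc1858_check` and `build_ipv4`, the verdict enum, and the hand-built test packets are all my own constructions, not anything from the page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PROTO_TCP 6
#define TCP_TMIN  16   /* octets of TCP header a filter needs to see (RFC 1858) */

enum verdict { V_PASS = 0, V_DROP_TINY, V_DROP_OVERLAP, V_DROP_MALFORMED };

struct ip_info {
    unsigned ihl;        /* header length in octets */
    unsigned total_len;  /* IP total length */
    unsigned frag_off;   /* fragment offset in 8-octet units */
    unsigned more_frags; /* MF flag */
    unsigned proto;
};

/* Parse the fixed fields of an IPv4 header (network byte order). */
static int parse_ipv4(const uint8_t *pkt, size_t len, struct ip_info *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    out->ihl = (pkt[0] & 0x0f) * 4u;
    if (out->ihl < 20 || out->ihl > len) return -1;
    out->total_len = ((unsigned)pkt[2] << 8) | pkt[3];
    if (out->total_len < out->ihl || out->total_len > len) return -1;
    unsigned ff = ((unsigned)pkt[6] << 8) | pkt[7];
    out->more_frags = (ff >> 13) & 1u;
    out->frag_off = ff & 0x1fffu;
    out->proto = pkt[9];
    return 0;
}

/* RFC 1858 checks. Only TCP is covered; other protocols pass untouched. */
enum verdict rfc1858_check(const uint8_t *pkt, size_t len)
{
    struct ip_info ip;
    if (parse_ipv4(pkt, len, &ip) != 0) return V_DROP_MALFORMED;
    if (ip.proto != PROTO_TCP) return V_PASS;

    unsigned transport_len = ip.total_len - ip.ihl;

    /* Direct method: a first fragment too small to carry ports, seq, ack
       and flags cannot be filtered on them, so drop it. */
    if (ip.frag_off == 0 && transport_len < TCP_TMIN) return V_DROP_TINY;

    /* Indirect method: FO=1 starts 8 octets in and would overwrite
       octets 8..15 of the TCP header (the flags byte is octet 13). */
    if (ip.frag_off == 1) return V_DROP_OVERLAP;

    /* FO >= 2 starts at octet 16 or later: beyond what a filter inspects. */
    return V_PASS;
}

/* Build a minimal 20-octet IPv4 header followed by plen zero octets.
   This is a constructed test input, not captured traffic. Returns the
   total length written, or 0 on bad parameters. */
size_t build_ipv4(uint8_t *buf, size_t cap, unsigned proto,
                  unsigned frag_off, int mf, unsigned plen)
{
    size_t total = 20 + plen;
    if (total > cap || total > 0xffff || frag_off > 0x1fff) return 0;
    memset(buf, 0, total);
    buf[0] = 0x45;                         /* version 4, IHL 5 */
    buf[2] = (uint8_t)(total >> 8);
    buf[3] = (uint8_t)total;
    unsigned ff = (mf ? 0x2000u : 0u) | frag_off;
    buf[6] = (uint8_t)(ff >> 8);
    buf[7] = (uint8_t)ff;
    buf[8] = 64;                           /* TTL */
    buf[9] = (uint8_t)proto;
    return total;
}

int main(void)
{
    static const char *names[] = { "pass", "drop-tiny", "drop-overlap", "drop-malformed" };
    uint8_t b[128];
    size_t n;

    n = build_ipv4(b, sizeof b, PROTO_TCP, 0, 1, 8);   /* 8-octet TCP first fragment */
    printf("FO=0 len=8  : %s\n", names[rfc1858_check(b, n)]);
    n = build_ipv4(b, sizeof b, PROTO_TCP, 1, 1, 8);   /* overlaps TCP octets 8..15 */
    printf("FO=1 len=8  : %s\n", names[rfc1858_check(b, n)]);
    n = build_ipv4(b, sizeof b, PROTO_TCP, 2, 0, 8);   /* starts at TCP octet 16 */
    printf("FO=2 len=8  : %s\n", names[rfc1858_check(b, n)]);
    return 0;
}
```

The FO=2 case passing is exactly the point of contention in the thread: the RFC's indirect rule only targets FO=1 because the first fragment is already forced (by the direct rule) to carry at least 16 octets, so only an FO=1 fragment can land on the fields a filter has inspected.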