Date: Mon, 28 Aug 1995 20:24:48 +0200 (MET DST)
From: guido@gvr.win.tue.nl (Guido van Rooij)
To: phk@critter.tfs.com (Poul-Henning Kamp)
Cc: fenner@parc.xerox.com, phk@freefall.freebsd.org, freebsd-hackers@freebsd.org
Subject: Re: IPFW and SCREEND
Message-ID: <199508281824.UAA21247@gvr.win.tue.nl>
In-Reply-To: <679.809343432@critter.tfs.com> from "Poul-Henning Kamp" at Aug 25, 95 02:37:12 am

>
> I'm pretty sure that you won't get bit by denying any fragments starting
> < 256 bytes.
>

Actually it turns out to be much simpler... Paul Traina forwarded something
about this. Just filter anything that is TCP and has an ip_off == 1.
The offset is to be shifted 3 bits. So the *only* frag that can overwrite
the TCP_FLAGS (like SYN and ACK) is one with ip_off equal to one.

-Guido
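
Added example, not part of the original message and not IPFW code: the check described above written as a C filter function, together with a loop over all 13-bit fragment offsets showing that offset 1 (byte 8 after the 3-bit shift) is the only non-first fragment that starts at or before the TCP flags byte (byte 13 of the TCP header). The function names and the 20-byte sample header are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP_OFFMASK   0x1fff /* low 13 bits of ip_off: offset in 8-byte units */
#define PROTO_TCP    6
#define TCP_FLAGS_AT 13     /* byte index of the flags within the TCP header */

/* True when a non-first fragment starts at or before the TCP flags byte. */
static int offset_reaches_flags(uint16_t ip_off)
{
    unsigned byte_off = (unsigned)(ip_off & IP_OFFMASK) << 3;
    return byte_off != 0 && byte_off <= TCP_FLAGS_AT;
}

/* Hypothetical filter hook: 1 = drop, 0 = pass to the remaining rules. */
int drop_tcp_frag(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;                       /* not an IPv4 header we can read */
    uint16_t ip_off = (uint16_t)((pkt[6] << 8) | pkt[7]);
    return pkt[9] == PROTO_TCP && offset_reaches_flags(ip_off);
}

/* Count how many of the 8192 possible offsets can reach the flags byte. */
int count_offsets_reaching_flags(void)
{
    int n = 0;
    for (unsigned off = 0; off <= IP_OFFMASK; off++)
        n += offset_reaches_flags((uint16_t)off);
    return n;
}

/* Build a constructed 20-byte IPv4 header and run the filter on it. */
int check_sample(uint8_t proto, uint16_t ip_off)
{
    uint8_t h[20] = {0x45};             /* version 4, header length 5 words */
    h[6] = (uint8_t)(ip_off >> 8);
    h[7] = (uint8_t)(ip_off & 0xff);
    h[9] = proto;
    return drop_tcp_frag(h, sizeof h);
}

int main(void)
{
    printf("offsets reaching flags: %d\n", count_offsets_reaching_flags());
    printf("TCP off=1: %d, TCP off=2: %d, UDP off=1: %d\n",
           check_sample(6, 1), check_sample(6, 2), check_sample(17, 1));
    return 0;
}
```

The flag bits in the upper part of ip_off (DF, MF) are masked off before the comparison, so a fragment with MF set and offset 1 is matched as well.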