From owner-freebsd-hackers Mon Aug 28 11:28:38 1995
Return-Path: hackers-owner
Received: (from majordom@localhost) by freefall.FreeBSD.org (8.6.11/8.6.6) id LAA18822 for hackers-outgoing; Mon, 28 Aug 1995 11:28:38 -0700
Received: from gvr.win.tue.nl (gvr.win.tue.nl [131.155.210.19]) by freefall.FreeBSD.org (8.6.11/8.6.6) with ESMTP id LAA18805 for ; Mon, 28 Aug 1995 11:28:29 -0700
Received: by gvr.win.tue.nl (8.6.10/1.53) id UAA21247; Mon, 28 Aug 1995 20:24:49 +0200
From: guido@gvr.win.tue.nl (Guido van Rooij)
Message-Id: <199508281824.UAA21247@gvr.win.tue.nl>
Subject: Re: IPFW and SCREEND
To: phk@critter.tfs.com (Poul-Henning Kamp)
Date: Mon, 28 Aug 1995 20:24:48 +0200 (MET DST)
Cc: fenner@parc.xerox.com, phk@freefall.freebsd.org, freebsd-hackers@freebsd.org
In-Reply-To: <679.809343432@critter.tfs.com> from "Poul-Henning Kamp" at Aug 25, 95 02:37:12 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Content-Length: 388
Sender: hackers-owner@freebsd.org
Precedence: bulk

>
> I'm pretty sure that you won't get bit by denying any fragments starting
> < 256 bytes.
>

Actually it turns out to be much simpler... Paul Traina forwarded something
about this. Just filter anything that is TCP and has an ip_off == 1.
The offset is to be shifted 3 bits. So the *only* frag that can overwrite
the TCP_FLAGS (like SYN and ACK) is one with ip_off equal to one.

-Guido
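The rule in the reply above, as an added illustration that is not part of the original mail and not ipfw's own code: the IPv4 fragment offset is a 13-bit field counted in 8-byte units (hence "shifted 3 bits"), so a non-first fragment with offset 1 lands on bytes 8-15 of the TCP header, which is where the flags byte (offset 13, carrying SYN/ACK) lives. Offset 0 is the first fragment that the filter actually inspects, and offset 2 or more starts at byte 16, past the flags, so offset 1 is the only overlapping case. The function names, the constructed test packets and the fixed 20-byte header builder are assumptions made for this example; the filter check itself is the one Guido describes, the same approach that RFC 1858 later wrote up.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PROTO_TCP  6
#define PROTO_UDP  17
#define IP_OFFMASK 0x1fff   /* low 13 bits of bytes 6-7: fragment offset in 8-byte units */
#define IP_MF      0x2000   /* "more fragments" bit in the same 16-bit field */

enum verdict { PASS = 0, DROP = 1 };

/* A non-first fragment whose data starts at byte 8*off can only cover the TCP
 * flags byte (offset 13 in the TCP header) when 8*off <= 13, i.e. off == 1.
 * Offset 0 is the first fragment (inspected normally); offset >= 2 starts at
 * byte 16, beyond the flags. This is the "*only* frag" observation in the mail. */
int nonfirst_frag_overlaps_tcp_flags(unsigned off) {
    return off > 0 && off * 8 <= 13;
}

/* Inspect a raw IPv4 packet and return DROP for exactly the case in the mail:
 * protocol TCP and fragment offset == 1. Everything else PASSes here; a real
 * filter would continue with its ordinary rule set. Malformed input PASSes
 * to this check only in the sense that this rule has nothing to say about it. */
enum verdict tiny_fragment_verdict(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return PASS;      /* not a full IPv4 header */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return PASS;               /* bogus header length */
    uint8_t proto = pkt[9];
    unsigned ip_off = ((unsigned)(pkt[6] << 8) | pkt[7]) & IP_OFFMASK;
    if (proto == PROTO_TCP && ip_off == 1) return DROP;
    return PASS;
}

/* Build a minimal 20-byte IPv4 header plus zero payload. Constructed test
 * input for this example only (no checksum, no options), not a real capture. */
size_t build_ipv4(uint8_t *buf, uint8_t proto, unsigned frag_off,
                  int more_frags, size_t payload_len) {
    uint16_t off_field = (uint16_t)((frag_off & IP_OFFMASK) | (more_frags ? IP_MF : 0));
    uint16_t total = (uint16_t)(20 + payload_len);
    memset(buf, 0, 20 + payload_len);
    buf[0] = 0x45;                                  /* version 4, IHL 5 (20 bytes) */
    buf[2] = (uint8_t)(total >> 8);  buf[3] = (uint8_t)(total & 0xff);
    buf[6] = (uint8_t)(off_field >> 8); buf[7] = (uint8_t)(off_field & 0xff);
    buf[8] = 64;                                    /* TTL */
    buf[9] = proto;
    buf[12] = 10; buf[15] = 1;                      /* src 10.0.0.1 (arbitrary) */
    buf[16] = 10; buf[19] = 2;                      /* dst 10.0.0.2 (arbitrary) */
    return 20 + payload_len;
}

/* Verdict for a constructed fragment of the given protocol and offset. */
enum verdict verdict_for(uint8_t proto, unsigned frag_off) {
    uint8_t pkt[64];
    size_t len = build_ipv4(pkt, proto, frag_off, 1, 8);
    return tiny_fragment_verdict(pkt, len);
}

int main(void) {
    unsigned offs[] = { 0, 1, 2 };
    for (size_t i = 0; i < 3; i++)
        printf("TCP fragment, ip_off=%u -> %s\n", offs[i],
               verdict_for(PROTO_TCP, offs[i]) == DROP ? "DROP" : "PASS");
    printf("UDP fragment, ip_off=1 -> %s\n",
           verdict_for(PROTO_UDP, 1) == DROP ? "DROP" : "PASS");
    return 0;
}
```

The check deliberately keys on the raw offset field rather than on fragment size, which is what makes it simpler than the "deny fragments starting below 256 bytes" idea being discussed: it needs no reassembly state and no knowledge of the payload, only the two header bytes that ipfw already has in hand.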