From owner-freebsd-security Sat Jun 22 10:22:07 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA20228 for security-outgoing; Sat, 22 Jun 1996 10:22:07 -0700 (PDT)
Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id KAA20217 for ; Sat, 22 Jun 1996 10:22:05 -0700 (PDT)
Message-Id: <199606221722.KAA20217@freefall.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA279424114; Sun, 23 Jun 1996 03:21:54 +1000
From: Darren Reed
Subject: Re: IPFW vs. IP Filter?
To: taob@io.org (Brian Tao)
Date: Sun, 23 Jun 1996 03:21:53 +1000 (EST)
Cc: freebsd-security@freebsd.org
In-Reply-To: from "Brian Tao" at Jun 22, 96 12:40:44 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In some mail from Brian Tao, sie said:
>
> BTW, this is in the ipfw man page:
>
> | There is one kind of packet that the firewall will always discard, that
> | is an IP fragment with a fragment offset of one. This is a valid packet,
> | but it only has one use, to try to circumvent firewalls.
>
> I assume ipfilter does this as well?

Not automatically, but you can tell it to do so. In the author's mind,
there might be occasions where you don't want to discard those packets
although you probably want to know they existed.

Darren
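
The check discussed in this thread, written out as an added example (it is not part of the original message and is not ipfw or ipfilter source): it reads the 13-bit fragment offset from an IPv4 header and either drops an offset-one fragment, as the quoted ipfw man page describes, or passes it while flagging it for logging, as the reply describes. The policy and verdict names and the sample headers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for this example; not ipfw or ipfilter options. */
enum frag1_policy { FRAG1_DROP, FRAG1_LOG_ONLY };
enum verdict { V_PASS, V_DROP, V_PASS_LOGGED, V_MALFORMED };

/* The fragment offset is the low 13 bits of header bytes 6-7 (network
 * byte order), counted in 8-byte units; the top 3 bits are flags. */
static int ipv4_frag_offset(const uint8_t *pkt, size_t len, uint16_t *off)
{
    if (len < 20 || (pkt[0] >> 4) != 4)      /* too short or not IPv4 */
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4; /* header length in bytes */
    if (ihl < 20 || ihl > len)
        return -1;
    *off = (uint16_t)(((pkt[6] << 8) | pkt[7]) & 0x1fff);
    return 0;
}

enum verdict check_frag1(const uint8_t *pkt, size_t len, enum frag1_policy p)
{
    uint16_t off;
    if (ipv4_frag_offset(pkt, len, &off) != 0)
        return V_MALFORMED;
    if (off != 1)                             /* unfragmented or other offset */
        return V_PASS;
    return p == FRAG1_DROP ? V_DROP : V_PASS_LOGGED;
}

/* Constructed 20-byte sample headers (checksums left as zero). */
static const uint8_t SAMPLE_UNFRAG[20] =      /* DF set, offset 0 */
    {0x45,0,0,40, 0,1,0x40,0x00, 64,6,0,0, 10,0,0,1, 10,0,0,2};
static const uint8_t SAMPLE_OFF1[20] =        /* last fragment, offset 1 */
    {0x45,0,0,40, 0,1,0x00,0x01, 64,6,0,0, 10,0,0,1, 10,0,0,2};
static const uint8_t SAMPLE_OFF185[20] =      /* MF set, offset 185 */
    {0x45,0,5,220, 0,1,0x20,0xb9, 64,6,0,0, 10,0,0,1, 10,0,0,2};

int main(void)
{
    printf("unfragmented: %d\n", check_frag1(SAMPLE_UNFRAG, 20, FRAG1_DROP));
    printf("offset 1, drop policy: %d\n", check_frag1(SAMPLE_OFF1, 20, FRAG1_DROP));
    printf("offset 1, log-only policy: %d\n", check_frag1(SAMPLE_OFF1, 20, FRAG1_LOG_ONLY));
    printf("offset 185: %d\n", check_frag1(SAMPLE_OFF185, 20, FRAG1_DROP));
    return 0;
}
```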