From owner-freebsd-hackers Mon Aug 21 20:30:05 1995
Return-Path: hackers-owner
Received: (from majordom@localhost) by freefall.FreeBSD.org (8.6.11/8.6.6) id UAA28765 for hackers-outgoing; Mon, 21 Aug 1995 20:30:05 -0700
Received: from rover.village.org (rover.village.org [198.137.146.49]) by freefall.FreeBSD.org (8.6.11/8.6.6) with ESMTP id UAA28751 for ; Mon, 21 Aug 1995 20:30:00 -0700
Received: from localhost (localhost [127.0.0.1]) by rover.village.org (8.6.11/8.6.6) with SMTP id VAA08415; Mon, 21 Aug 1995 21:28:10 -0600
Message-Id: <199508220328.VAA08415@rover.village.org>
To: peter@haywire.dialix.com (Peter Wemm)
Subject: Re: IPFW and SCREEND
Cc: freebsd-hackers@FreeBSD.ORG
In-reply-to: Your message of 21 Aug 1995 22:58:29 +0800
Date: Mon, 21 Aug 1995 21:28:10 -0600
From: Warner Losh
Sender: hackers-owner@FreeBSD.ORG
Precedence: bulk

: It has IP and port filtering.. Since it's on a per-interface level, it
: could be programmed to drop packets coming in that have your source
: address, in an attempt to get around your security (recent CERT advisory).

But does it have the ability to drop IP fragments that would overwrite the IP and TCP headers and thus allow traffic through that would otherwise be denied? A popular recent attack is to have an acceptable IP packet fragment go through the firewall, then to send an IP fragment that has an offset of 1 or 4 and overwrites the "OK" header with "Evil" headers that would otherwise be blocked.

ip_fil does do that, and as far as the author and our local security expert know, is the only one to do so other than recent Cisco releases.

Not to say that screend is bad, or anything like that. Just curious as to what is the state of the art.

Warner
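The check Warner is asking about, written out as an added example (this is not code from the thread, nor from ip_fil, screend or IPFW). A filter that wants to refuse the fragment-overwrite trick needs two things: stateless rules it can apply to each fragment alone (reject a first fragment too short to hold the TCP header, and reject any fragment whose offset field is 1, since an 8-byte offset can only land inside the TCP header; these are the two rules RFC 1858 later recommended), and a stateful rule across the fragments of one datagram that refuses any fragment re-covering bytes an earlier fragment already delivered. The struct, the verdict names, the 20-byte minimum and the sample fragment lists are my assumptions, constructed for illustration; offsets are in the 8-byte units the IP header uses.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FRAG_UNIT    8      /* IP Fragment Offset field counts 8-byte units */
#define TCP_HDR_MIN  20     /* assumption: a first fragment must carry a full TCP header */
#define MAX_DGRAM    65535  /* maximum IP datagram length */

/* One fragment of a TCP datagram, as a packet filter sees it (hypothetical layout). */
struct ipfrag {
    uint16_t off8;  /* Fragment Offset field, in 8-byte units */
    uint16_t len;   /* bytes of IP payload carried by this fragment */
    int      mf;    /* More Fragments flag */
};

enum verdict {
    PASS = 0,
    DROP_TINY,      /* first fragment too short to hold the whole TCP header */
    DROP_OFFSET1,   /* offset 1 can only rewrite bytes 8..15 of the TCP header */
    DROP_OVERLAP    /* fragment re-covers bytes an earlier fragment delivered */
};

/* Stateless rules, applied to each fragment on its own. */
enum verdict check_fragment_stateless(const struct ipfrag *f)
{
    if (f->off8 == 0 && f->mf && f->len < TCP_HDR_MIN)
        return DROP_TINY;
    if (f->off8 == 1)
        return DROP_OFFSET1;
    return PASS;
}

/* Stateful rule over the fragments of one datagram, in arrival order:
 * keep a bitmap of payload bytes already delivered and refuse any
 * fragment that would write one of them a second time. */
enum verdict check_fragment_sequence(const struct ipfrag *frags, size_t n)
{
    uint8_t seen[MAX_DGRAM / 8 + 1];   /* one bit per payload byte */
    memset(seen, 0, sizeof seen);

    for (size_t i = 0; i < n; i++) {
        enum verdict v = check_fragment_stateless(&frags[i]);
        if (v != PASS)
            return v;
        uint32_t start = (uint32_t)frags[i].off8 * FRAG_UNIT;
        uint32_t end   = start + frags[i].len;
        if (end > MAX_DGRAM)
            end = MAX_DGRAM;
        for (uint32_t b = start; b < end; b++) {
            if (seen[b >> 3] & (uint8_t)(1u << (b & 7)))
                return DROP_OVERLAP;
            seen[b >> 3] |= (uint8_t)(1u << (b & 7));
        }
    }
    return PASS;
}

/* Constructed fragment lists, not captured traffic: {offset/8, length, MF}. */
static const struct ipfrag SAMPLE_LEGIT[]   = { {0, 40, 1}, {5, 100, 0} };
static const struct ipfrag SAMPLE_TINY[]    = { {0,  8, 1}, {1,  32, 0} };
static const struct ipfrag SAMPLE_OFFSET1[] = { {0, 40, 1}, {1,  32, 0} };
static const struct ipfrag SAMPLE_OVERLAP[] = { {0, 40, 1}, {4,   8, 1}, {5, 100, 0} };

int main(void)
{
    static const char *names[] = { "PASS", "DROP_TINY", "DROP_OFFSET1", "DROP_OVERLAP" };
    printf("legit:    %s\n", names[check_fragment_sequence(SAMPLE_LEGIT, 2)]);
    printf("tiny:     %s\n", names[check_fragment_sequence(SAMPLE_TINY, 2)]);
    printf("offset 1: %s\n", names[check_fragment_sequence(SAMPLE_OFFSET1, 2)]);
    printf("overlap:  %s\n", names[check_fragment_sequence(SAMPLE_OVERLAP, 3)]);
    return 0;
}
```

The stateless rules are what a per-packet filter such as the one described can apply without keeping any reassembly state; the bitmap rule is the part that needs per-datagram state, which is why a filter that reassembles (or at least tracks) fragments can refuse the offset-4 case while a purely stateless one cannot.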