Date: Tue, 28 Jan 2003 14:46:16 -0500
From: Steve Shorter <steve@nomad.lets.net>
To: Darren Reed <avalon@coombs.anu.edu.au>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: The way forward.......
Message-ID: <20030128144615.A79222@nomad.lets.net>
In-Reply-To: <200301281552.CAA18768@caligula.anu.edu.au>; from avalon@coombs.anu.edu.au on Wed, Jan 29, 2003 at 02:52:53AM +1100
References: <20030127073039.U1537@woody.ops.uunet.co.za> <200301281552.CAA18768@caligula.anu.edu.au>

On Wed, Jan 29, 2003 at 02:52:53AM +1100, Darren Reed wrote:
>
> Well let me offer my completely biased opinion and say that unless you
> want/need to use dummynet, there's no reason to ever use ipfw :-)
>

Hmm ... what if I want to filter on tcpoptions. ipf supports
ipopts but I couldn't see anything about tcpoptions.

Reason .... Many SYN flood programs create packets with missing MSS.
So it is possible to filter these with the ipfw rule

    add 100 deny tcp from someplace to someother tcpoptions !mss setup

Or if I can do this with IPFilter how do I do it.

Sorry if I'm missing something.

-steve

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
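
An added illustration, not part of the original message and not ipfw's own code: the check that the rule "tcpoptions !mss setup" expresses, written as a small C parser over a raw TCP header. The function names are hypothetical and the sample headers are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TH_SYN 0x02
#define TH_ACK 0x10

/* 1 if the TCP option area holds a well-formed MSS option (kind 2, length 4). */
static int tcp_has_mss(const uint8_t *opt, size_t len)
{
    size_t i = 0;
    while (i < len) {
        uint8_t kind = opt[i];
        if (kind == 0) break;                   /* End of option list */
        if (kind == 1) { i++; continue; }       /* NOP is a single byte */
        if (i + 1 >= len) break;                /* no room for the length byte */
        uint8_t olen = opt[i + 1];
        if (olen < 2 || i + olen > len) break;  /* malformed length: stop parsing */
        if (kind == 2 && olen == 4) return 1;
        i += olen;
    }
    return 0;
}

/* 1 = SYN set, ACK clear ("setup") and no MSS; 0 = anything else; -1 = bad header. */
int syn_without_mss(const uint8_t *tcp, size_t len)
{
    if (len < 20) return -1;
    size_t hlen = (size_t)(tcp[12] >> 4) * 4;   /* data offset, in bytes */
    if (hlen < 20 || hlen > len) return -1;
    if (!(tcp[13] & TH_SYN) || (tcp[13] & TH_ACK)) return 0;
    return !tcp_has_mss(tcp + 20, hlen - 20);
}

/* Constructed sample TCP headers (port 1234 -> 80), not captured traffic. */
const uint8_t syn_mss[24]  = {4,210,0,80, 0,0,0,1, 0,0,0,0, 0x60,0x02, 255,255, 0,0, 0,0, 2,4,5,180};
const uint8_t syn_bare[20] = {4,210,0,80, 0,0,0,1, 0,0,0,0, 0x50,0x02, 255,255, 0,0, 0,0};
const uint8_t syn_nops[24] = {4,210,0,80, 0,0,0,1, 0,0,0,0, 0x60,0x02, 255,255, 0,0, 0,0, 1,1,1,0};

int main(void)
{
    printf("with MSS: %d, no options: %d, NOP padding only: %d\n",
           syn_without_mss(syn_mss, sizeof syn_mss),
           syn_without_mss(syn_bare, sizeof syn_bare),
           syn_without_mss(syn_nops, sizeof syn_nops));
    return 0;
}
```

A return value of 1 marks the segments the quoted rule would deny; SYN segments carrying MSS and all non-setup segments return 0.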
