Date: Tue, 28 Jan 2003 14:46:16 -0500
From: Steve Shorter
To: Darren Reed
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: The way forward.......
Message-ID: <20030128144615.A79222@nomad.lets.net>
References: <20030127073039.U1537@woody.ops.uunet.co.za> <200301281552.CAA18768@caligula.anu.edu.au>
In-Reply-To: <200301281552.CAA18768@caligula.anu.edu.au>; from avalon@coombs.anu.edu.au on Wed, Jan 29, 2003 at 02:52:53AM +1100

On Wed, Jan 29, 2003 at 02:52:53AM +1100, Darren Reed wrote:
>
> Well let me offer my completely biased opinion and say that unless you
> want/need to use dummynet, there's no reason to ever use ipfw :-)
>

Hmm ... what if I want to filter on tcpoptions? ipf supports ipopts
but I couldn't see anything about tcpoptions.

Reason .... Many SYN flood programs create packets with missing MSS.
So it is possible to filter these with the ipfw rule

    add 100 deny tcp from someplace to someother tcpoptions !mss setup

Or if I can do this with IPFilter, how do I do it?

Sorry if I'm missing something.

-steve
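What the rule in the message above selects, shown as an added example (not part of the original message and not ipfw's own code): a Python walker over the TCP header options that flags SYN-without-ACK segments carrying no MSS option. The function names and sample segments are constructed for illustration, and treating a malformed options area as "no MSS present" is this example's own choice.

```python
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2
TH_SYN, TH_ACK = 0x02, 0x10

def tcp_option_kinds(tcp: bytes) -> set:
    """Walk the options area of a TCP header and return the option kinds seen."""
    kinds = set()
    if len(tcp) < 20:
        return kinds
    hdr_len = (tcp[12] >> 4) * 4               # data offset field, in bytes
    opts = tcp[20:min(hdr_len, len(tcp))]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:                 # end of option list
            break
        if kind == TCPOPT_NOP:                 # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(opts):
            break                              # kind byte with no length byte
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                              # malformed: stop, keep what was seen
        if kind != TCPOPT_MSS or length == 4:  # a valid MSS option is exactly 4 bytes
            kinds.add(kind)
        i += length
    return kinds

def is_setup(tcp: bytes) -> bool:
    """ipfw 'setup' keyword: SYN set and ACK clear."""
    return len(tcp) >= 20 and bool(tcp[13] & TH_SYN) and not tcp[13] & TH_ACK

def matches_no_mss_setup(tcp: bytes) -> bool:
    """True for a segment that 'tcpoptions !mss setup' is meant to catch."""
    return is_setup(tcp) and TCPOPT_MSS not in tcp_option_kinds(tcp)

def build_tcp(flags: int, options: bytes = b"") -> bytes:
    """Constructed sample segment: fixed ports and sequence, options padded with EOL."""
    options += b"\x00" * (-len(options) % 4)
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                       offset << 4, flags, 65535, 0, 0) + options

if __name__ == "__main__":
    print("SYN with MSS 1460:", matches_no_mss_setup(build_tcp(TH_SYN, b"\x02\x04\x05\xb4")))
    print("SYN, no options:  ", matches_no_mss_setup(build_tcp(TH_SYN)))
    print("SYN+ACK, no MSS:  ", matches_no_mss_setup(build_tcp(TH_SYN | TH_ACK)))
```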