In article <9502281621 .
Michel Lavondes <lavondes @
>If you have a filtering router as (part of) your firewall, you're limited
Actually, anyone that does extensive kernel modifications or
implements some policy in the kernel might be able examine a possible
socket *before* replying to the TCP SYN packet. I've been thinking
about this kind of thing a bit.
>A related question is, should your firewall send back anything at all or
>should you leave the sender wondering what happened to his nastygrams ?
Consider the case where the IP source address is faked, and the
address being faked is behind a 14.4k link. They aren't attacking
*you* they are attacking the guy behind the 14.4k by having *you*
tie up all their bandwidth.
:!mcr!: | <A HREF="http://www.milkyway.com/">Milkyway Networks Corporation</A>
Michael Richardson | Makers of the Black Hole firewall
NCF: aa714 || xx714 | +1 613 566-4574 ... mcr @
Home: <A HREF="http://www.sandelman.ocunix.on.ca/People/Michael_Richardson/Bio.html">mcr @
ca</A>. PGP key available.