From owner-freebsd-hackers Wed Jun 28 11:04:51 1995
Return-Path: hackers-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id LAA16368 for hackers-outgoing; Wed, 28 Jun 1995 11:04:51 -0700
Received: from cs.weber.edu (cs.weber.edu [137.190.16.16]) by freefall.cdrom.com (8.6.10/8.6.6) with SMTP id LAA16362 for ; Wed, 28 Jun 1995 11:04:50 -0700
Received: by cs.weber.edu (4.1/SMI-4.1.1) id AA16552; Wed, 28 Jun 95 11:57:39 MDT
From: terry@cs.weber.edu (Terry Lambert)
Message-Id: <9506281757.AA16552@cs.weber.edu>
Subject: Re: ipfw code
To: lists@tar.com
Date: Wed, 28 Jun 95 11:57:39 MDT
Cc: guido@gvr.win.tue.nl, hackers@freebsd.org
In-Reply-To: <199506281236.HAA00903@ns.tar.com> from "Richard Seaman, Jr" at Jun 28, 95 07:36:46 am
X-Mailer: ELM [version 2.4dev PL52]
Sender: hackers-owner@freebsd.org
Precedence: bulk

> I'm not sure I follow this. If the goal is to prevent inbound TCP
> connection requests, I would think the filter should block TCP packets
> with the SYN bit set and the ACK bit clear, but allow those in which
> both the SYN bit and ACK bit are both set?
>
> I would think the goal of blocking on syn is to prevent inbound
> connections but allow outbound connections?

NFS spoofing is still possible if only syn packets are blocked.

Terry Lambert
terry@cs.weber.edu
---
Any opinions in this posting are my own and not those of my present or previous employers.
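
The rule discussed in this thread, written out as an added example (not code from ipfw or from either poster): it drops TCP segments with SYN set and ACK clear and passes everything else. The `check` helper and its sample packets are constructed for illustration, and the UDP packet to port 2049 assumes NFS carried over UDP, which a SYN-only rule never inspects.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TH_SYN 0x02
#define TH_ACK 0x10
enum verdict { PASS = 0, DROP = 1 };

/* "Block inbound TCP connection requests" applied to one raw IPv4 packet:
 * drop only SYN-set/ACK-clear TCP segments; truncated headers are dropped. */
enum verdict syn_filter(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return DROP;                          /* not a complete IPv4 header */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4; /* header length incl. options */
    if (ihl < 20 || len < ihl)
        return DROP;
    if (pkt[9] != 6)
        return PASS;                          /* not TCP: the rule never looks at it */
    uint16_t frag_off = (uint16_t)(((pkt[6] & 0x1f) << 8) | pkt[7]);
    if (frag_off != 0)
        return PASS;                          /* later fragment: no TCP header here */
    if (len < ihl + 14)
        return DROP;                          /* flags byte (TCP offset 13) missing */
    uint8_t flags = pkt[ihl + 13];
    return ((flags & (TH_SYN | TH_ACK)) == TH_SYN) ? DROP : PASS;
}

/* Hypothetical helper: build a constructed 40-byte sample packet and filter it. */
enum verdict check(uint8_t proto, uint8_t tcp_flags, uint16_t dport)
{
    uint8_t buf[40] = {0};
    buf[0] = 0x45;                            /* IPv4, 20-byte header */
    buf[9] = proto;                           /* 6 = TCP, 17 = UDP */
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)(dport & 0xff);
    if (proto == 6) { buf[32] = 0x50; buf[33] = tcp_flags; }
    return syn_filter(buf, sizeof buf);
}

int main(void)
{
    printf("TCP SYN      -> %d\n", (int)check(6, TH_SYN, 2049));
    printf("TCP SYN+ACK  -> %d\n", (int)check(6, TH_SYN | TH_ACK, 2049));
    printf("TCP ACK      -> %d\n", (int)check(6, TH_ACK, 2049));
    printf("UDP to 2049  -> %d\n", (int)check(17, 0, 2049));
    return 0;
}
```

A verdict of 1 means the packet is dropped and 0 means it passes; only the bare SYN is dropped.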