HardenedBSD/sbin/ipfw
Alexander Langer ce78a1f6dd Alter ipfw's behavior with respect to fragmented packets when the packet
offset is non-zero:

  - Do not match fragmented packets if the rule specifies a port or
    TCP flags
  - Match fragmented packets if the rule does not specify a port and
    TCP flags

Since ipfw cannot examine port numbers or TCP flags for such packets,
it is now illegal to specify the 'frag' option with either ports or
tcpflags.  Both kernel and ipfw userland utility will reject rules
containing a combination of these options.

BEWARE: packets that were previously passed may now be rejected, and
vice versa.

Reviewed by:	Archie Cobbs <archie@whistle.com>
1998-02-12 00:57:06 +00:00
..
ipfw.8 Alter ipfw's behavior with respect to fragmented packets when the packet 1998-02-12 00:57:06 +00:00
ipfw.c Alter ipfw's behavior with respect to fragmented packets when the packet 1998-02-12 00:57:06 +00:00
Makefile Submitted by: Whistle Communications (archie Cobbs) 1997-06-02 05:02:37 +00:00