Subject: Re: SYN cookie ?
To: suxm <suxm@gnuchina.org>
From: Jason R Thorpe <thorpej@zembu.com>
List: tech-kern
Date: 04/16/2001 11:36:53

On Mon, Apr 16, 2001 at 10:27:33AM +0800, suxm wrote:

 > >	Don't SYN cookies make it impossible to tell if the initial
 > >	connection setup packet has been received?
 > 
 > No, I don't think so.
 > SYN cookie is implemented in Linux perfectly.
 > I think NetBSD should have such a function to resist SYN flood.

If it's implemented, it should be implemented in e.g. IP Filter, *not*
in the mainline IP forwarding path.

-- 
        -- Jason R. Thorpe <thorpej@zembu.com>