Subject: Re: SYN cookie ?
To: Jon Lindgren <jlindgren@slk.com>
From: suxm <suxm@gnuchina.org>
List: tech-kern
Date: 04/19/2001 14:46:26
Please think over the following figure.
client              NetBSD Firewall              server
------              ---------------              ------
1. SYN-----------> - - - - - - - - - - - - - - - ->
2. <-----------SYN-ACK(cookie)
3. ACK-----------> - - - - - - - - - - - - - - - ->
4.  - - - - - - - - SYN------------------------->
5. <- - - - - - - - - <---------------------SYN-ACK
6.  - - - - - - - - ACK------------------------->
7. -----------> relay the ---------------------->
   <----------- connection <--------------------
1. A SYN is sent from C (client) to S (server).
2. The firewall acts as S and responds with a SYN-ACK whose sequence number is a SYN cookie.
3. C sends the ACK. Then the connection should be established.
4. The firewall acts as C and sends a SYN to S.
5. S responds to the SYN to C.
6. The firewall acts as C and sends the ACK. Then the connection is established.
7. The firewall relays data between C and S.
If SYN cookie is implemented in NetBSD, it can be used to protect servers in the LAN.
On 2001-4-18 9:28:00 you wrote:
>Is it realistically feasible? Not meaning "can it be done" but "can it be
>done right"?
sincerely yours
suxm
suxm@gnuchina.org
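As an added illustration (not from the message above and not NetBSD code), here is a Python model of the cookie the firewall hands out in step 2 and validates in step 3 of the figure. The 32-bit layout (5-bit minute counter, 25-bit keyed MAC, 2-bit MSS index), the MSS table, the secret and the two-minute acceptance window are all constructed assumptions; the point it demonstrates is that the firewall keeps no per-connection state between the SYN and the final ACK, so a flood of SYNs cannot exhaust its table, and that a forged, replayed or stale ACK is rejected.

```python
import hashlib
import hmac
import struct
import time

# Constructed for this example: a small MSS table (2 bits of index) and a
# placeholder secret. A real implementation rotates the secret regularly.
MSS_TABLE = [536, 1024, 1460, 4312]
SECRET = b"example-secret-rotate-me"

# Constructed cookie layout (32 bits, high to low):
#   5 bits  minute counter, so stale cookies can be rejected
#   25 bits keyed MAC over the 4-tuple, client ISN, counter and MSS index
#   2 bits  index into MSS_TABLE, so the MSS survives without stored state
COUNTER_BITS, MAC_BITS, MSS_BITS = 5, 25, 2
MAC_MASK = (1 << MAC_BITS) - 1
COUNTER_MASK = (1 << COUNTER_BITS) - 1
MSS_MASK = (1 << MSS_BITS) - 1


def _mac(saddr, daddr, sport, dport, client_isn, count, mss_idx, secret):
    """Keyed MAC binding the cookie to one connection attempt. The MSS index
    is covered too, otherwise an attacker could flip those two bits freely."""
    msg = struct.pack(">4s4sHHIIB", saddr, daddr, sport, dport,
                      client_isn, count, mss_idx)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & MAC_MASK


def _minute(now):
    return (int(now) // 60) & COUNTER_MASK


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, now, secret=SECRET):
    """Step 2 of the figure: the ISN the firewall places in its SYN-ACK.
    Nothing is stored; everything needed to check the ACK is in the cookie."""
    count = _minute(now)
    # Largest table entry not exceeding the client's MSS (index 0 if none).
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    h = _mac(saddr, daddr, sport, dport, client_isn, count, mss_idx, secret)
    return (count << (MAC_BITS + MSS_BITS)) | (h << MSS_BITS) | mss_idx


def check_cookie(saddr, daddr, sport, dport, seq, ack, now, secret=SECRET):
    """Step 3 of the figure: validate the client's ACK. Returns the MSS to use
    on success, or None if the cookie is forged, corrupted or too old."""
    cookie = (ack - 1) & 0xFFFFFFFF       # the ACK acknowledges our ISN + 1
    client_isn = (seq - 1) & 0xFFFFFFFF   # the client's ISN was seq - 1
    count = cookie >> (MAC_BITS + MSS_BITS)
    age = (_minute(now) - count) & COUNTER_MASK   # wraps correctly at 32
    if age > 1:                           # accept current and previous minute
        return None
    mss_idx = cookie & MSS_MASK
    expected = _mac(saddr, daddr, sport, dport, client_isn, count, mss_idx, secret)
    got = (cookie >> MSS_BITS) & MAC_MASK
    # Constant-time compare so timing does not leak which bits were wrong.
    if not hmac.compare_digest(expected.to_bytes(4, "big"), got.to_bytes(4, "big")):
        return None
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    c, s = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"   # constructed addresses
    now = time.time()
    isn = make_cookie(c, s, 40000, 80, client_isn=12345, mss=1460, now=now)
    print("SYN-ACK seq (cookie):", hex(isn))
    print("valid ACK  ->", check_cookie(c, s, 40000, 80, seq=12346, ack=isn + 1, now=now))
    print("forged ACK ->", check_cookie(c, s, 40000, 80, seq=12346, ack=isn + 7, now=now))
```

Only after check_cookie returns an MSS would the firewall proceed to step 4 and open its own connection to S; until then the half-open attempt costs it nothing but the SYN-ACK it already sent. The price of statelessness is visible in the code as well: the MSS is squeezed into two bits and window scaling or SACK options are not carried at all, which is the usual trade-off of SYN cookies.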