Subject: Re: SYN cookie ?
To: suxm <suxm@gnuchina.org>
From: Jason R Thorpe <thorpej@zembu.com>
List: tech-kern
Date: 04/19/2001 15:00:09
On Thu, Apr 19, 2001 at 10:00:50AM +0800, suxm wrote:

> If a SYN cookie is implemented in NetBSD, it can be used to protect servers in the LAN.

What would be the point of using SYN cookies here, again?  As Bill
Sommerfeld has pointed out *several* times, the server (in your
diagram, the NetBSD-Firewall) is required to retransmit the SYN-ACK
if the ACK never arrives.

Therefore, what you would want in this case would be some TCP connection
setup proxy, which would use a mechanism similar to the NetBSD-host-role
"SYN cache", since the SYN-cookie method has no mechanism to perform
SYN-ACK retransmission (by its very nature).

-- 
        -- Jason R. Thorpe <thorpej@zembu.com>
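The distinction drawn above, as an added simulation that is not part of this thread or of NetBSD's TCP code: the SYN-cookie side folds all handshake state into the ISN and records nothing, so it can verify the client's final ACK by recomputation but has no entry from which to retransmit a lost SYN-ACK, while the SYN-cache side keeps a small per-SYN record that its retransmit timer walks. The 4-tuple, the secret and the mixer standing in for a keyed MAC are constructed placeholders.

```c
#include <stdbool.h>
#include <stdint.h>

struct tuple { uint32_t saddr, daddr; uint16_t sport, dport; };   /* 4-tuple of one SYN */
/* Constructed demo values (hypothetical): a client 4-tuple and the server's secret. */
static const struct tuple demo_tuple = { 0x0a000001u, 0x0a000002u, 40000, 80 };
static const uint64_t demo_key = 0x5eed5eed5eed5eedULL;
/* Stand-in for the secret-keyed MAC a real SYN-cookie stack uses (64-bit mixer, not cryptographic). */
static uint32_t cookie_mac(const struct tuple *t, uint32_t count, uint64_t key) {
    uint64_t x = key ^ ((uint64_t)t->saddr << 32 | t->daddr);
    x ^= (uint64_t)t->sport << 48 | (uint64_t)t->dport << 32 | count;
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    return (uint32_t)(x ^ (x >> 31));
}

/* SYN cookie: the ISN itself is the state (8-bit time counter on top, MAC bits below); nothing is stored. */
uint32_t syncookie_isn(const struct tuple *t, uint32_t count, uint64_t key) {
    count &= 0xffu;
    return (count << 24) | (cookie_mac(t, count, key) & 0x00ffffffu);
}

/* The final ACK (ack == ISN + 1) is verified purely by recomputation. */
bool syncookie_check(const struct tuple *t, uint32_t ack, uint32_t now, uint64_t key) {
    uint32_t isn = ack - 1, count = isn >> 24;
    if (((now - count) & 0xffu) > 3) return false;    /* cookie expired */
    return isn == syncookie_isn(t, count, key);
}

/* SYN cache: a per-SYN record, which is exactly what a SYN-ACK retransmission needs. */
#define SC_MAX 8
struct sc_entry { struct tuple t; uint32_t isn; int rexmt; bool used; };
static struct sc_entry sc[SC_MAX];
bool syncache_add(const struct tuple *t, uint32_t isn) {
    for (int i = 0; i < SC_MAX; i++)
        if (!sc[i].used) { sc[i] = (struct sc_entry){ *t, isn, 0, true }; return true; }
    return false;                                     /* cache full: SYN dropped */
}

/* Retransmit timer: resend the SYN-ACK for every waiting entry, drop those past the limit. */
int syncache_timer(int max_rexmt) {
    int sent = 0;
    for (int i = 0; i < SC_MAX; i++) {
        if (!sc[i].used) continue;
        if (++sc[i].rexmt > max_rexmt) { sc[i].used = false; continue; }
        sent++;                                       /* SYN-ACK would be emitted here */
    }
    return sent;                                      /* number of SYN-ACKs resent this tick */
}
/* A cookie-only stack keeps no such table, so its timer has nothing to walk. */
int syncookie_timer(void) { return 0; }
```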