Alan DeKok wrote:
> Benjamin Krueger <benjamin@seattlefenix.net> wrote:
> > > [snip RFC 1025 (TCP and IP bake-off)]
> >
> > Identify what the packet should be, and treat it as such? If that is
> > the correct way to handle these packets, then these stacks are correct.
>
> So... what should the packet be? As I said, the spec is ambiguous.
> If you don't know what the packet is, you obviously don't know how to
> treat it.

Think of ECN; should older stacks simply reject a packet with Syn+0x42
because they don't know what 0x42 is?

If I've understood correctly, you were suggesting to drop "bad" packets.
I agree; only let established traffic through your firewall, and only let
packets with Syn or Syn+Ack set and with Fin and Rst unset establish state
in the firewall. Ignore the rest of the flags.

Of course, if anyone finds this un-interoperable, please chime in!
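The rule proposed in the message above, as an added example that is not part of the original post: a minimal state-tracking filter in Python. The class and function names, the addresses and the sample flag bytes are constructed for illustration; state expiry and direction policy are left out as a simplifying assumption.

```python
# TCP flag bits: FIN=0x01 SYN=0x02 RST=0x04 PSH=0x08 ACK=0x10 URG=0x20,
# plus the two bits RFC 3168 (ECN) later named ECE=0x40 and CWR=0x80.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))


def may_create_state(flags: int) -> bool:
    """True if SYN is set and FIN and RST are clear.

    Only these three bits are inspected. ACK, PSH, URG, ECE and CWR are
    ignored, so SYN, SYN+ACK and a flags byte of 0x42 (SYN plus ECE)
    all qualify.
    """
    return (flags & (SYN | FIN | RST)) == SYN


class StatefulFilter:
    """Hypothetical filter: a packet passes only if it matches existing
    state or is allowed to create it."""

    def __init__(self):
        self.states = set()  # one entry per connection, both directions

    @staticmethod
    def _key(src, dst):
        # Order the two endpoints so replies map to the same entry.
        return tuple(sorted((src, dst)))

    def accept(self, src, dst, flags: int) -> bool:
        key = self._key(src, dst)
        if key in self.states:
            return True               # established traffic
        if may_create_state(flags):
            self.states.add(key)      # clean SYN or SYN+ACK: track it
            return True
        return False                  # no state, not a clean SYN: drop


if __name__ == "__main__":
    fw = StatefulFilter()
    client, server = ("192.0.2.10", 40000), ("198.51.100.5", 80)
    # Constructed packets: (source, destination, flags byte)
    for src, dst, flags in [(client, server, ACK),        # stray ACK
                            (client, server, SYN | FIN),  # contradictory
                            (client, server, 0x42),       # SYN + ECE
                            (server, client, SYN | ACK),
                            (client, server, ACK)]:
        print(f"flags=0x{flags:02x}", "pass" if fw.accept(src, dst, flags) else "drop")
```
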