>Item: Many older systems, and at least one quite recent Ultrix version,
>are vulnerable to a denial-of-service attack that is often duplicated
>without malicious intent by firewalls: on receiving a single host
>unreachable, they summarily shut down all connections to that host;
>some may also do this for net unreachables, but I don't know.

I believe this was fixed in 4.3 - as when I was trying out tcpwrapper I did
whatever test they gave to find out if the bug existed, and it seemed to be
fixed.

Ok, just read this from Wietse:

The bug is that the kernel doesn't pay attention to the port numbers of the
ICMP UNREACH and therefore nukes all connections between the hosts. The bug
is present in the NET/1 distributions but fixed in NET/2. It is present in
Ultrix 4.3 but fixed with CXO-8919.

I believe that we were running Ultrix 4.3a, which most likely included the
patch.
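The matching bug Wietse describes, shown as an added example that is not part of the original message and is not code from NET/1, NET/2 or Ultrix: an ICMP Destination Unreachable quotes the IP header and first 8 bytes of the datagram that provoked it, which for TCP is exactly the source and destination port. A stack that looks only at the quoted destination address tears down every connection to that host; one that matches the full 4-tuple touches only the connection that sent the datagram. The addresses, ports, connection table and packet bytes below are constructed for the demonstration.

```c
/* Added example (not from the original message): dispatching an ICMP
 * Destination Unreachable to a TCP connection table, the NET/1-style
 * host-only match next to the per-connection match that fixes it.
 * All addresses, ports and packet bytes are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ICMP_DEST_UNREACH 3
#define ICMP_CODE_HOST    1   /* code 1: host unreachable */

struct conn {
    uint32_t laddr, raddr;    /* local / remote IPv4 address, host order */
    uint16_t lport, rport;    /* local / remote TCP port */
    int alive;
};

/* What the ICMP error tells us about the datagram that triggered it: the
 * quoted IP header plus the first 8 bytes of its payload, which for TCP
 * and UDP hold the source and destination ports (RFC 792). */
struct icmp_err {
    uint8_t  type, code;
    uint32_t orig_src, orig_dst;
    uint16_t orig_sport, orig_dport;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse an ICMP message (pkt points at the ICMP header). Returns 1 and fills
 * *out for a Destination Unreachable that quotes a complete IPv4 header plus
 * 8 payload bytes, 0 otherwise. The caller is assumed to have verified the
 * ICMP checksum already. */
int parse_icmp_unreach(const uint8_t *pkt, size_t len, struct icmp_err *out)
{
    if (len < 8 + 20 + 8 || pkt[0] != ICMP_DEST_UNREACH) return 0;
    const uint8_t *ip = pkt + 8;                    /* quoted IP header */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 8 + ihl + 8) return 0;
    const uint8_t *tp = ip + ihl;                   /* quoted transport header */
    out->type = pkt[0];
    out->code = pkt[1];
    out->orig_src = rd32(ip + 12);
    out->orig_dst = rd32(ip + 16);
    out->orig_sport = rd16(tp);
    out->orig_dport = rd16(tp + 2);
    return 1;
}

/* The behaviour the message describes: ports ignored, every connection to
 * the unreachable host is torn down. Returns the number dropped. */
int apply_by_host(struct conn *tab, size_t n, const struct icmp_err *e)
{
    int dropped = 0;
    for (size_t i = 0; i < n; i++)
        if (tab[i].alive && tab[i].raddr == e->orig_dst) { tab[i].alive = 0; dropped++; }
    return dropped;
}

/* The fix: the quoted datagram is one we sent, so its source is our local
 * address/port and its destination the remote one. Match the whole 4-tuple. */
int apply_by_4tuple(struct conn *tab, size_t n, const struct icmp_err *e)
{
    int dropped = 0;
    for (size_t i = 0; i < n; i++)
        if (tab[i].alive &&
            tab[i].laddr == e->orig_src && tab[i].lport == e->orig_sport &&
            tab[i].raddr == e->orig_dst && tab[i].rport == e->orig_dport) {
            tab[i].alive = 0; dropped++;
        }
    return dropped;
}

/* Constructed host-unreachable for our datagram 10.0.0.5:40002 -> 192.0.2.9:22
 * (checksum fields left zero; this is not a real capture). */
static const uint8_t sample_icmp[] = {
    0x03, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,             /* type 3, code 1 */
    0x45, 0x00, 0x00, 0x28, 0x12, 0x34, 0x40, 0x00, 0x40, 0x06, /* IPv4, proto TCP */
    0x00, 0x00, 0x0a, 0x00, 0x00, 0x05, 0xc0, 0x00, 0x02, 0x09, /* 10.0.0.5 -> 192.0.2.9 */
    0x9c, 0x42, 0x00, 0x16, 0x00, 0x00, 0x00, 0x01              /* 40002 -> 22, seq */
};

/* Run the sample through either matcher; returns connections dropped. */
int demo(int buggy)
{
    struct conn tab[3] = {   /* three connections from 10.0.0.5, two to 192.0.2.9 */
        { 0x0a000005, 0xc0000209, 40001, 80,  1 },
        { 0x0a000005, 0xc0000209, 40002, 22,  1 },
        { 0x0a000005, 0xc6336407, 40003, 443, 1 },   /* 198.51.100.7 */
    };
    struct icmp_err e;
    if (!parse_icmp_unreach(sample_icmp, sizeof sample_icmp, &e)) return -1;
    return buggy ? apply_by_host(tab, 3, &e) : apply_by_4tuple(tab, 3, &e);
}

/* 1 if the sample parses to the expected code and quoted ports. */
int sample_parses_ok(void)
{
    struct icmp_err e;
    return parse_icmp_unreach(sample_icmp, sizeof sample_icmp, &e) &&
           e.code == ICMP_CODE_HOST && e.orig_sport == 40002 && e.orig_dport == 22;
}

/* 1 if a message too short to carry the quoted header is rejected. */
int truncated_rejected(void)
{
    struct icmp_err e;
    return parse_icmp_unreach(sample_icmp, 12, &e) == 0;
}

int main(void)
{
    printf("host-only match drops %d connections, 4-tuple match drops %d\n",
           demo(1), demo(0));
    return 0;
}
```

On the sample, the host-only matcher drops both connections to 192.0.2.9 while the 4-tuple matcher drops only the one whose datagram actually bounced, which is the difference between a firewall's stray unreachable costing one connection and costing every session to that host. Note that a modern stack goes further than this fix: RFC 1122 section 4.2.3.9 classes host unreachable (codes 0, 1 and 5) as a soft error that must not abort an established connection at all, so the 4-tuple matcher above is only the narrowing the message calls for, not the whole of current practice.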