In a message to bugtraq, Paul Ferguson (paul@hawksbill.sprintmrn.com) wrote:

> The discussion did occur on firewalls. In fact, there was a rather
> lengthy discussion on IP fragmentation as an attack method.

In a following exchange of email, we've discovered the messages from this "lengthy discussion" are not a part of the firewalls archive. Apparently Brent decided they were off topic and removed them...

So, my original question stands: Any information on this?

My *guess* is: The filter looks for a TCP packet with a SYN but no ACK (rejecting incoming connections, but allowing incoming replies to outgoing connections). Fragment an IP packet so the TCP header (especially the flags) is moved to another fragment. The router allows the packet to pass (maybe even the next one containing the flags as well?).

Is this right? Or is there more to it than this? Do Ciscos reassemble the packets to match the internal MTU?

-Mike
mcn@EnGarde.com
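The filter behaviour guessed in the message, as an added example that is not part of the original thread and says nothing about what any particular router actually does: a stateless SYN-without-ACK check that only sees the first fragment, beside the same check hardened with the two fragment rules from RFC 1858 (drop a TCP first fragment too short to carry the flags byte, and drop any TCP fragment at offset 1, which could overwrite the flags on reassembly). The packets, addresses and port are constructed test data; the TMIN value follows RFC 1858.

```python
import struct

IPPROTO_TCP = 6
TMIN = 16  # TCP octets a first fragment must carry so the flags byte (offset 13) is present; RFC 1858's figure

def parse_ipv4(pkt: bytes) -> dict:
    """Pull the fields the fragment checks need from a raw IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, flags_fo, _, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto,
            "frag_offset": flags_fo & 0x1FFF,  # in 8-octet units
            "more_frags": bool(flags_fo & 0x2000),
            "payload": pkt[ihl:min(total_len, len(pkt))]}

def build_ipv4(payload: bytes, frag_offset: int = 0, more_frags: bool = False) -> bytes:
    """Constructed test packet: minimal IPv4 header (checksum left zero) around a TCP slice."""
    flags_fo = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_fo, 64,
                      IPPROTO_TCP, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + payload

# Constructed 20-byte TCP headers: an inbound SYN and a plain ACK (flags at offset 13).
SYN_HDR = struct.pack("!HHIIBBHHH", 40000, 23, 1, 0, 0x50, 0x02, 8192, 0, 0)
ACK_HDR = struct.pack("!HHIIBBHHH", 40000, 23, 1, 1, 0x50, 0x10, 8192, 0, 0)

def naive_verdict(pkt: bytes) -> str:
    """The stateless rule guessed in the message: drop TCP with SYN set and ACK clear."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != IPPROTO_TCP or ip["frag_offset"] != 0:
        return "pass"          # non-first fragments carry no TCP header to inspect
    if len(ip["payload"]) < 14:
        return "pass"          # flags byte absent: the rule has nothing to match, so it passes
    flags = ip["payload"][13]
    return "drop: inbound SYN" if (flags & 0x02) and not (flags & 0x10) else "pass"

def rfc1858_verdict(pkt: bytes) -> str:
    """Hardened rule: RFC 1858's two fragment checks, then the flag check."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != IPPROTO_TCP:
        return "pass"
    if ip["frag_offset"] == 0 and len(ip["payload"]) < TMIN:
        return "drop: first fragment too short to expose the TCP flags"
    if ip["frag_offset"] == 1:
        return "drop: offset-1 fragment could overwrite the TCP flags on reassembly"
    return naive_verdict(pkt)
```

Running the two verdicts over an 8-octet first fragment of SYN_HDR shows the naive rule passing it while the hardened rule drops it; the 16-octet first fragment is caught by both because the flags byte is present.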