>> Send an IP fragment 0 acceptable to the firewall >> Send an IP fragment at offset 8 to rewrite most of the header >> and all the data > that isn't the main bug. sigh Seems to me that there's no reason to use the "new" data rather than the "old" data when a new fragment arrives that overlaps already-collected data. They're supposed to be the same; any difference indicates that at least one of them is definitely corrupted in a way that beat the checksum, or else you're under attack. In either case, dropping both the incoming packet and the collected fragments is probably the best response, seems to me. If you don't want to compare the bytes, then just make sure old data takes precedence over new. (But comparing the bytes when there's overlap is probably cheap enough to do; the only way it will happen in normal use is when a fragmented datagram is retransmitted.) der Mouse mouse@collatz.mcrcim.mcgill.edu