Subject: Re: Hello
To: thorpej@zembu.com <thorpej@zembu.com>
From: suxm <suxm@gnuchina.org>
List: tech-security
Date: 04/15/2001 10:45:49
Hello, Jason
I don't know why NetBSD wouldn't adopt the SYN cookie to resist SYN flood as a firewall?
Is it very difficult?
I have thought the biggest problem may be the NAT with SYN cookie.
Do you think so?
On 2001-4-14 8:01:00 you wrote:
>On Sat, Apr 14, 2001 at 03:37:08PM +0800, suxm wrote:
>The NetBSD SYN cache only works as a way to protect NetBSD as an
>endpoint of communication. Basically, what it does is use a data
>structure/code path that is lighter-weight than the traditional
>TCP connection setup path.
>
>The entire thing can be found in sys/netinet/tcp_input.c. Look for
>functions starting with "syn_cache".
>
> -- Jason R. Thorpe <thorpej@zembu.com>
sincerely yours
suxm
suxm@gnuchina.org