Don Cohen wrote:
> There are some tcp options that have to be sent in the syn packet,
> e.g., window scale. These become unusable if this packet is supplied
> by the firewall, unless the firewall somehow knows how the original
> destination host "would have" answered. This seems unfortunate, and
> I don't see a good solution.
Not to mention that there are TCP options a firewall cannot know, such as the timestamp option.

In my opinion, if you do "syncookie" in a firewall then the TCP should be terminated there, with another TCP in to the real server. I.e. a proxy solution.

Regards
Henrik Nordström
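An added example (not from either poster) of why the options are lost: a minimal SYN-cookie encoder and validator in the classic layout, with an assumed 5-bit time counter, 3-bit MSS index and 24-bit keyed MAC, plus a constructed MSS table and secret. The 32-bit ISN carries only a rounded-down MSS, so when the client's ACK arrives there is nothing left from which to recover the window scale or timestamp options the original SYN carried.

```python
import hashlib
import hmac
import struct

# Illustrative cookie layout (assumed, not any particular kernel's):
# 32-bit ISN = 5-bit counter | 3-bit MSS index | 24-bit keyed hash.
MSS_TABLE = (536, 1300, 1440, 1460)   # constructed table, index fits in 3 bits
SECRET = b"constructed-demo-secret"   # per-host secret in a real deployment


def _mac24(src, dst, sport, dport, counter):
    """24-bit HMAC over the 4-tuple and the time counter."""
    msg = struct.pack("!4s4sHHB", src, dst, sport, dport, counter)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src, dst, sport, dport, client_mss, counter):
    """ISN answering a SYN; the only client option encoded is a rounded MSS."""
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    counter &= 0x1F
    return (counter << 27) | (idx << 24) | _mac24(src, dst, sport, dport, counter)


def check_cookie(src, dst, sport, dport, ack, now_counter, max_age=2):
    """Validate the final ACK (acks cookie+1) with no per-connection state.

    Returns the reconstructed parameters, or None if the cookie is stale or
    forged. Window scale and timestamp come back as None: the SYN that
    carried them was never stored, which is the limitation discussed above.
    """
    cookie = (ack - 1) & 0xFFFFFFFF
    counter = cookie >> 27
    idx = (cookie >> 24) & 0x7
    if (now_counter - counter) & 0x1F > max_age:
        return None                      # cookie too old
    if (cookie & 0xFFFFFF) != _mac24(src, dst, sport, dport, counter):
        return None                      # wrong 4-tuple or not ours
    return {"mss": MSS_TABLE[idx], "wscale": None, "timestamp": None}


if __name__ == "__main__":
    # Constructed 4-tuple: 10.0.0.1:40000 -> 10.0.0.2:80, client MSS 1460.
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    isn = make_cookie(src, dst, 40000, 80, 1460, counter=7)
    print(check_cookie(src, dst, 40000, 80, (isn + 1) & 0xFFFFFFFF, now_counter=8))
```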