New Denial of Service Attack on Panix

:
:The only thing that comes close to the concept of "filtering" is to build
:a SYN proxy that replies with SYN-ACK and hangs onto SYN packets until the
:ACK is received from the net before actually letting the packets through
:to your server. This may require sequence number munging on every packet
:but that's generally the kind of thing proxies do.
:
:Of course, such a proxy does not yet exist except possibly as somebody's
:home-built box based on some stripped down BSD-ish UNIX kernel with
:various modifications. But assuming that you can build a box with enough
:horsepower to handle 100baseTx/FDDI/whatever in and
:100baseTx/FDDI/whatever out, then this is in the realm of possibility.
:

A beefed up application level firewall would probably work well in this
situation.

--Chris

:Michael Dillon - ISP & Internet Consulting
:Memra Software Inc. - Fax: +1-604-546-3049
:http://www.memra.com - E-mail: michael@memra.com
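
The SYN proxy handshake and the sequence-number munging described in the quoted text, as an added example that is not part of the original thread. It is a Python model that works on packet fields rather than real sockets; the class and method names, the timeout value and the expiry of unanswered entries are assumptions made for this example.

```python
import secrets

MOD = 2**32  # TCP sequence numbers wrap at 32 bits

class SynProxy:
    """Model of a SYN proxy; packets are plain dicts (assumed layout)."""

    def __init__(self, timeout=3.0):
        self.timeout = timeout
        self.pending = {}   # flow -> (client_isn, proxy_isn, deadline)
        self.half = {}      # flow -> proxy_isn, waiting for the server's SYN-ACK
        self.delta = {}     # flow -> (server_isn - proxy_isn) mod 2^32

    def client_syn(self, flow, client_isn, now):
        # Answer on the server's behalf; nothing is forwarded yet.
        proxy_isn = secrets.randbelow(MOD)
        self.pending[flow] = (client_isn, proxy_isn, now + self.timeout)
        return {"flags": "SA", "seq": proxy_isn, "ack": (client_isn + 1) % MOD}

    def client_ack(self, flow, ack, now):
        # Only a client that received our SYN-ACK can echo proxy_isn + 1.
        entry = self.pending.get(flow)
        if entry is None or now > entry[2] or ack != (entry[1] + 1) % MOD:
            return None
        client_isn, proxy_isn, _ = self.pending.pop(flow)
        self.half[flow] = proxy_isn
        return {"flags": "S", "seq": client_isn}  # replay the held SYN to the server

    def server_synack(self, flow, server_isn):
        # The server picked its own ISN; remember the offset from ours.
        self.delta[flow] = (server_isn - self.half.pop(flow)) % MOD
        return {"flags": "A", "ack": (server_isn + 1) % MOD}

    def to_server(self, flow, pkt):
        # The client acknowledges proxy-numbered bytes; shift into server space.
        return dict(pkt, ack=(pkt["ack"] + self.delta[flow]) % MOD)

    def to_client(self, flow, pkt):
        # The server's sequence numbers are shifted back into proxy space.
        return dict(pkt, seq=(pkt["seq"] - self.delta[flow]) % MOD)

    def expire(self, now):
        # SYNs that are never ACKed are dropped here; the server never saw them.
        stale = [f for f, e in self.pending.items() if now > e[2]]
        for f in stale:
            del self.pending[f]
        return len(stale)
```

Every packet of an established flow passes through `to_server` or `to_client`, which is the per-packet cost the quoted text refers to.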