Thanks for the RFC quote..... I've been hacking code for hours and just the quote is a big help.

BTW: On the SYNDefender firewall..... if we are interested in firewalls, then the 'elegant firewall solution' is, IMO, to ensure that our gateways send ICMP UNREACHABLE messages back to the host. Then it is somewhat easy to do the kernel checks to free SYN_RCVD 'zombies'.

For example, it is two hops from here to the provider host that blackholes the SYN/ACK second part of the handshake. If that gateway would send me an UNREACHABLE message, it would be easy to just send RST as in the no-problem reachable state. And, TCP remains an end-to-end protocol, which, I think, we all would think would be 'elegant'.....

I feel like a cheerleader 'Give me an U N R E A C H A B L E' wha-at-ya-got .........

Best Regards,
Tim
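The check described in the message above, sketched as an added example that is not part of the original post or of any kernel's code: a listener frees a SYN_RCVD entry when an ICMP destination-unreachable message quotes the SYN/ACK it sent. `HalfOpenTable`, `on_syn`, `on_icmp` and `build_unreachable` are hypothetical names, the sample message is constructed, and matching on the quoted sequence number is an assumption added here.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3  # ICMP type for destination unreachable


class HalfOpenTable:
    """Hypothetical listener-side table of SYN_RCVD entries awaiting the final ACK."""

    def __init__(self):
        self.conns = {}  # (local_ip, local_port, peer_ip, peer_port) -> ISS of our SYN/ACK

    def on_syn(self, local_ip, local_port, peer_ip, peer_port, iss):
        self.conns[(local_ip, local_port, peer_ip, peer_port)] = iss

    def on_icmp(self, icmp):
        """Free the SYN_RCVD entry an unreachable message refers to; True if freed."""
        if len(icmp) < 8 + 20 + 8 or icmp[0] != ICMP_DEST_UNREACH:
            return False
        inner = icmp[8:]  # quoted IP header + first 8 bytes of our SYN/ACK
        ihl = (inner[0] & 0x0F) * 4
        if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
            return False
        if inner[9] != socket.IPPROTO_TCP:
            return False
        src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
        sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
        key = (src, sport, dst, dport)
        # Assumption: only act when the quoted sequence number is the ISS we sent,
        # so an unrelated or forged message cannot clear someone else's entry.
        if self.conns.get(key) != seq:
            return False
        del self.conns[key]
        return True


def build_unreachable(src, sport, dst, dport, seq, code=1):
    """Constructed sample: ICMP type 3 quoting the SYN/ACK that could not be delivered."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    icmp_hdr = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0)
    return icmp_hdr + ip + struct.pack("!HHI", sport, dport, seq)
```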