
In message <Pine.BSI.3.93.960916191246.3265P-100000@sidhe.memra.com>, Michael Dillon writes:
:
:The only thing that comes close to the concept of "filtering" is to build
:a SYN proxy that replies with SYN-ACK and hangs onto SYN packets until the
:ACK is received from the net before actually letting the packets through
:to your server. This may require sequence number munging on every packet
:but that's generally the kind of thing proxies do.
:
:Of course, such a proxy does not yet exist except possibly as somebody's
:home-built box based on some stripped down BSD-ish UNIX kernel with
:various modifications. But assuming that you can build a box with enough
:horsepower to handle 100baseTx/FDDI/whatever in and
:100baseTx/FDDI/whatever out, then this is in the realm of possibility.
:

A beefed up application level firewall would probably work well in this
situation.

--Chris

:Michael Dillon - ISP & Internet Consulting
:Memra Software Inc. - Fax: +1-604-546-3049
:http://www.memra.com - E-mail: michael@memra.com

-------------------------------------------------------------------
Christopher Blizzard  | "The truth knocks on the door and you say
blizzard@nysernet.org | 'Go away. I'm looking for the truth,' and
NYSERNet, Inc.        | so it goes away." --Robert Pirsig
-------------------------------------------------------------------
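The SYN proxy described in the quoted text, as a small Python simulation added here (not code from either poster): the proxy answers each SYN itself, releases the held SYN to the server only after the client's ACK arrives, and then shifts sequence numbers on every packet because its own initial sequence number differs from the server's. The class names, the dict packet layout and the flow keys are constructed for illustration; timeouts, retransmissions and TCP options are not modelled.

```python
import secrets

MOD = 2**32  # TCP sequence numbers wrap at 32 bits

class Server:
    """Constructed stand-in for the protected host; counts the SYNs it sees."""
    def __init__(self, isn):
        self.isn, self.syns_seen = isn, 0
    def on_syn(self, client_isn):
        self.syns_seen += 1
        return {"flags": "SA", "seq": self.isn, "ack": (client_isn + 1) % MOD}

class SynProxy:
    def __init__(self, server):
        self.server = server
        self.pending = {}   # flow -> (held client ISN, proxy ISN)
        self.delta = {}     # flow -> (server ISN - proxy ISN) mod 2^32

    def from_client(self, flow, pkt):
        if pkt["flags"] == "S":
            # Answer on the server's behalf and hold the SYN.
            p_isn = secrets.randbits(32)
            self.pending[flow] = (pkt["seq"], p_isn)
            return ("client", {"flags": "SA", "seq": p_isn, "ack": (pkt["seq"] + 1) % MOD})
        if flow in self.pending:
            c_isn, p_isn = self.pending[flow]
            if pkt["flags"] != "A" or pkt["ack"] != (p_isn + 1) % MOD:
                return None  # not the ACK completing our handshake: drop
            del self.pending[flow]
            # Handshake proven: release the held SYN to the server.
            sa = self.server.on_syn(c_isn)
            self.delta[flow] = (sa["seq"] - p_isn) % MOD
            return ("server", {"flags": "A", "seq": pkt["seq"], "ack": (sa["seq"] + 1) % MOD})
        if flow in self.delta:
            # Established: shift the client's ack into the server's sequence space.
            return ("server", dict(pkt, ack=(pkt["ack"] + self.delta[flow]) % MOD))
        return None

    def from_server(self, flow, pkt):
        # Shift the server's seq into the space the client was promised.
        return ("client", dict(pkt, seq=(pkt["seq"] - self.delta[flow]) % MOD))

def demo():
    srv = Server(isn=4000000000)                         # constructed server ISN
    px = SynProxy(srv)
    px.from_client("spoofed", {"flags": "S", "seq": 7})  # handshake never completes
    _, sa = px.from_client("real", {"flags": "S", "seq": 1000})
    px.from_client("real", {"flags": "A", "seq": 1001, "ack": (sa["seq"] + 1) % MOD})
    return srv.syns_seen  # only the completed handshake reached the server
```
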