the flood defender feature protects inside systems from a denial of service attack perpetrated by flooding an interface with tcp syn packets. enable this feature by setting the maximum embryonic connections option to the nat and static commands.

    the tcp intercept feature protects systems reachable via a static and tcp conduit. this feature ensures that once the optional embryonic connection limit is reached, and until the embryonic connection count falls below this threshold, every syn bound for the affected server is intercepted. for each syn,pix firewall responds on behalf of the server with an empty syn/ack segment. pix firewall retains pertinent state information, drops the packet, and waits for the client's acknowledgment.