Date:      Fri, 7 May 2004 00:56:01 -0700 (PDT)
From:      Julian Elischer <julian@elischer.org>
To:        Darren Reed <darrenr@hub.freebsd.org>
Cc:        cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/sys/netinet ip_fastfwd.c ip_input.c ip_var.h
Message-ID:  <Pine.BSF.4.21.0405070055190.33364-100000@InterJet.elischer.org>
In-Reply-To: <20040507072031.GA48708@hub.freebsd.org>



On Fri, 7 May 2004, Darren Reed wrote:

> On Thu, May 06, 2004 at 01:58:54PM -0500, Jacques A. Vidrine wrote:
> > On Thu, May 06, 2004 at 11:46:03AM -0700, Andre Oppermann wrote:
> > >   Provide the sysctl net.inet.ip.process_options to control the processing
> > >   of IP options.
> > >   
> > >    net.inet.ip.process_options=0  Ignore IP options and pass packets unmodified.
> > >    net.inet.ip.process_options=1  Process all IP options (default).
> > >    net.inet.ip.process_options=2  Reject all packets with IP options with ICMP
> > >     filter prohibited message.
> > >   
> > >   This sysctl affects packets destined for the local host as well as those
> > >   only transiting through the host (routing).
> > >   
> > >   IP options do not have any legitimate purpose anymore and are only used
> > >   to circumvent firewalls or to exploit certain behaviours or bugs in TCP/IP
> > >   stacks.
> > 
> > Yay!
> > Shall we have the default be `2 Reject all packets with IP options...' ?
> > I think so.
> 
> It is disturbing to think that with 3 firewall solutions in the kernel,
> basic features they provide, such as this, still get implemented as code.
> 

Well, reject, yes,
but a firewall cannot force the stack to IGNORE options.


> Darren
> 



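The three policy values in the quoted commit message (0 ignore, 1 process, 2 reject) map onto the moment the stack sees that the IPv4 header length exceeds 20 bytes. The following is an added example, not FreeBSD's ip_input.c or any code from the thread participants: it walks the option area of a raw IPv4 header with bounds checks and returns a verdict for each policy mode. The function and enum names, the verdict codes, and the three sample headers (a plain header, one carrying a Record Route option, and one whose option length runs past the header) are constructed for this example and are not from the original page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Policy values as described for net.inet.ip.process_options. */
enum ipopt_policy { IPOPT_IGNORE = 0, IPOPT_PROCESS = 1, IPOPT_REJECT = 2 };

/* Verdicts are this example's own naming, not a kernel API. */
enum verdict { PASS = 0, DROP_ICMP_PROHIB = 1, DROP_MALFORMED = 2 };

#define IPOPT_EOL 0   /* end of option list, single byte */
#define IPOPT_NOP 1   /* no-operation padding, single byte */

/* Walk the option area of an IPv4 header (opts points just past the
 * 20-byte fixed header, optlen = IHL*4 - 20). Returns 0 when every
 * option fits inside the header, -1 when a length byte would carry
 * the walk past the end; that overrun is the classic parser bug that
 * a hostile option list aims at. */
static int ipv4_options_valid(const uint8_t *opts, size_t optlen, int *count)
{
    size_t off = 0;
    int n = 0;
    while (off < optlen) {
        uint8_t type = opts[off];
        if (type == IPOPT_EOL)
            break;
        if (type == IPOPT_NOP) { off++; continue; }
        if (off + 1 >= optlen)            /* no room for a length byte */
            return -1;
        uint8_t len = opts[off + 1];
        if (len < 2 || off + len > optlen) /* zero/short length or overrun */
            return -1;
        n++;
        off += len;
    }
    if (count) *count = n;
    return 0;
}

/* Apply the policy to a raw IPv4 datagram. Header-length sanity checks
 * run regardless of mode; only the option walk is policy-dependent. */
int ipv4_apply_option_policy(const uint8_t *pkt, size_t pktlen, enum ipopt_policy mode)
{
    if (pktlen < 20 || (pkt[0] >> 4) != 4)
        return DROP_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > pktlen)
        return DROP_MALFORMED;
    if (ihl == 20)
        return PASS;                      /* no options: policy does not apply */
    switch (mode) {
    case IPOPT_IGNORE:
        return PASS;                      /* options left in place, never parsed */
    case IPOPT_REJECT:
        return DROP_ICMP_PROHIB;          /* caller would emit ICMP filter-prohibited */
    case IPOPT_PROCESS:
    default:
        return ipv4_options_valid(pkt + 20, ihl - 20, NULL) == 0 ? PASS : DROP_MALFORMED;
    }
}

/* Constructed sample headers (UDP, 10.0.0.1 -> 10.0.0.2, checksum left zero). */
static const uint8_t sample_plain[20] = {
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00, 0x40, 0x11,
    0x00, 0x00, 0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02 };
/* IHL=7: Record Route option (type 7, len 7, ptr 4, one slot) then EOL. */
static const uint8_t sample_rr[28] = {
    0x47, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x00, 0x40, 0x11,
    0x00, 0x00, 0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0x07, 0x07, 0x04, 0x0a, 0x00, 0x00, 0x01, 0x00 };
/* IHL=6: Record Route option claiming length 40 inside a 4-byte option area. */
static const uint8_t sample_bad[24] = {
    0x46, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x00, 0x40, 0x11,
    0x00, 0x00, 0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0x07, 0x28, 0x00, 0x00 };

int main(void)
{
    const char *names[] = { "PASS", "DROP_ICMP_PROHIB", "DROP_MALFORMED" };
    for (int mode = 0; mode <= 2; mode++) {
        printf("mode %d: plain=%s rr=%s bad=%s\n", mode,
               names[ipv4_apply_option_policy(sample_plain, sizeof sample_plain, mode)],
               names[ipv4_apply_option_policy(sample_rr, sizeof sample_rr, mode)],
               names[ipv4_apply_option_policy(sample_bad, sizeof sample_bad, mode)]);
    }
    return 0;
}
```

The malformed header shows the distinction Julian draws above: a firewall rule can match "has options" and reject (mode 2), but only the stack itself can decide not to parse the option list at all (mode 0), which is what keeps a bad length byte from ever reaching an option parser.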
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0405070055190.33364-100000>