Date:      Thu, 6 May 2004 12:29:27 -0700 (PDT)
From:      David Wolfskill <david@catwhisker.org>
To:        freebsd-current@freebsd.org, freebsd-net@freebsd.org
Subject:   Re: Default behaviour of IP Options processing
Message-ID:  <200405061929.i46JTRgi007101@bunrab.catwhisker.org>
In-Reply-To: <409A8EF3.5825EF0C@freebsd.org>

>Date: Thu, 06 May 2004 21:16:03 +0200
>From: Andre Oppermann <andre@freebsd.org>
>To: freebsd-current@freebsd.org, freebsd-net@freebsd.org
>Subject: Default behaviour of IP Options processing
>Sender: owner-freebsd-current@freebsd.org

>However I want to propose to change the default from processing options
>to ignoring options (or even stronger to reject them).

>....

>Opinions?  Discussion?  Yes/Nay?

From "ipfw show" on my home gateway/NAT/packet filter box:

...
02000      0         0 deny log ip from any to any ipopt rr
02010      0         0 deny log ip from any to any ipopt ts
02020      0         0 deny log ip from any to any ipopt ssrr
02030      0         0 deny log ip from any to any ipopt lsrr


I implemented those rules back around August, 1999, when I first set the
box up; I don't recall that they have ever been triggered.  (Uptime on
the box is nowhere near 4+ years, as it's been tracking -STABLE about
every couple of weeks:

janus# uname -a
FreeBSD janus.catwhisker.org 4.10-PRERELEASE FreeBSD 4.10-PRERELEASE #66: Sun May  2 06:05:10 PDT 2004     root@freebeast.catwhisker.org:/common/S1/obj/usr/src/sys/JANUS  i386
janus# 

So the counters from "show ipfw" only show traffic since

janus# uptime
12:27PM  up 4 days,  5:53, 1 user, load averages: 0.04, 0.03, 0.06
janus# 

-- not really enough to be significant.)

My point was that there are some of us who, quite deliberately,
decline to accept options-laden traffic anyhow.  So I have no known
reason to object to the proposal.

Peace,
david
-- 
David H. Wolfskill				david@catwhisker.org
I do not "unsubscribe" from email "services" to which I have not explicitly
subscribed.  Rather, I block spammers' access to SMTP servers I control,
and encourage others who are in a position to do so to do likewise.
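
An added example, not part of the original message or of FreeBSD: a sketch of the check behind the four `ipopt` rules quoted above, walking the options area of a raw IPv4 header and naming the options those rules would match. The function names and the sample headers are constructed for illustration; the option type numbers are those of RFC 791.

```python
# Added example (not from the original message). Option numbers: RFC 791.
IPOPT_EOL, IPOPT_NOP = 0, 1
DENIED = {7: "rr", 68: "ts", 131: "lsrr", 137: "ssrr"}  # ipfw ipopt names


def ip_options(header: bytes):
    """Yield (type, data) for each option in a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (header[0] & 0x0F) * 4            # header length in bytes
    if ihl < 20 or ihl > len(header):
        raise ValueError("bad IHL")
    opts, i = header[20:ihl], 0
    while i < len(opts):
        otype = opts[i]
        if otype == IPOPT_EOL:              # end of option list
            return
        if otype == IPOPT_NOP:              # single-byte padding
            i += 1
            continue
        if i + 1 >= len(opts):              # all others: type, length, data
            raise ValueError("truncated option")
        olen = opts[i + 1]
        if olen < 2 or i + olen > len(opts):
            raise ValueError("bad option length")
        yield otype, opts[i + 2:i + olen]
        i += olen


def denied_options(header: bytes):
    """Names of the options that rules 02000-02030 would match."""
    return [DENIED[t] for t, _ in ip_options(header) if t in DENIED]


def make_header(options: bytes = b"") -> bytes:
    """Constructed sample: minimal IPv4 header, checksum left at zero."""
    options += b"\x00" * (-len(options) % 4)    # pad to a 32-bit boundary
    total = 20 + len(options)
    fixed = bytes([0x40 | total // 4, 0]) + total.to_bytes(2, "big")
    fixed += bytes(4) + bytes([64, 1, 0, 0])    # id/frag, TTL, ICMP, cksum
    fixed += bytes([192, 0, 2, 1, 192, 0, 2, 2])  # documentation addresses
    return fixed + options


if __name__ == "__main__":
    rr = bytes([7, 7, 4, 0, 0, 0, 0])           # Record Route, one empty slot
    print(denied_options(make_header()))
    print(denied_options(make_header(b"\x01" + rr)))
```

A header whose option length field runs past the end of the header raises `ValueError` rather than being reported as clean.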