From owner-cvs-all@FreeBSD.ORG Sat May 8 06:05:59 2004
Message-ID: <409CDB42.3080300@mindspring.com>
Date: Sat, 08 May 2004 09:06:10 -0400
From: Richard Coleman
Organization: Critical Magic, Inc.
To: Darren Reed
cc: "Jacques A. Vidrine", cvs-src@FreeBSD.org, src-committers@FreeBSD.org, Andre Oppermann, cvs-all@FreeBSD.org
In-Reply-To: <20040507072031.GA48708@hub.freebsd.org>
Subject: Re: cvs commit: src/sys/netinet ip_fastfwd.c ip_input.c ip_var.h
List-Id: CVS commit messages for the entire tree

Darren Reed wrote:
>>> net.inet.ip.process_options=0 Ignore IP options and pass packets
>>> unmodified.
>>> net.inet.ip.process_options=1 Process all IP options (default).
>>> net.inet.ip.process_options=2 Reject all packets with IP options
>>> with ICMP filter prohibited message.
>>>
>>> This sysctl affects packets destined for the local host as well
>>> as those only transiting through the host (routing).
>>>
>>> IP options do not have any legitimate purpose anymore and are
>>> only used to circumvent firewalls or to exploit certain
>>> behaviours or bugs in TCP/IP stacks.
>>
>> Yay! Shall we have the default be `2 Reject all packets with IP
>> options...' ? I think so.
>
> It is disturbing to think that with 3 firewall solutions in the
> kernel, basic features they provide, such as this, still get
> implemented as code.
>
> Darren

I think it depends on what is the default for this sysctl. The problem is that FreeBSD cannot turn on the standard firewalls by default. But it is possible that this sysctl could be in the secure position (== 2) out of the box and not be disruptive to most users. But, if the decision is to turn this off by default (== 1) then I would (somewhat) agree with you.

I know that someone (maybe phk) had mentioned that this sysctl short circuits the firewall code and is much faster. But that probably doesn't mean much since these packets are so rare.

Richard Coleman
richardcoleman@mindspring.com
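As an added example (my own code, not the FreeBSD commit under discussion), the three sysctl modes quoted above applied to a constructed IPv4 packet: mode 0 forwards without reading the option bytes, mode 1 parses them (so that is where a malformed option list has to be validated), and mode 2 drops the packet and answers with ICMP unreachable, code 13, the value FreeBSD names ICMP_UNREACH_FILTER_PROHIB. The packet builder, the sample Record Route option and the option walker are assumptions of this example; no checksum is computed.

```python
import struct

# Values of net.inet.ip.process_options as described in the commit message.
IGNORE, PROCESS, REJECT = 0, 1, 2
# ICMP destination unreachable, code "communication administratively
# prohibited" (FreeBSD's ICMP_UNREACH_FILTER_PROHIB).
ICMP_UNREACH, ICMP_UNREACH_FILTER_PROHIB = 3, 13


def ip_options(pkt):
    """Return the option bytes of an IPv4 packet (b'' when IHL == 5)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("bad IHL")
    return pkt[20:ihl]


def walk_options(opts):
    """Parse the option list into (type, data) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == 0:            # EOL: nothing further is an option
            break
        if t == 1:            # NOP: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")
        n = opts[i + 1]
        out.append((t, opts[i + 2:i + n]))
        i += n
    return out


def decide(pkt, policy):
    """Apply the sysctl policy to one packet: ('pass'|'process'|'reject', detail)."""
    opts = ip_options(pkt)
    if not opts or policy == IGNORE:      # mode 0 never parses the option bytes
        return ("pass", None)
    if policy == REJECT:                  # mode 2: drop and answer with ICMP
        return ("reject", (ICMP_UNREACH, ICMP_UNREACH_FILTER_PROHIB))
    return ("process", [t for t, _ in walk_options(opts)])  # mode 1: parse them


def build_ipv4(options=b"", payload=b""):
    """Constructed sample packet: UDP, TTL 64, documentation addresses, zero checksum."""
    options += b"\x00" * ((-len(options)) % 4)   # pad option list to a 32-bit boundary
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options) + len(payload),
                      0, 0, 64, 17, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + options + payload


# Constructed Record Route option: type 7, length 7, pointer 4, one empty slot.
RECORD_ROUTE = bytes([7, 7, 4, 0, 0, 0, 0])
```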