On Fri, 7 May 2004, Darren Reed wrote:
> On Thu, May 06, 2004 at 01:58:54PM -0500, Jacques A. Vidrine wrote:
> > On Thu, May 06, 2004 at 11:46:03AM -0700, Andre Oppermann wrote:
> > > Provide the sysctl net.inet.ip.process_options to control the processing
> > > of IP options.
> > >
> > > net.inet.ip.process_options=0 Ignore IP options and pass packets unmodified.
> > > net.inet.ip.process_options=1 Process all IP options (default).
> > > net.inet.ip.process_options=2 Reject all packets with IP options with ICMP
> > > filter prohibited message.
> > >
> > > This sysctl affects packets destined for the local host as well as those
> > > only transiting through the host (routing).
> > >
> > > IP options do not have any legitimate purpose anymore and are only used
> > > to circumvent firewalls or to exploit certain behaviours or bugs in TCP/IP
> > > stacks.
> > Yay!
> > Shall we have the default be `2 Reject all packets with IP options...' ?
> > I think so.
> It is disturbing to think that with 3 firewall solutions in the kernel,
> basic features they provide, such as this, still get implemented as code.
Well, reject, yes,
but a firewall cannot force the stack to IGNORE options.
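As an added illustration (not code from the commit or from anyone in this thread), here is the decision the three sysctl values describe, applied to a raw IPv4 header in plain C: mode 0 passes a packet with options untouched, mode 2 rejects it before any parsing, and only mode 1 walks the option list, which is where a malformed option length would otherwise bite. The options walk, the action names and the sample headers are constructed here; the "filter prohibited" ICMP is assumed to be destination unreachable, code 13.

```c
#include <stddef.h>
#include <stdint.h>

/* Policy values mirror the sysctl net.inet.ip.process_options. */
enum { IPOPT_IGNORE = 0, IPOPT_PROCESS = 1, IPOPT_REJECT = 2 };
/* Per-packet outcome; ACT_DROP_ICMP means "drop and answer with ICMP
 * destination unreachable, code 13 (administratively prohibited)". */
enum { ACT_PASS = 0, ACT_PROCESS_OPTS = 1, ACT_DROP_ICMP = 2, ACT_DROP_MALFORMED = 3 };

/* Walk the options area; every option's length must stay inside the header.
 * Returns 1 if well-formed, 0 otherwise. */
int ip_options_well_formed(const uint8_t *opts, size_t optlen)
{
    size_t i = 0;
    while (i < optlen) {
        uint8_t type = opts[i];
        if (type == 0) return 1;            /* EOL: end of option list */
        if (type == 1) { i++; continue; }   /* NOP: one byte, no length */
        if (i + 1 >= optlen) return 0;      /* length byte is missing */
        uint8_t len = opts[i + 1];
        if (len < 2 || i + len > optlen) return 0;
        i += len;
    }
    return 1;
}

/* Decide what to do with a raw IPv4 packet under the given policy. */
int ip_decide(const uint8_t *pkt, size_t pktlen, int policy)
{
    if (pktlen < 20 || (pkt[0] >> 4) != 4) return ACT_DROP_MALFORMED;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;    /* IHL counts 32-bit words */
    if (hlen < 20 || hlen > pktlen) return ACT_DROP_MALFORMED;
    if (hlen == 20) return ACT_PASS;              /* no options present */
    switch (policy) {
    case IPOPT_IGNORE: return ACT_PASS;           /* mode 0: pass unmodified */
    case IPOPT_REJECT: return ACT_DROP_ICMP;      /* mode 2: reject with ICMP */
    default:                                      /* mode 1: process options */
        return ip_options_well_formed(pkt + 20, hlen - 20)
               ? ACT_PROCESS_OPTS : ACT_DROP_MALFORMED;
    }
}

/* Constructed sample headers: version/IHL, TOS, total length, then a fixed
 * ID/flags/TTL=64/proto=TCP/checksum(0)/10.0.0.1 -> 10.0.0.2 prefix. */
#define HDR20(ihl, len) (0x40 | (ihl)), 0, 0, (len), 0, 0, 0x40, 0, 64, 6, 0, 0, \
                        10, 0, 0, 1, 10, 0, 0, 2
const uint8_t pkt_plain[20] = { HDR20(5, 20) };                 /* no options */
const uint8_t pkt_rr[24]    = { HDR20(6, 24), 0x07, 3, 4, 0 };  /* Record Route + EOL */
const uint8_t pkt_bad[24]   = { HDR20(6, 24), 0x07, 16, 4, 0 }; /* length overruns */
```

Note that pkt_bad is dropped as malformed only in mode 1; in mode 2 it never reaches the parser, and in mode 0 it passes through untouched, which is the distinction the reply above draws between rejecting and ignoring.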