cvs commit: src/sys/netinet ip_fastfwd.c ip_input.c ip_var.h

Richard Coleman richardcoleman at mindspring.com
Sat May 8 06:05:59 PDT 2004


Darren Reed wrote:
>>> net.inet.ip.process_options=0  Ignore IP options and pass packets
>>> unmodified.
>>> net.inet.ip.process_options=1  Process all IP options (default).
>>> net.inet.ip.process_options=2  Reject all packets with IP options
>>> with ICMP filter prohibited message.
>>> 
>>> This sysctl affects packets destined for the local host as well
>>> as those only transiting through the host (routing).
>>> 
>>> IP options do not have any legitimate purpose anymore and are
>>> only used to circumvent firewalls or to exploit certain
>>> behaviours or bugs in TCP/IP stacks.
>> 
>> Yay! Shall we have the default be `2 Reject all packets with IP
>> options...' ? I think so.
> 
> It is disturbing to think that with 3 firewall solutions in the
> kernel, basic features they provide, such as this, still get
> implemented as code.
> 
> Darren

I think it depends on what is the default for this sysctl.  The problem
is that FreeBSD cannot turn on the standard firewalls by default.  But
it is possible that this sysctl could be in the secure position (== 2)
out of the box and not be disruptive to most users.

But, if the decision is to turn this off by default (== 1) then I would
(somewhat) agree with you.  I know that someone (maybe phk) had
mentioned that this sysctl short circuits the firewall code and is much
faster.  But that probably doesn't mean much since these packets are so
rare.

Richard Coleman
richardcoleman at mindspring.com
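As an added illustration of the three settings discussed above (example code, not from the commit or from either poster), here is a userland model of how a stack recognises a packet carrying IP options (IHL greater than 5) and what each value of net.inet.ip.process_options does with it. The helper names are hypothetical; the sample headers are constructed inline, and the "filter prohibited" rejection is represented by ICMP type 3, code 13.

```python
import struct

# The three values from the commit message.
PROCESS_OPTIONS_IGNORE = 0   # pass packets unmodified, options untouched
PROCESS_OPTIONS_PROCESS = 1  # process all IP options (the commit's default)
PROCESS_OPTIONS_REJECT = 2   # drop and answer with ICMP filter prohibited

ICMP_UNREACH_FILTER_PROHIB = (3, 13)  # ICMP type 3 (unreachable), code 13


def ip_options(packet: bytes) -> bytes:
    """Return the raw options bytes of an IPv4 header (b'' when IHL == 5)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version = packet[0] >> 4
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("bad IPv4 header")
    return packet[20:ihl]                 # everything past the fixed header


def decide(packet: bytes, setting: int):
    """Model the sysctl: returns (verdict, detail) for one packet.

    Applies equally to packets for the local host and to transit
    (forwarded) packets, as the commit message states."""
    opts = ip_options(packet)
    if not opts:
        return ("forward", None)          # no options: setting is irrelevant
    if setting == PROCESS_OPTIONS_IGNORE:
        return ("forward", None)          # options left in place, not acted on
    if setting == PROCESS_OPTIONS_PROCESS:
        return ("process", opts)          # hand options to the option parser
    if setting == PROCESS_OPTIONS_REJECT:
        return ("reject", ICMP_UNREACH_FILTER_PROHIB)
    raise ValueError("unknown process_options setting")


def build_ipv4(options: bytes = b"") -> bytes:
    """Constructed IPv4 header (checksum left zero) with optional options."""
    options += b"\x00" * (-len(options) % 4)   # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                        0, 0, 64, 6, 0,
                        bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return fixed + options


if __name__ == "__main__":
    # Constructed sample: a Record Route option (type 7, length 7).
    pkt = build_ipv4(b"\x07\x07\x04\x00\x00\x00\x00")
    for s in (0, 1, 2):
        print(s, decide(pkt, s))
```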
