Date: Thu, 06 May 2004 21:35:41 +0200
From: Andre Oppermann <andre@freebsd.org>
To: David Wolfskill <david@catwhisker.org>
Cc: freebsd-current@freebsd.org
Subject: Re: Default behaviour of IP Options processing
Message-ID: <409A938D.AAEF25C@freebsd.org>
References: <200405061929.i46JTRgi007101@bunrab.catwhisker.org>
David Wolfskill wrote:
> > However I want to propose to change the default from processing options
> > to ignoring options (or even stronger to reject them).
> > ....
> > Opinions? Discussion? Yes/Nay?
>
> From "ipfw show" on my home gateway/NAT/packet filter box:
> ...
> 02000 0 0 deny log ip from any to any ipopt rr
> 02010 0 0 deny log ip from any to any ipopt ts
> 02020 0 0 deny log ip from any to any ipopt ssrr
> 02030 0 0 deny log ip from any to any ipopt lsrr
>
> I implemented those rules back around August, 1999, when I first set the
> box up; I don't recall that they have ever been triggered. (Uptime on
> the box is nowhere near 4+ years, as it's been tracking -STABLE about
> every couple of weeks:

I have done the same counters on my ISP's core routers with about 40Mbit/s of
junky unfiltered public Internet traffic for many hours now. No hits so far.

--
Andre
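The ipfw rules quoted above match packets carrying the record-route (rr), timestamp (ts), strict source route (ssrr) and loose source route (lsrr) IP options and count how often each fires. The following is an added example, not code from the thread or from FreeBSD: a small, defensive IPv4 option-list parser in Python that classifies the options a header carries and tallies hits per option type the way those rule counters do. The option type codes (7, 68, 131, 137) come from RFC 791 and RFC 781; the packets it runs over are constructed inline, with 192.0.2.x documentation addresses, and all function names are the example's own.

```python
import struct

# IP option type codes from RFC 791 (RR, LSRR, SSRR) and RFC 781 (TS),
# keyed to the ipfw "ipopt" keyword names used in the thread.
IPOPT_NAMES = {7: "rr", 68: "ts", 131: "lsrr", 137: "ssrr"}
IPOPT_EOL = 0  # end of option list, one byte
IPOPT_NOP = 1  # no-operation padding, one byte


def parse_ip_options(packet: bytes) -> list:
    """Return the names of options present in an IPv4 header, in order.

    Known types map to ipfw names; anything else is reported as 'type-N'.
    A truncated or inconsistent option list raises ValueError rather than
    being silently skipped, since a filter that cannot parse the header
    should not conclude that the packet is option-free.
    """
    if len(packet) < 20:
        raise ValueError("short packet")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("bad IPv4 header")
    opts = packet[20:ihl]
    found = []
    i = 0
    while i < len(opts):
        opt_type = opts[i]
        if opt_type == IPOPT_EOL:
            break
        if opt_type == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        found.append(IPOPT_NAMES.get(opt_type, "type-%d" % opt_type))
        i += length
    return found


def count_option_hits(packets) -> dict:
    """Tally, per ipfw option name, how many packets carry that option."""
    hits = {name: 0 for name in IPOPT_NAMES.values()}
    for pkt in packets:
        for name in set(parse_ip_options(pkt)):
            if name in hits:
                hits[name] += 1
    return hits


def build_ipv4_header(options: bytes) -> bytes:
    """Constructed test helper: a minimal IPv4 header with the given options.

    Options are padded with EOL bytes to a 4-byte boundary and IHL is set
    accordingly. Checksum is left zero; this is only for parser testing.
    """
    padded = options + b"\x00" * (-len(options) % 4)
    ihl = 5 + len(padded) // 4
    return struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 17, 0,
        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]),
    ) + padded


# Constructed sample traffic: one plain header and one header per option type.
SAMPLE_PACKETS = [
    build_ipv4_header(b""),                                            # no options
    build_ipv4_header(bytes([7, 7, 4]) + b"\x00" * 4),                 # record route
    build_ipv4_header(bytes([1, 131, 7, 4]) + bytes([192, 0, 2, 9])),  # NOP then LSRR
    build_ipv4_header(bytes([68, 12, 5, 0]) + b"\x00" * 8),            # timestamp
    build_ipv4_header(bytes([137, 7, 4]) + bytes([192, 0, 2, 9])),     # SSRR
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(parse_ip_options(pkt))
    print(count_option_hits(SAMPLE_PACKETS))
```

The per-name tally is what the zero counters in the quoted `ipfw show` output measure; running the parser over a capture from a real link would show whether those options appear at all before a default is changed.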