From: Andre Oppermann <andre@freebsd.org>
Date: Thu, 06 May 2004 21:35:41 +0200
To: David Wolfskill
cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org
Subject: Re: Default behaviour of IP Options processing
Message-ID: <409A938D.AAEF25C@freebsd.org>
References: <200405061929.i46JTRgi007101@bunrab.catwhisker.org>

David Wolfskill wrote:
> >However I want to propose to change the default from processing options
> >to ignoring options (or even stronger to reject them).
> >....
> >Opinions? Discussion? Yes/Nay?
>
> From "ipfw show" on my home gateway/NAT/packet filter box:
> ...
> 02000 0 0 deny log ip from any to any ipopt rr
> 02010 0 0 deny log ip from any to any ipopt ts
> 02020 0 0 deny log ip from any to any ipopt ssrr
> 02030 0 0 deny log ip from any to any ipopt lsrr
>
> I implemented those rules back around August, 1999, when I first set the
> box up; I don't recall that they have ever been triggered. (Uptime on
> the box is nowhere near 4+ years, as it's been tracking -STABLE about
> every couple of weeks:

I have done the same counters on my ISP's core routers with about 40Mbit/s
of junky unfiltered public Internet traffic for many hours now. No hits so
far.

--
Andre
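The four ipfw rules quoted above each match one IPv4 option type (record route, timestamp, strict and loose source route). The following is an added example, not code from the thread or from FreeBSD, showing how such option-bearing headers are recognised and counted offline: it walks the options area of a raw IPv4 header the same way a filter must, treating a malformed option length as a drop; the 10.0.0.x addresses and sample packets are constructed.

```python
import struct
from collections import Counter

# IPv4 option type codes behind the ipfw "ipopt" keywords in the rules above
OPTION_NAMES = {7: "rr", 68: "ts", 137: "ssrr", 131: "lsrr"}


def ip_options(packet: bytes) -> list:
    """Name each option found in an IPv4 header's options area.

    Raises ValueError on a truncated header or a bad option length; a filter
    should drop such packets rather than let them through unclassified."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts, i, found = packet[20:ihl], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # EOL: end of option list
            break
        if kind == 1:          # NOP: one-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")
        found.append(OPTION_NAMES.get(kind, "opt%d" % kind))
        i += opts[i + 1]
    return found


def ipopt_counters(packets) -> dict:
    """Tally, per ipfw keyword, how many packets carry each denied option;
    headers that fail to parse are counted under 'malformed'."""
    counts = Counter()
    for pkt in packets:
        try:
            for name in ip_options(pkt):
                if name in OPTION_NAMES.values():
                    counts[name] += 1
        except ValueError:
            counts["malformed"] += 1
    return dict(counts)


def build_ipv4(options: bytes) -> bytes:
    """Constructed test header (hypothetical 10.0.0.2 -> 10.0.0.3, TCP) with a
    4-byte-aligned options area appended; checksum is left zero."""
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                        0, 0, 64, 6, 0, bytes([10, 0, 0, 2]), bytes([10, 0, 0, 3]))
    return fixed + options


# Constructed samples: no options, LSRR with one hop plus NOP pad, timestamp, bad length
SAMPLES = [build_ipv4(b""), build_ipv4(bytes([131, 7, 4, 10, 0, 0, 1, 1])),
           build_ipv4(bytes([68, 8, 5, 0, 0, 0, 0, 0])), build_ipv4(bytes([131, 0, 0, 0]))]
```

Running `ipopt_counters(SAMPLES)` yields one hit each for lsrr and ts plus one malformed header, the same per-rule view that `ipfw show` gives in its packet counter column.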