Date: Sat, 08 May 2004 09:06:10 -0400
From: Richard Coleman <richardcoleman@mindspring.com>
To: Darren Reed <darrenr@hub.freebsd.org>
Cc: cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_fastfwd.c ip_input.c ip_var.h
Message-ID: <409CDB42.3080300@mindspring.com>
In-Reply-To: <20040507072031.GA48708@hub.freebsd.org>
References: <200405061846.i46Ik3Jc060969@repoman.freebsd.org> <20040506185854.GB1777@madman.celabo.org> <20040507072031.GA48708@hub.freebsd.org>
Darren Reed wrote:
>>> net.inet.ip.process_options=0 Ignore IP options and pass packets
>>> unmodified.
>>> net.inet.ip.process_options=1 Process all IP options (default).
>>> net.inet.ip.process_options=2 Reject all packets with IP options
>>> with ICMP filter prohibited message.
>>>
>>> This sysctl affects packets destined for the local host as well
>>> as those only transiting through the host (routing).
>>>
>>> IP options do not have any legitimate purpose anymore and are
>>> only used to circumvent firewalls or to exploit certain
>>> behaviours or bugs in TCP/IP stacks.
>>
>> Yay! Shall we have the default be `2 Reject all packets with IP
>> options...' ? I think so.
>
> It is disturbing to think that with 3 firewall solutions in the
> kernel, basic features they provide, such as this, still get
> implemented as code.
>
> Darren

I think it depends on what is the default for this sysctl. The problem
is that FreeBSD cannot turn on the standard firewalls by default. But it
is possible that this sysctl could be in the secure position (== 2) out
of the box and not be disruptive to most users. But, if the decision is
to turn this off by default (== 1) then I would (somewhat) agree with
you.

I know that someone (maybe phk) had mentioned that this sysctl short
circuits the firewall code and is much faster. But that probably doesn't
mean much since these packets are so rare.

Richard Coleman
richardcoleman@mindspring.com
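The three policies quoted in the commit message, modelled in userland as an added example that is not part of this thread or of the FreeBSD commit. The packet bytes are constructed for the example, and the function and type names (apply_process_options, ip_has_source_route, struct verdict) are this example's own; the option type codes are the RFC 791 values and the ICMP code is FreeBSD's ICMP_UNREACH_FILTER_PROHIB (type 3, code 13). The example also shows the one check a practitioner usually wants next to this sysctl: whether the options present are a source route (LSRR/SSRR), the option class actually used to steer packets around a firewall.

```c
/* Added example, not FreeBSD's ip_input.c: a userland model of
 * net.inet.ip.process_options applied to a constructed IPv4 header.
 * Names, packet bytes and the verdict struct are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The sysctl values as described in the commit message. */
enum process_options { PO_IGNORE = 0, PO_PROCESS = 1, PO_REJECT = 2 };

enum action {
    ACT_FORWARD_UNMODIFIED, /* no options, or mode 0: options left alone */
    ACT_PROCESS_OPTIONS,    /* mode 1: options parsed and honoured */
    ACT_REJECT_ICMP,        /* mode 2: dropped, ICMP unreachable sent back */
    ACT_DROP_MALFORMED      /* header or option lengths inconsistent */
};

struct verdict { enum action action; int icmp_type; int icmp_code; };

/* ICMP destination unreachable, "communication administratively
 * prohibited" (ICMP_UNREACH_FILTER_PROHIB in FreeBSD). */
#define ICMP_UNREACH 3
#define ICMP_UNREACH_FILTER_PROHIB 13

/* IP option type codes from RFC 791. */
#define IPOPT_EOL  0
#define IPOPT_NOP  1
#define IPOPT_LSRR 131
#define IPOPT_SSRR 137

/* Header length in bytes from IHL, or 0 if the header is malformed. */
static size_t ip_header_len(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t hl = (size_t)(pkt[0] & 0x0f) * 4;
    return (hl < 20 || hl > len) ? 0 : hl;
}

/* Walk the option area checking every length field; 1 if well formed. */
static int ip_options_valid(const uint8_t *opts, size_t optlen)
{
    for (size_t i = 0; i < optlen; ) {
        uint8_t type = opts[i];
        if (type == IPOPT_EOL) return 1;
        if (type == IPOPT_NOP) { i++; continue; }
        if (i + 1 >= optlen) return 0;            /* length byte missing */
        uint8_t l = opts[i + 1];
        if (l < 2 || i + l > optlen) return 0;    /* length runs past area */
        i += l;
    }
    return 1;
}

/* Apply one process_options policy to a packet and return the verdict. */
struct verdict apply_process_options(enum process_options mode,
                                     const uint8_t *pkt, size_t len)
{
    struct verdict v = { ACT_FORWARD_UNMODIFIED, -1, -1 };
    size_t hl = ip_header_len(pkt, len);
    if (hl == 0) { v.action = ACT_DROP_MALFORMED; return v; }
    if (hl == 20) return v;                       /* no options at all */
    switch (mode) {
    case PO_IGNORE:                               /* pass untouched, no parse */
        return v;
    case PO_REJECT:                               /* drop, answer with ICMP */
        v.action = ACT_REJECT_ICMP;
        v.icmp_type = ICMP_UNREACH; v.icmp_code = ICMP_UNREACH_FILTER_PROHIB;
        return v;
    default:                                      /* PO_PROCESS: must parse */
        v.action = ip_options_valid(pkt + 20, hl - 20)
                 ? ACT_PROCESS_OPTIONS : ACT_DROP_MALFORMED;
        return v;
    }
}

/* 1 if the header carries a loose or strict source route option. */
int ip_has_source_route(const uint8_t *pkt, size_t len)
{
    size_t hl = ip_header_len(pkt, len);
    if (hl <= 20) return 0;
    const uint8_t *opts = pkt + 20; size_t optlen = hl - 20;
    if (!ip_options_valid(opts, optlen)) return 0;
    for (size_t i = 0; i < optlen; ) {
        uint8_t type = opts[i];
        if (type == IPOPT_EOL) break;
        if (type == IPOPT_NOP) { i++; continue; }
        if (type == IPOPT_LSRR || type == IPOPT_SSRR) return 1;
        i += opts[i + 1];
    }
    return 0;
}

/* Constructed sample headers (not captures). TCP, 10.0.0.1 -> 10.0.0.2. */
const uint8_t pkt_plain[20] = { 0x45,0,0,20, 0,0,0,0, 64,6,0,0,
                                10,0,0,1, 10,0,0,2 };
/* IHL=7: LSRR (type 131, len 7, ptr 4, one hop 192.0.2.1), then EOL. */
const uint8_t pkt_lsrr[28]  = { 0x47,0,0,28, 0,0,0,0, 64,6,0,0,
                                10,0,0,1, 10,0,0,2, 131,7,4,192,0,2,1, 0 };
/* IHL=7 but the LSRR length byte (20) points past the option area. */
const uint8_t pkt_badopt[28] = { 0x47,0,0,28, 0,0,0,0, 64,6,0,0,
                                 10,0,0,1, 10,0,0,2, 131,20,4,192,0,2,1, 0 };

int main(void)
{
    for (int m = PO_IGNORE; m <= PO_REJECT; m++) {
        struct verdict v = apply_process_options(m, pkt_lsrr, sizeof pkt_lsrr);
        printf("mode %d: action %d icmp %d/%d\n", m, v.action, v.icmp_type, v.icmp_code);
    }
    printf("LSRR packet carries a source route: %d\n",
           ip_has_source_route(pkt_lsrr, sizeof pkt_lsrr));
    return 0;
}
```

The point the model makes concrete is the one raised in the reply: mode 0 and mode 2 never walk the option area at all, so a packet with a bogus option length is passed (mode 0) or rejected (mode 2) without the parser ever touching it, whereas mode 1 has to parse and is the only mode exposed to option-parsing bugs. On a FreeBSD host the real knob is set with `sysctl net.inet.ip.process_options=2`.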