Default behaviour of IP Options processing
Andre Oppermann
andre at freebsd.org
Thu May 6 12:35:44 PDT 2004
David Wolfskill wrote:
> >However I want to propose to change the default from processing options
> >to ignoring options (or even stronger to reject them).
>
> >....
>
> >Opinions? Discussion? Yes/Nay?
>
> From "ipfw show" on my home gateway/NAT/packet filter box:
>
> ...
> 02000 0 0 deny log ip from any to any ipopt rr
> 02010 0 0 deny log ip from any to any ipopt ts
> 02020 0 0 deny log ip from any to any ipopt ssrr
> 02030 0 0 deny log ip from any to any ipopt lsrr
>
> I implemented those rules back around August, 1999, when I first set the
> box up; I don't recall that they have ever been triggered. (Uptime on
> the box is nowhere near 4+ years, as it's been tracking -STABLE about
> every couple of weeks:
I have done the same counters on my ISP's core routers with about 40Mbit/s
of junky unfiltered public Internet traffic for many hours now. No hits
so far.
--
Andre
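As an added illustration, not part of this thread and not FreeBSD or ipfw code, here is a small Python parser that walks the IPv4 options area of a header and emulates the four "deny log ip from any to any ipopt rr/ts/ssrr/lsrr" counters quoted above. The option type codes (RR=7, TS=68, LSRR=131, SSRR=137) are the RFC 791 values; the first-match rule ordering mirrors the quoted rule numbers, and treating a malformed options area as a drop is this example's own choice, not something the post claims ipfw does. The sample packets are constructed inline.

```python
import struct

# IPv4 option type codes from RFC 791 (known values, not quoted from the post)
IPOPT_EOL = 0     # end of option list, single byte
IPOPT_NOP = 1     # no-op padding, single byte
IPOPT_RR = 7      # record route
IPOPT_TS = 68     # timestamp
IPOPT_LSRR = 131  # loose source route
IPOPT_SSRR = 137  # strict source route

# Option names as ipfw spells them, and the rule order from the quoted "ipfw show"
IPOPT_NAMES = {IPOPT_RR: "rr", IPOPT_TS: "ts", IPOPT_SSRR: "ssrr", IPOPT_LSRR: "lsrr"}
RULE_ORDER = ["rr", "ts", "ssrr", "lsrr"]


def parse_ip_options(packet):
    """Return the option type codes present in an IPv4 header (NOP/EOL excluded).

    Raises ValueError on a truncated or malformed header; the emulated filter
    below treats that as a drop (an assumption of this example).
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts = packet[20:ihl]
    found = []
    i = 0
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option missing length byte")
        ln = opts[i + 1]
        if ln < 2 or i + ln > len(opts):
            raise ValueError("bad option length")
        found.append(t)
        i += ln
    return found


def build_ipv4(options, payload=b""):
    """Construct a minimal IPv4 header carrying the given options (checksum left 0)."""
    options = options + b"\x00" * ((-len(options)) % 4)   # pad to 32-bit words
    ihl = 5 + len(options) // 4
    total = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, 6, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))  # TEST-NET addresses
    return hdr + options + payload


def ipopt_rule_counters(packets):
    """Emulate the quoted deny rules: returns ({name: [packets, bytes]}, verdicts)."""
    counters = {name: [0, 0] for name in RULE_ORDER}
    verdicts = []
    for pkt in packets:
        try:
            present = {IPOPT_NAMES[t] for t in parse_ip_options(pkt) if t in IPOPT_NAMES}
        except ValueError:
            verdicts.append("deny (malformed)")
            continue
        hit = next((name for name in RULE_ORDER if name in present), None)
        if hit is None:
            verdicts.append("allow")
            continue
        counters[hit][0] += 1          # packet counter, as in the ipfw show column
        counters[hit][1] += len(pkt)   # byte counter
        verdicts.append("deny ipopt " + hit)
    return counters, verdicts


# Constructed sample packets: plain, RR, NOP+TS, LSRR, and one with a bad option length
SAMPLE_PACKETS = [
    build_ipv4(b""),
    build_ipv4(b"\x07\x07\x04" + b"\x00" * 4),
    build_ipv4(b"\x01\x44\x08\x05\x00" + b"\x00" * 4),
    build_ipv4(b"\x83\x07\x04" + b"\x00" * 4),
    build_ipv4(b"\x07\x00"),
]


def demo():
    return ipopt_rule_counters(SAMPLE_PACKETS)


if __name__ == "__main__":
    counters, verdicts = demo()
    for name in RULE_ORDER:
        print("deny ip from any to any ipopt %-4s  pkts=%d bytes=%d" % (name, *counters[name]))
    print(verdicts)
```

Run as a script it prints the four counters in the same order as the quoted rules; fed real headers (e.g. from a pcap) it gives the same kind of hit count the two posters report seeing stay at zero.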