In some mail from Peter Ford, sie said:
> How many firewalls out there are looking at TCP traffic and
> dropping/blocking packets with TCP options set?

So far, there aren't any TCP header options which pose a threat to
security, so one might argue there is no reason to check them for
flagging a packet to drop. But I wouldn't put it past a firewall to
check that the TCP options present are recognised - an interesting
place to put a covert channel :) However, all proxy firewalls will
interpret TCP header options locally and the other connection made
by the proxy is not likely to reflect the originator (so far as TCP
options go) and this is quite valid. You may get lucky with the
window size but that is constrained by the host's operating system.
But I wouldn't go adding new, undocumented TCP header options just
because you can (and get away with it), expecting them to work.

Darren
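
Added example, not part of the original message: a sketch of the "are the TCP options present recognised" check discussed above, walking the option list of a raw TCP header and reporting unknown kinds, bad lengths and non-zero padding. The `KNOWN` table is a partial list chosen for illustration, and the function names and sample headers are constructed here.

```python
import struct

# Subset of the IANA TCP option kinds: kind -> (name, fixed total length or None).
KNOWN = {2: ("MSS", 4), 3: ("WScale", 3), 4: ("SACK-Permitted", 2),
         5: ("SACK", None), 8: ("Timestamps", 10)}

def audit_tcp_options(header: bytes):
    """Walk the options of a raw TCP header; return (kinds_seen, findings)."""
    kinds, findings = [], []
    if len(header) < 20:
        return kinds, ["header shorter than 20 bytes"]
    hlen = (header[12] >> 4) * 4            # data offset field, in bytes
    if hlen < 20 or hlen > len(header):
        return kinds, [f"bad data offset {hlen}"]
    opts, i = header[20:hlen], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                        # End of Option List
            kinds.append(0)
            if any(opts[i + 1:]):            # padding after EOL must be zero
                findings.append("non-zero bytes after EOL")
            break
        if kind == 1:                        # NOP is a single byte
            kinds.append(1)
            i += 1
            continue
        if i + 1 >= len(opts):
            findings.append(f"kind {kind}: missing length byte")
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            findings.append(f"kind {kind}: invalid length {length}")
            break
        name, fixed = KNOWN.get(kind, (None, None))
        if name is None:
            findings.append(f"unrecognised option kind {kind}")
        elif fixed is not None and length != fixed:
            findings.append(f"{name}: length {length}, expected {fixed}")
        kinds.append(kind)
        i += length
    return kinds, findings

def sample_header(options: bytes) -> bytes:
    """Constructed SYN header (arbitrary ports/sequence) carrying `options`."""
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, offset << 4, 0x02,
                       65535, 0, 0) + options

# Constructed inputs: a typical SYN, and one with kind 222 (not in KNOWN).
NORMAL = sample_header(bytes([2, 4, 5, 180, 1, 3, 3, 7]))
ODD = sample_header(bytes([2, 4, 5, 180, 222, 4, 65, 66]))
```

A filter built on this would log or drop when `findings` is non-empty; which of the two is a policy decision the message leaves open.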