Great Circle Associates Firewalls
(October 1997)

Subject: Re: TCP options and firewalls1
From: Darren Reed <avalon @ coombs . anu . edu . au>
Date: Wed, 15 Oct 1997 23:57:44 +1000 (EST)
To: peterf @ microsoft . com (Peter Ford)
Cc: Firewalls @ GreatCircle . COM (Firewalls Mailing List)
In-reply-to: <8D8EF175E72CD111805800805F3198EE1A5697 @ RED-MSG-46 . dns . microsoft . com> from "Peter Ford" at Oct 14, 97 08:38:47 pm

In some mail from Peter Ford, sie said:
> How many firewalls out there are looking at TCP traffic and
> dropping/blocking packets with TCP options set?

So far, there aren't any TCP header options which pose a threat to
security, so one might argue there is no reason to check them for
flagging a packet to drop.  But I wouldn't put it past a firewall to
check that the TCP options present are recognised - an interesting
place to put a covert channel :)  However, all proxy firewalls will
interpret TCP header options locally and the other connection made
by the proxy is not likely to reflect the originator (so far as TCP
options go) and this is quite valid.  You may get lucky with the
window size but that is constrained by the host's operating system.

But I wouldn't go adding new, undocumented TCP header options just
because you can (and get away with it), expecting them to work.

Darren
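The check Darren mentions, a firewall verifying that the TCP options present are recognised, as an added example that is not from the original post or the list archive: a Python parser that walks the option list of a raw TCP header, reports malformed encodings (which should cause a drop), and lists option kinds outside an allow-list. The KNOWN_KINDS allow-list and the sample SYN header are assumptions constructed for the example.

```python
import struct

# Assumed allow-list: IANA-assigned option kinds that are widely deployed.
# Anything else is reported so the operator can decide what to do with it.
KNOWN_KINDS = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WScale",
               4: "SACK-Permitted", 5: "SACK", 8: "Timestamps"}


def parse_tcp_options(tcp_header: bytes):
    """Return (options, problems). options is a list of (kind, payload);
    problems lists malformed encodings a filter should treat as a drop."""
    if len(tcp_header) < 20:
        return [], ["header shorter than 20 bytes"]
    data_offset = (tcp_header[12] >> 4) * 4  # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_header):
        return [], [f"bad data offset {data_offset}"]
    opts, problems = [], []
    i = 20
    while i < data_offset:
        kind = tcp_header[i]
        if kind == 0:                      # EOL: rest of the area is padding
            opts.append((0, b""))
            break
        if kind == 1:                      # NOP: single-byte option
            opts.append((1, b""))
            i += 1
            continue
        if i + 1 >= data_offset:           # kind byte with no length byte
            problems.append(f"kind {kind} truncated (no length byte)")
            break
        length = tcp_header[i + 1]
        if length < 2 or i + length > data_offset:
            problems.append(f"kind {kind} has invalid length {length}")
            break
        opts.append((kind, tcp_header[i + 2:i + length]))
        i += length
    return opts, problems


def unrecognised_kinds(tcp_header: bytes):
    """Option kinds outside KNOWN_KINDS, plus any encoding problems found."""
    opts, problems = parse_tcp_options(tcp_header)
    return sorted({k for k, _ in opts if k not in KNOWN_KINDS}), problems


def build_sample():
    """Constructed SYN carrying MSS, NOP, WScale and an unassigned kind 200."""
    options = (struct.pack("!BBH", 2, 4, 1460)      # MSS 1460
               + bytes([1])                         # NOP
               + bytes([3, 3, 7])                   # WScale 7
               + bytes([200, 4, 0xAB, 0xCD]))       # unknown kind 200
    options += b"\x00" * (-len(options) % 4)        # pad to a 32-bit boundary
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                        data_offset << 4, 0x02, 65535, 0, 0)
    return fixed + options
```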

