Firewalls: Re: Filtering all IP Packets that contain options

Firewalls
(September 1994)

Indexed By Thread: [Previous] [Next]

Subject:	Re: Filtering all IP Packets that contain options
From:	strick -- henry strickland <strick @ versant . com>
Date:	Thu, 08 Sep 94 16:27:51 -0700
To:	smartin @ fujitsu . ca (Steve Martin)
Cc:	firewalls @ GreatCircle . COM
In-reply-to:	Your message of "Thu, 08 Sep 94 13:22:57 EDT." <9409081722 . AA17449 @ falcon . fujitsu . ca>

THUS SPAKE smartin @
 fujitsu .
 ca (Steve Martin):
# I am therefore thinking of tossing all incoming IP packets that do not
# have an IP header length of 5 words. This means that I will be tossing all
# packets that contain options. Is there a problem with this? From what I've read,

I find that only exotic things, the kinds you don't want, have ip_hl != 5.

You should do fine like that.

(However there is a TCP header option (not ip header options)
that happens on most TCP streams -- the Max Segment Size option.)

				strick

References:

Filtering all IP Packets that contain options
From: smartin @ fujitsu . ca (Steve Martin)

Indexed By Date	Previous:	dual ethernet ports From: "Tobias J. Kreidl" <tjk @ sinagua . ucc . nau . edu>
Indexed By Date	Next:	[no subject] From: Tom . Ajayebi @ Corp . Sun . COM (Tom Ajayebi)
Indexed By Thread	Previous:	Filtering all IP Packets that contain options From: smartin @ fujitsu . ca (Steve Martin)
Indexed By Thread	Next:	Filtering all IP Packets that contain options From: ingemar @ anjou . data . telia . se (Ingemar Lundqvist)