Firewalls: Filtering on IP options -- ?

Firewalls
(March 1996)

Indexed By Thread: [Previous] [Next]

Subject:	Filtering on IP options -- ?
From:	"Andrew V. Stesin" <stesin @ elvisti . kiev . ua>
Date:	Fri, 22 Mar 1996 19:45:04 +0200 (EET)
To:	firewalls @ greatcircle . com

Dear filtering gurus,

Q.1:
suppose that due to resource shortage I'm going to combine
the functionality of internal filtering router and bastion host
in a single FreeBSD box, which has _both_ input and output
packet filtering facilities.  (See C&B p.69, fig.3.11)
Is that considered to be evil?

Q.2:
where can I get a _detailed_ explanation of what is the
recommended strategy of packet filtering depending on IP options?
What IP options are considered harmful and why?

(Electronic resourses are preferred: I have no access to books
other than C&B 1st ed., sorry :(  )

Thanks!

-- 

	With best regards -- Andrew Stesin.

	+380 (44) 2760188	+380 (44) 2713457	+380 (44) 2713560

	"You may delegate authority, but not responsibility."
					Frank's Management Rule #1.

Indexed By Date	Previous:	Re: Application proxie for NT From: "Mark E. Brandon" <mark @ toukan . com>
Indexed By Date	Next:	Java From: mcnabb @ argus . cu-online . com (Paul McNabb)
Indexed By Thread	Previous:	Re: Application proxie for NT From: "Mark E. Brandon" <mark @ toukan . com>
Indexed By Thread	Next:	[no subject] From: Mustapha Obeid <musta @ eve . info . umoncton . ca>