Most routers will let you select stuff starting from the start of the
TCP header, yeah. 3Com and NSC, at least, give you moderately flexible access
to arbitrary transport stuff, based on wherever the IP header ends (I doubt
that even the 3Com folks would claim their syntax is pretty, but it does
work). Everybody gets the ports out correctly, from wherever they are.

It is probably wise to heave anything with IHL != 5, unless you have
the capability of filtering out specific naughty options. NSC will let you
strip out options you don't like, while leaving ones you do in (you might
like IP security options or something, for some reason). If it has an IP
option, and it's arriving from the internet, 95% probability that someone is
being naughty, at the very least trying to Find Things Out about your

I'd say that IHL != 5 and fragment offset < 4 (or thereabouts,
4 is good enough for any attacks I know about, but 8 probably wouldn't
hurt) are darn good sanity checks for general well-formedness of IP
packets from places you don't trust pretty well.

If people are interested in NSC syntax for doing amusing things
like this, drop me a note. Doing it right is a little verbose.
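
An added example, not part of the original message and not any router's filter syntax: the two sanity checks above applied to raw IPv4 bytes in Python. It assumes "fragment offset < 4" means a nonzero offset below 4 (in 8-byte units), since offset 0 is every unfragmented packet; the function names are hypothetical and the sample packets are constructed with documentation addresses.

```python
import struct

MIN_FRAG_OFFSET = 4  # 8-byte units; the message suggests 4, or 8 to be stricter


def build_ipv4(ihl=5, frag_offset=0, more_frags=False, proto=6, payload=b""):
    """Build a constructed sample IPv4 packet (checksum left at 0)."""
    options = b"\x01" * ((ihl - 5) * 4)  # NOP bytes standing in for IP options
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    total_len = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0,
                      flags_frag, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + options + payload


def check_ipv4(pkt, min_frag_offset=MIN_FRAG_OFFSET):
    """Return ("pass", (sport, dport) or None) or ("drop", reason)."""
    if len(pkt) < 20:
        return ("drop", "shorter than a minimal IP header")
    ver_ihl, _tos, _len, _id, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", pkt[:10])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        return ("drop", "not IPv4")
    if ihl != 5:  # options present (IHL > 5) or malformed header (IHL < 5)
        return ("drop", "IHL != 5")
    offset = flags_frag & 0x1FFF  # low 13 bits of the flags/offset word
    if 0 < offset < min_frag_offset:  # assumed reading of "offset < 4"
        return ("drop", "fragment offset below minimum")
    if offset == 0 and proto in (6, 17):  # TCP/UDP: ports follow the IP header
        l4 = pkt[ihl * 4: ihl * 4 + 4]
        if len(l4) < 4:
            return ("drop", "transport header truncated")
        return ("pass", struct.unpack("!HH", l4))
    return ("pass", None)  # later fragment or other protocol: no ports here


if __name__ == "__main__":
    tcp = struct.pack("!HH", 40000, 25) + b"\x00" * 16
    for label, pkt in [("plain TCP", build_ipv4(payload=tcp)),
                       ("with options", build_ipv4(ihl=6, payload=tcp)),
                       ("offset 1", build_ipv4(frag_offset=1, payload=b"x" * 8)),
                       ("offset 4", build_ipv4(frag_offset=4, payload=b"x" * 8))]:
        print(label, check_ipv4(pkt))
```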