On 15.10.2006 17:34 Dinesh Nair wrote:
> this line currently blocks IGMP multicast packets, so i've successfully
> removed it from filter.inc.
I'd suggest following steps 4 and 5 in the link below to allow only IGMP
and block all other IP packets with IP options:
<http://m0n0.ch/wall/list-dev/showmsg.php?id=3/51>
> however, my reason for this email is to check why incoming packets with IP
> options are blocked by default, and what implications have I opened up by
> removing this rule? or rather, what was the reasoning behind adding
> this rule in?
>
This rule is also used in the FreeBSD handbook (1) together with some
other "different nasty things".
One reason for using this rule may be that in most cases applications
don't use them, especially the source routing features.
Another is that applications can define their own options to carry out
features that you would not allow through a firewall.
But I'm sure someone deeper into firewalling will explain it better.
Regards
-Björn
(1)
<http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html>
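To make the policy discussed in this thread concrete, here is an added example that is not part of the original message, of m0n0wall's filter.inc, or of the linked list post: a small Python model of a firewall's "with ipopts" check that passes IGMP packets carrying only the Router Alert option (the option IGMPv2/v3 actually uses, RFC 2236 / RFC 3376) and blocks every other packet whose IPv4 header carries options, including the source-routing options (LSRR/SSRR) that the reply above calls out. The packets are constructed inline with a zero checksum and placeholder addresses, purely for illustration; the exact contents of steps 4 and 5 in the linked post are not reproduced here, and the "IGMP only" policy below is the one stated in the reply, not a claim about what those steps contain.

```python
import struct

# Protocol numbers and IPv4 option type codes (RFC 791, RFC 2113).
IPPROTO_IGMP = 2
IPPROTO_TCP = 6
IPPROTO_UDP = 17
OPT_EOL = 0            # end of option list
OPT_NOP = 1            # padding
OPT_LSRR = 131         # loose source and record route
OPT_SSRR = 137         # strict source and record route
OPT_ROUTER_ALERT = 148 # carried by IGMPv2/v3 membership messages


def parse_ipv4_options(packet: bytes):
    """Return (protocol, [option type codes]) for a raw IPv4 packet.

    NOP and EOL are treated as padding and not reported. Raises ValueError on a
    malformed header so the caller can fail closed.
    """
    if len(packet) < 20:
        raise ValueError("short packet")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError("not a valid IPv4 header")
    hlen = ihl * 4
    if len(packet) < hlen:
        raise ValueError("truncated header")
    proto = packet[9]
    opts = packet[20:hlen]
    types = []
    i = 0
    while i < len(opts):
        t = opts[i]
        if t == OPT_EOL:
            break
        if t == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        types.append(t)
        i += length
    return proto, types


def decide(packet: bytes) -> str:
    """Model of the 'block ... with ipopts' rule with an IGMP exception.

    'pass' means the packet is not matched by this rule and continues down
    the ruleset; 'block' means it is dropped here.
    """
    try:
        proto, types = parse_ipv4_options(packet)
    except ValueError:
        return "block"          # malformed header: fail closed
    if (packet[0] & 0x0F) == 5:
        return "pass"           # no options at all, rule does not apply
    if proto == IPPROTO_IGMP and types and all(t == OPT_ROUTER_ALERT for t in types):
        return "pass"           # the only option IGMP legitimately needs
    return "block"              # any other packet with IP options


def build_ipv4(proto: int, options: bytes, payload: bytes = b"") -> bytes:
    """Construct a sample IPv4 packet (constructed data, checksum left at zero)."""
    if len(options) % 4:
        options += bytes(4 - len(options) % 4)   # pad with EOL to a 32-bit boundary
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                         0, 0, 64, proto, 0, bytes([192, 0, 2, 1]), bytes([224, 0, 0, 1]))
    return header + options + payload


# Constructed sample packets.
IGMP_ROUTER_ALERT = build_ipv4(IPPROTO_IGMP, bytes([OPT_ROUTER_ALERT, 4, 0, 0]),
                               bytes([0x16, 0, 0, 0, 224, 0, 0, 1]))  # v2 membership report
TCP_LSRR = build_ipv4(IPPROTO_TCP, bytes([OPT_LSRR, 7, 4, 10, 0, 0, 1]))   # source-routed
UDP_PLAIN = build_ipv4(IPPROTO_UDP, b"")                                    # no options
UDP_ROUTER_ALERT = build_ipv4(IPPROTO_UDP, bytes([OPT_ROUTER_ALERT, 4, 0, 0]))
BAD_LENGTH = build_ipv4(IPPROTO_IGMP, bytes([OPT_ROUTER_ALERT, 9, 0, 0]))   # length overruns

if __name__ == "__main__":
    for name, pkt in [("IGMP+RA", IGMP_ROUTER_ALERT), ("TCP+LSRR", TCP_LSRR),
                      ("UDP", UDP_PLAIN), ("UDP+RA", UDP_ROUTER_ALERT), ("bad", BAD_LENGTH)]:
        print(f"{name:8s} -> {decide(pkt)}")
```

The point the parser makes explicit is why the blanket rule exists in the first place: IHL alone tells you that options are present, but only walking the option list tells you whether they are harmless padding, a Router Alert that IGMP needs, or a source route that can steer return traffic somewhere the ruleset never anticipated. Malformed option lengths are dropped rather than passed, matching the fail-closed behaviour a firewall should have.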