On 24.10.2006 11:30 Dinesh Nair wrote:
> One reason for using this rule may be that in most cases applications
> don't use it, especially the source routing features.
>
> however, multicasting applications use it, and when m0n0wall is used
> as a router, this rule effectively denies multicasting apps traffic.
>
> one suggestion would be to include an option to turn off this default
> rule being added in the webGUI. is this acceptable?
>
When disabling that rule completely one would allow ipopts not only for
multicast traffic but for all IP packets. This may not be desirable.
What about adding the filter needed for those multicast apps in between
the "# block short packets" and "# block IP options" rules. Additionally
those could be configurable.
Like this:
rootfs-1.23b1\etc\inc\filter.inc:
*snip*
$ipfrules .= <<<EOD
# block short packets
block in $log quick all with short

EOD;

// only emit the multicast exception when it is enabled in the config
if (isset($config['filter']['multicast'])) {
	$ipfrules .= <<<EOD
# Allow multicast IGMP (more rules may be needed, or ipopts could be specified)
pass in quick from any to 224.0.0.0/4
pass out quick from any to 224.0.0.0/4

EOD;
}

$ipfrules .= <<<EOD
# block IP options
block in $log quick all with ipopts

EOD;
*snip*
Maybe a packettrace of the app you are using could help?
Regards
-Bjoern
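As an added illustration (not code from this thread or from m0n0wall), the following toy model of ipfilter's first-match `quick` evaluation compares the three rulesets discussed: the shipped default, the narrow multicast exception placed between the short-packet and ipopts rules, and the alternative of dropping the ipopts rule altogether. The packets, rule representation and mode names are constructed for the example; it does not parse real ipf.conf syntax, and the trailing "pass" stands in for the later pass rules a full ruleset would contain.

```python
"""Toy model of ipfilter first-match ("quick") evaluation.

Constructed example comparing rule orderings from the thread; it is not
m0n0wall code and does not parse ipf.conf. Sample packets are made up.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

MULTICAST = ip_network("224.0.0.0/4")


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out"
    dst: str                # destination address as text
    ipopts: bool = False    # carries IP options (IGMP uses Router Alert)
    short: bool = False     # truncated header, what "with short" matches


@dataclass(frozen=True)
class Rule:
    action: str                             # "pass" or "block"
    direction: str                          # "in" or "out"
    dst: Optional[IPv4Network] = None       # None means "any"
    with_ipopts: bool = False               # ipfilter "with ipopts"
    with_short: bool = False                # ipfilter "with short"

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction:
            return False
        if self.dst is not None and ip_address(pkt.dst) not in self.dst:
            return False
        if self.with_ipopts and not pkt.ipopts:
            return False
        if self.with_short and not pkt.short:
            return False
        return True


def build_ruleset(mode: str) -> List[Rule]:
    """mode "default":        short-block then ipopts-block (as shipped)
       mode "multicast":      the multicast pass inserted between them
       mode "no_ipopts_rule": ipopts-block removed entirely"""
    rules = [Rule("block", "in", with_short=True)]
    if mode == "multicast":
        rules.append(Rule("pass", "in", dst=MULTICAST))
        rules.append(Rule("pass", "out", dst=MULTICAST))
    if mode != "no_ipopts_rule":
        rules.append(Rule("block", "in", with_ipopts=True))
    return rules


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """All rules are 'quick': the first match decides. Falling through
    passes, standing in for the later pass rules of a full ruleset."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "pass"


# Constructed sample traffic (addresses are documentation/multicast ranges).
SAMPLES = {
    "igmp_router_alert": Packet("in", "224.0.0.1", ipopts=True),
    "multicast_no_opts": Packet("in", "239.1.2.3"),
    "unicast_ipopts": Packet("in", "192.0.2.10", ipopts=True),
    "multicast_short": Packet("in", "224.0.0.1", ipopts=True, short=True),
}


def verdicts(mode: str) -> dict:
    """Verdict per sample packet for the given ruleset mode."""
    rules = build_ruleset(mode)
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for mode in ("default", "multicast", "no_ipopts_rule"):
        print(mode, verdicts(mode))
```

The point the model makes visible: with the exception inserted, IGMP with Router Alert passes while unicast packets carrying IP options are still blocked; removing the ipopts rule lets both through. Keeping the short-packet block ahead of the multicast pass also matters, since a truncated multicast packet is still dropped in every mode.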