> Can anyone point me to some info on blocking ip options?
> A search of cisco's site and dejanews does not show anything.
>
> Hal Kuff
> TESSCO Technologies

IOS has support for blocking a few IP Options, including source route and IP security; however, the PIX firewall seems to be the only Cisco product that appears to block the more obscure options.

Darren Reed's IP Filter (see http://newcoombs.anu.edu.au/~avalon/ for details) is a free packet filter as a loadable kernel module, runs on many Unix platforms, and is included in the current (Free|Net|Open)BSD distributions. IP Filter (ipf) can block IP Options and all short fragments.

Where I have installed ipf, the ipf.rules file usually begins with:

    block in quick from any to any with short frag
    block in quick all with ipopts

I usually then go on to block spoofed packets, including the RFC 1597 source addresses, and for the truly paranoid, any packets claiming the 127. network exists on other than the loopback interface.

Kevin
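As an added illustration (not part of Kevin's message or of IP Filter itself), this Python sketch reproduces in user space what the two ipf rules and the anti-spoof rules quoted above test for: it parses a constructed IPv4 header, lists the IP options present (naming the IP Security and source-route options), flags a first fragment too short to carry its transport header, and flags RFC 1597 or 127/8 source addresses arriving on a hypothetical external interface named ext0 (lo0 standing for loopback). The interface names, the short-fragment approximation and the sample packets are assumptions.

```python
import ipaddress
import struct

# IP option types the message singles out: IP Security and the two source-route options
OPTION_NAMES = {0x82: "security", 0x83: "lsrr", 0x89: "ssrr"}
# RFC 1597 private ranges and the loopback network (spoofed when seen as a source on ext0)
RFC1597_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")
MIN_TRANSPORT_HDR = {6: 20, 17: 8, 1: 8}  # TCP, UDP, ICMP minimum header sizes (approximation)

def build_ipv4(src, dst, proto, options=b"", payload=b"", more_frags=False):
    """Construct a sample IPv4 packet (checksum left zero; nothing here verifies it)."""
    options += b"\x00" * (-len(options) % 4)           # pad option list to a 32-bit boundary
    ihl = 5 + len(options) // 4
    flags_frag = 0x2000 if more_frags else 0            # MF flag set, fragment offset 0
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options) + len(payload),
                         1, flags_frag, 64, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + options + payload

def classify_ipv4(packet, iface="ext0"):
    """Report what ipf's 'with ipopts', 'with short' and anti-spoof rules would match.
    iface is the (hypothetical) interface name the packet is assumed to have arrived on."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad header length")
    total_len, _, flags_frag, _, proto = struct.unpack("!HHHBB", packet[2:10])
    src = ipaddress.ip_address(packet[12:16])
    # Walk the option list: type 0 ends it, type 1 (NOP) is one byte, others carry a length
    options, i = [], 20
    while i < ihl:
        kind = packet[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        options.append(OPTION_NAMES.get(kind, "type-%d" % kind))
        i += max(packet[i + 1], 2) if i + 1 < ihl else 2   # never loop on a zero length byte
    # 'short': a first fragment (or whole packet) whose payload cannot hold the transport header
    payload_len = total_len - ihl
    first_frag = (flags_frag & 0x1FFF) == 0
    short = first_frag and payload_len < MIN_TRANSPORT_HDR.get(proto, 0)
    # anti-spoof: RFC 1597 sources on the external interface, 127/8 anywhere but loopback
    spoofed = (iface != "lo0" and src in LOOPBACK_NET) or \
              (iface == "ext0" and any(src in n for n in RFC1597_NETS))
    return {"ipopts": options, "short": short, "spoofed_source": spoofed}
```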
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:09:06 PDT