At 10:28 09/11/01 +0530, Kshitij Gunjikar wrote:
>Hi ALL,
> I have a question. Can we process IP options in a packet before we send it
>to a firewall and NAT?
>
>If we see the code for IP (ip_input.c) in FreeBSD, you notice that we check the
>checksum and then send the packet for firewalling and NATting. Is it
>possible or correct to process IP options before firewalling or NAT?
If you continue reading ip_input.c, you'll see that option processing (ip_dooptions) can forward the packet without returning to ip_input (there is a call to ip_forward()), so this would make the code more complex.

Now even if things were different (such as ip_dooptions() having extra arguments to state where the packet must be sent, instead of forwarding it directly), some IP options are a security problem and it is desirable to let the firewalling code handle them. An example is source routing, which is generally prohibited by firewalls.

cheers,
mouss

_______________________________________________
Firewalls mailing list
http://lists.gnac.net/mailman/listinfo/firewalls
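The reply's point is that the firewall needs to see the IP options (source routing in particular) before the stack acts on them. The following is an added, stand-alone illustration of the check a firewall would apply, written for this thread; it is not FreeBSD's ip_dooptions() code and makes no use of kernel structures. It walks the IPv4 option list by the RFC 791 layout (type, length, data), flags the loose and strict source-route options (type values 131 and 137), and treats inconsistent lengths as a reason to drop. The sample headers are constructed by hand, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IPv4 option type values from RFC 791 (copy flag + class + number). */
#define IPOPT_EOL  0    /* end of option list */
#define IPOPT_NOP  1    /* no operation */
#define IPOPT_LSRR 131  /* loose source and record route */
#define IPOPT_SSRR 137  /* strict source and record route */

enum ipopt_verdict {
    IPOPT_CLEAN = 0,          /* no options, or none the policy objects to */
    IPOPT_SOURCE_ROUTED = 1,  /* LSRR or SSRR present: firewall policy drop */
    IPOPT_MALFORMED = -1      /* header/option lengths inconsistent: drop */
};

/* Walk the IPv4 option list and classify the packet for firewall policy.
 * pkt points at the first byte of the IPv4 header; len is the bytes available. */
int ipv4_option_verdict(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return IPOPT_MALFORMED;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;   /* IHL is in 32-bit words */
    if (hlen < 20 || hlen > len)
        return IPOPT_MALFORMED;

    size_t off = 20;                 /* options start after the fixed header */
    int verdict = IPOPT_CLEAN;
    while (off < hlen) {
        uint8_t type = pkt[off];
        if (type == IPOPT_EOL)
            break;
        if (type == IPOPT_NOP) {     /* single-byte option, no length field */
            off++;
            continue;
        }
        /* Every other option carries a length byte covering type+len+data. */
        if (off + 1 >= hlen)
            return IPOPT_MALFORMED;
        uint8_t olen = pkt[off + 1];
        if (olen < 2 || off + olen > hlen)
            return IPOPT_MALFORMED;
        if (type == IPOPT_LSRR || type == IPOPT_SSRR)
            verdict = IPOPT_SOURCE_ROUTED;   /* keep walking so bad trailing options still surface */
        off += olen;
    }
    return verdict;
}

/* Constructed sample headers (hand-built for this example, not captured). */

/* IHL=5: plain 20-byte header, no options. */
static const uint8_t plain_hdr[20] = {
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    192, 0, 2, 1,   198, 51, 100, 1
};

/* IHL=7 (28 bytes): LSRR option, length 7, pointer 4, one hop 192.0.2.254, then EOL. */
static const uint8_t lsrr_hdr[28] = {
    0x47, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    192, 0, 2, 1,   198, 51, 100, 1,
    IPOPT_LSRR, 7, 4, 192, 0, 2, 254, IPOPT_EOL
};

/* IHL=7 but the option claims 20 bytes of length: runs past the header. */
static const uint8_t bad_hdr[28] = {
    0x47, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    192, 0, 2, 1,   198, 51, 100, 1,
    IPOPT_LSRR, 20, 4, 0, 0, 0, 0, 0
};

int main(void)
{
    printf("plain: %d\nlsrr: %d\nbad: %d\n",
           ipv4_option_verdict(plain_hdr, sizeof plain_hdr),
           ipv4_option_verdict(lsrr_hdr, sizeof lsrr_hdr),
           ipv4_option_verdict(bad_hdr, sizeof bad_hdr));
    return 0;
}
```

The verdict is computed from the header alone, which is exactly what a firewall hook running before option processing can see; if the stack acted on the source-route option first and forwarded the packet, this check would never get the chance to run.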
