Firewall Wizards mailing list archives

Re: Firewall-Wizards Digest V1 #311


From: Kevin Steves <stevesk () sweden hp com>
Date: Sun, 6 Jun 1999 09:12:43 +0200 (CEST)

On Thu, 3 Jun 1999, Ryan Russell wrote:
: >Why not simply check the data field for the SR tag? A real proxy should
: >be unable to forward traffic (source routed or not) without proxy
: >intervention.
: 
: Those types of things get stripped off before the daemon gets
: the data, no?  Doesn't all the interesting info below layer 4 get
: "eaten" by the OS by the time an app using sockets gets
: it?

The rshd with RedHat 6.0 does this:

        if (!getsockopt(0, ipproto, IP_OPTIONS, (char *)optbuf, &optsize) &&
            optsize != 0) {
                lp = lbuf;
                for (cp = optbuf; optsize > 0; cp++, optsize--, lp += 3)
                        sprintf(lp, " %2.2x", *cp);
                syslog(LOG_NOTICE,
                    "Connection received from %s using IP options (ignored):%s",
                    inet_ntoa(fromp->sin_addr), lbuf);
                if (setsockopt(0, ipproto, IP_OPTIONS,
                               NULL, optsize) != 0) {
                        syslog(LOG_ERR, "setsockopt IP_OPTIONS NULL: %m");
                        exit(1);
                }
        }

Nulling the options seems broken--though I'm unclear on the exact
semantics.  I think it should instead refuse (close) the connection.  
It seems from this point I could attempt to blind spoof since I've seen
the ISN in the SYN,ACK.
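
An added example, not part of the original post or of rshd: one way a daemon could act on the bytes returned by getsockopt(IP_OPTIONS) by walking them for a source-route option and refusing the connection instead of nulling the options. The names scan_ip_options and should_refuse are hypothetical, and the buffer is assumed to be in RFC 791 wire format (type, length, data).

```c
#include <stddef.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Option type values from RFC 791. */
#define OPT_EOL  0x00   /* end of option list, single byte */
#define OPT_NOP  0x01   /* no-operation, single byte */
#define OPT_LSRR 0x83   /* loose source and record route */
#define OPT_SSRR 0x89   /* strict source and record route */

enum opt_verdict { OPT_CLEAN = 0, OPT_SOURCE_ROUTE = 1, OPT_MALFORMED = 2 };

/* Walk a wire-format IP options buffer and classify it. */
enum opt_verdict scan_ip_options(const unsigned char *opt, size_t len)
{
    size_t i = 0;

    while (i < len) {
        unsigned char type = opt[i];

        if (type == OPT_EOL)
            break;
        if (type == OPT_NOP) {
            i++;
            continue;
        }
        /* Multi-byte option: the length byte counts type + length + data,
         * so it must be at least 2 and must fit inside the buffer. */
        if (i + 1 >= len || opt[i + 1] < 2 || i + opt[i + 1] > len)
            return OPT_MALFORMED;
        if (type == OPT_LSRR || type == OPT_SSRR)
            return OPT_SOURCE_ROUTE;
        i += opt[i + 1];
    }
    return OPT_CLEAN;
}

/* Hypothetical policy helper: returns 1 if the connection on fd should be
 * closed rather than served (source route present, malformed options, or
 * the options could not be read at all). */
int should_refuse(int fd)
{
    unsigned char buf[40];          /* maximum IPv4 options length */
    socklen_t len = sizeof(buf);

    if (getsockopt(fd, IPPROTO_IP, IP_OPTIONS, buf, &len) != 0)
        return 1;                   /* fail closed */
    return scan_ip_options(buf, (size_t)len) != OPT_CLEAN;
}
```

A caller would close the socket and log the peer address when should_refuse() returns 1, rather than continuing with the options cleared.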


