Firewall Wizards mailing list archives

Re: Dealing with TCP options in a fw and a router


From: "Chris Kostick" <christopher.t.kostick () cpmx mail saic com>
Date: Wed, 14 Oct 1998 19:06:59 -0400

I am trying to figure out how firewalls handle TCP options, both in SYN and
non-SYN segments. What about the options that they don't recognize? What's the
basic policy? I found no relevant information in either the PIX or FW-1 doc set.


Well first off, firewalls handle at least one-- MSS.  I don't know of any TCP
stack that doesn't use it which implies that many do, and firewalls generally
can talk to any TCP implementation as long as it's allowed.

As far as other options (NAK, big windows, SACK) are concerned, it's generally
a matter of whether or not the operating system supports the option (for s/w
based FWs).  However, the beauty of an option is just that; it's an option.  If
it isn't negotiated between the FW and the end device then it won't be used.

Now if you are asking if there are any firewalls that are known to drop dead
when sent a packet with a TCP option in it, then I don't know.  I haven't heard
of any.  Others may enlighten us.
--
chris
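The reply above describes the two things a firewall actually has to do with TCP options: parse the option list on a SYN (MSS, window scale, SACK-permitted, timestamps) without being tripped up by a kind it does not recognise, and let unnegotiated options simply go unused. The Python below is an added example, not code from this thread or from any PIX or FW-1 product: a defensive option walker of the sort a filtering engine needs, plus a `check_segment` function that reports what a firewall would reasonably log (malformed encodings, kinds outside its table, and SYN-only options such as MSS turning up on a non-SYN segment, which RFC 9293, RFC 7323 and RFC 2018 forbid). The sample segments are constructed inline, not captured traffic, and the logging policy is an illustration, not any vendor's documented behaviour.

```python
import struct
from dataclasses import dataclass
from typing import List

# TCP option kinds from the IANA "TCP Option Kind Numbers" registry
KIND_EOL, KIND_NOP, KIND_MSS, KIND_WSCALE = 0, 1, 2, 3
KIND_SACK_PERMITTED, KIND_SACK, KIND_TIMESTAMP = 4, 5, 8
KNOWN_KINDS = {KIND_MSS: "MSS", KIND_WSCALE: "WScale", KIND_SACK_PERMITTED: "SACK-Permitted",
               KIND_SACK: "SACK", KIND_TIMESTAMP: "Timestamp"}
# RFC 9293 / RFC 7323 / RFC 2018: these may only be sent in a SYN segment
SYN_ONLY_KINDS = {KIND_MSS, KIND_WSCALE, KIND_SACK_PERMITTED}
FLAG_SYN, FLAG_ACK = 0x02, 0x10


@dataclass
class TcpOption:
    kind: int
    data: bytes


@dataclass
class ParsedHeader:
    flags: int
    options: List[TcpOption]
    malformed: List[str]   # encoding errors found while walking the option bytes


def parse_tcp_header(segment: bytes) -> ParsedHeader:
    """Walk the option region defensively: stop on EOL, skip NOP, and refuse to
    follow a length byte that is < 2 or that runs past the end of the header."""
    if len(segment) < 20:
        raise ValueError("segment shorter than a TCP header")
    data_offset = (segment[12] >> 4) * 4
    flags = segment[13]
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("data offset outside the segment")
    opts = segment[20:data_offset]
    options, malformed, i = [], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == KIND_EOL:
            break                      # remainder of the region is padding
        if kind == KIND_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            malformed.append(f"kind {kind} truncated: no length byte")
            break
        length = opts[i + 1]
        if length < 2:                 # a naive loop would spin forever here
            malformed.append(f"kind {kind} has length {length} (< 2)")
            break
        if i + length > len(opts):
            malformed.append(f"kind {kind} length {length} runs past header end")
            break
        options.append(TcpOption(kind, bytes(opts[i + 2:i + length])))
        i += length
    return ParsedHeader(flags, options, malformed)


def summarize(segment: bytes) -> List[str]:
    """Readable decode of the options this parser recognises."""
    out = []
    for opt in parse_tcp_header(segment).options:
        if opt.kind == KIND_MSS and len(opt.data) == 2:
            out.append(f"MSS={struct.unpack('!H', opt.data)[0]}")
        elif opt.kind == KIND_WSCALE and len(opt.data) == 1:
            out.append(f"WScale={opt.data[0]}")
        elif opt.kind == KIND_SACK_PERMITTED:
            out.append("SACK-Permitted")
        elif opt.kind == KIND_TIMESTAMP and len(opt.data) == 8:
            tsval, tsecr = struct.unpack("!II", opt.data)
            out.append(f"Timestamp TSval={tsval} TSecr={tsecr}")
        else:
            out.append(f"kind {opt.kind} ({len(opt.data)} bytes)")
    return out


def check_segment(segment: bytes) -> List[str]:
    """Findings a firewall would log (illustrative policy): malformed encodings,
    kinds outside its table, and SYN-only options on a non-SYN segment."""
    hdr = parse_tcp_header(segment)
    findings = list(hdr.malformed)
    is_syn = bool(hdr.flags & FLAG_SYN)
    for opt in hdr.options:
        if opt.kind not in KNOWN_KINDS:
            findings.append(f"unknown option kind {opt.kind} ({len(opt.data)} data bytes)")
        elif opt.kind in SYN_ONLY_KINDS and not is_syn:
            findings.append(f"{KNOWN_KINDS[opt.kind]} option on non-SYN segment")
    return findings


def build_tcp_header(flags: int, option_bytes: bytes) -> bytes:
    """Constructed sample: 20-byte base header plus options padded to a 4-byte boundary."""
    padded = option_bytes + b"\x00" * (-len(option_bytes) % 4)
    data_offset = (20 + len(padded)) // 4
    base = struct.pack("!HHIIBBHHH", 12345, 80, 0, 0, data_offset << 4, flags, 65535, 0, 0)
    return base + padded


# Constructed samples, not captured traffic
SYN_SEGMENT = build_tcp_header(FLAG_SYN, bytes.fromhex(
    "020405b4" "01" "030307" "0101" "0402" "080a" "00000001" "00000000"))
ACK_WITH_MSS = build_tcp_header(FLAG_ACK, bytes.fromhex("020405b4"))
ZERO_LENGTH_OPTION = build_tcp_header(FLAG_SYN, bytes.fromhex("0200"))
UNKNOWN_KIND = build_tcp_header(FLAG_SYN, bytes.fromhex("020405b4" "fe040000"))  # kind 254 not in table

if __name__ == "__main__":
    for name, seg in [("SYN", SYN_SEGMENT), ("ACK+MSS", ACK_WITH_MSS),
                      ("zero-length", ZERO_LENGTH_OPTION), ("unknown", UNKNOWN_KIND)]:
        print(name, summarize(seg), check_segment(seg))
```

The point of the length checks is the "drop dead" question at the end of the reply: an option walker that trusts the length byte is exactly the kind of code that hangs or reads past its buffer on a crafted header, so the parser records the defect and stops rather than following it.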