Firewall Wizards mailing list archives
Re: Dealing with TCP options in a fw and a router
From: "Chris Kostick" <christopher.t.kostick () cpmx mail saic com>
Date: Wed, 14 Oct 1998 19:06:59 -0400
I am trying to figure out how firewalls handle TCP options, both in SYN and non-SYN segments. What about the options that they don't recognize? What's the basic policy? I found no relevant information in either the PIX or FW-1 doc set.
Well first off, firewalls handle at least one: MSS. I don't know of any TCP stack that doesn't use it, which implies that many do, and firewalls generally can talk to any TCP implementation as long as it's allowed. As far as other options (NAK, big windows, SACK) are concerned, it's generally a matter of whether or not the operating system supports the option (for s/w based FWs). However, the beauty of an option is just that; it's an option. If it isn't negotiated between the FW and the end device then it won't be used.

Now if you are asking if there are any firewalls that are known to drop dead by sending a packet with a TCP option in it, then I don't know. I haven't heard of any. Others may enlighten us.

-- chris
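The reply above describes the behaviour a firewall's inspection engine needs: recognise MSS and the other negotiated options, tolerate option kinds it does not know, and not fall over on a badly formed option list. The following is an added example written for this archive page, not code from the original thread nor from PIX, FW-1 or any other product. It walks a TCP options field kind-by-kind, validates every length before trusting it, decodes the well-known kinds, flags SYN-only options seen on non-SYN segments, and applies a hypothetical `unknown_policy` ("pass", "strip" or "drop") to kinds it does not recognise. The option kind numbers and fixed lengths come from RFC 793, RFC 2018 and RFC 7323; the function names, the policy names and all sample option bytes (including the experimental kind 253 from RFC 4727) are constructed for the example.

```python
"""Toy TCP option inspector (added example, not from the original post)."""
import struct

# Option kinds from the IANA TCP option registry.
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE = 0, 1, 2, 3
OPT_SACK_PERM, OPT_SACK, OPT_TIMESTAMP = 4, 5, 8

# Fixed total lengths (kind + length + payload) per RFC 793 / 2018 / 7323.
FIXED_LEN = {OPT_MSS: 4, OPT_WSCALE: 3, OPT_SACK_PERM: 2, OPT_TIMESTAMP: 10}
# Options that may only appear on a SYN segment.
SYN_ONLY = {OPT_MSS, OPT_WSCALE, OPT_SACK_PERM}


def parse_tcp_options(data):
    """Walk the option list. Returns (options, error) where options is a list
    of (kind, payload) and error is None or a short description of the first
    malformed option (the partial list parsed so far is still returned)."""
    opts, i, n = [], 0, len(data)
    while i < n:
        kind = data[i]
        if kind == OPT_EOL:            # end of list; anything after is padding
            opts.append((kind, b""))
            break
        if kind == OPT_NOP:            # single-byte option, no length field
            opts.append((kind, b""))
            i += 1
            continue
        if i + 1 >= n:
            return opts, "option kind %d has no length byte" % kind
        length = data[i + 1]
        if length < 2:                 # length 0 or 1 would loop forever
            return opts, "option kind %d has invalid length %d" % (kind, length)
        if i + length > n:
            return opts, "option kind %d length %d overruns field" % (kind, length)
        if kind in FIXED_LEN and length != FIXED_LEN[kind]:
            return opts, "option kind %d length %d, expected %d" % (kind, length, FIXED_LEN[kind])
        if kind == OPT_SACK and (length < 10 or (length - 2) % 8):
            return opts, "SACK option with bad length %d" % length
        opts.append((kind, data[i + 2:i + length]))
        i += length
    return opts, None


def decode_option(kind, payload):
    """Decode a recognised option's payload; None means the kind is unknown."""
    if kind == OPT_MSS:
        return struct.unpack("!H", payload)[0]
    if kind == OPT_WSCALE:
        return payload[0]
    if kind == OPT_SACK_PERM:
        return True
    if kind == OPT_TIMESTAMP:
        return struct.unpack("!II", payload)        # (TSval, TSecr)
    if kind == OPT_SACK:
        return [struct.unpack("!II", payload[j:j + 8]) for j in range(0, len(payload), 8)]
    return None


def inspect_options(data, syn, unknown_policy="strip"):
    """Hypothetical firewall policy for one segment's option field.
    unknown_policy is "pass" (forward as-is), "strip" (remove and re-pad) or
    "drop". Returns verdict, reason, decoded values, unknown kinds and the
    option bytes to forward."""
    def drop(reason, decoded={}, unknown=[]):
        return {"verdict": "drop", "reason": reason, "decoded": decoded,
                "unknown": unknown, "forward": b""}

    opts, err = parse_tcp_options(data)
    if err:                            # malformed list: never forward it
        return drop(err)
    decoded, unknown, out = {}, [], bytearray()
    for kind, payload in opts:
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            out.append(OPT_NOP)
            continue
        if kind in SYN_ONLY and not syn:
            return drop("kind %d only valid in SYN" % kind, decoded, unknown)
        value = decode_option(kind, payload)
        if value is None:
            unknown.append(kind)
            if unknown_policy == "drop":
                return drop("unknown option kind %d" % kind, decoded, unknown)
            if unknown_policy == "strip":
                continue               # leave it to the endpoints to not negotiate it
        else:
            decoded[kind] = value
        out += bytes([kind, 2 + len(payload)]) + payload
    # The data offset counts 32-bit words, so re-pad with EOL bytes after stripping.
    out += b"\x00" * (-len(out) % 4)
    return {"verdict": "pass", "reason": None, "decoded": decoded,
            "unknown": unknown, "forward": bytes(out)}


if __name__ == "__main__":
    # Constructed SYN option field: MSS 1460, SACK-permitted, timestamps, NOP, wscale 7.
    syn_opts = bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030307")
    print(inspect_options(syn_opts, syn=True))
    # Constructed field carrying experimental kind 253, stripped and re-padded.
    print(inspect_options(bytes.fromhex("020405b4" "01" "fd03aa"), syn=True))
```

Two points the code makes concrete: the length checks in `parse_tcp_options` are what keep a normaliser from being desynchronised by a zero-length or overrunning option, and "strip" is the policy that matches the reply's observation that an option nobody negotiated is simply not used; after stripping, the field is re-padded to a 32-bit boundary because the TCP data offset is counted in words (recomputing the checksum is left out here).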
Current thread:
- Dealing with TCP options in a fw and a router Vladimir Sukonnik (Oct 14)
- Re: Dealing with TCP options in a fw and a router Chris Kostick (Oct 16)