Re: Loose source routed IP packets.

Ray Leach wrote:

> How about :
>
> ### don't accept source routed packets
> /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

I keep meaning to do some testing with this but have not had the bandwidth. Just wondering if anyone else actually has.


I would expect the above would work fine with strict source routing, but I'm not so sure about loose source routing unless the firewall was one of the defined jump points.

For example, let's say I know you "trust" some IP address on the Internet and permit a greater level of access from it to one of your internal systems. I craft the following packet:

source IP = mine
Dest IP = "trusted" Internet host
First byte of IP options = 83
IP in options field = your internal server

In this case none of the IPs are the firewall's, so I'm not so sure accept_source_route would even be referenced. Does the kernel check the size of all IP headers and process the included options even if it's not the destination IP? I would think it would not for efficiency, but then again it might to deal with things like option 7 (record route).

Has anyone tested this either way?

Thanks in advance!
Chris
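Added example, not part of the original post: a small C routine that walks the options area of a raw IPv4 header and reports whether it carries record route (7), loose source route (0x83, the "83" above) or strict source route (0x89), which is the check a filter or capture analysis on the forwarding path would need. The function name, flag names and sample packet (documentation addresses, checksum left at zero) are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { OPT_EOL = 0x00, OPT_NOP = 0x01, OPT_RR = 0x07,
       OPT_LSRR = 0x83, OPT_SSRR = 0x89 };        /* option type bytes */
enum { HAS_RR = 1, HAS_LSRR = 2, HAS_SSRR = 4 };  /* result bitmask */

/* Walk the options of a raw IPv4 header. Returns a bitmask of HAS_* flags,
 * or -1 if the header or an option length is malformed. */
int ipv4_route_options(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;    /* IHL counts 32-bit words */
    if (hlen < 20 || hlen > len) return -1;
    int found = 0;
    size_t i = 20;                                /* options start after the fixed header */
    while (i < hlen) {
        uint8_t type = pkt[i];
        if (type == OPT_EOL) break;               /* end of option list */
        if (type == OPT_NOP) { i++; continue; }   /* single-byte padding */
        if (i + 1 >= hlen) return -1;             /* no room for a length byte */
        uint8_t olen = pkt[i + 1];
        if (olen < 2 || i + olen > hlen) return -1;
        if (type == OPT_RR)   found |= HAS_RR;
        if (type == OPT_LSRR) found |= HAS_LSRR;
        if (type == OPT_SSRR) found |= HAS_SSRR;
        i += olen;
    }
    return found;
}

/* Constructed sample: 28-byte header (IHL = 7) carrying one LSRR option. */
static const uint8_t sample_lsrr[28] = {
    0x47, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x00,
    0x40, 0x01, 0x00, 0x00,
    203, 0, 113, 5,        /* source address */
    198, 51, 100, 7,       /* destination address */
    0x83, 0x07, 0x04,      /* LSRR, length 7, pointer 4 */
    192, 0, 2, 10,         /* one address in the route list */
    0x00                   /* EOL padding to a 32-bit boundary */
};

int main(void)
{
    printf("flags = %d\n", ipv4_route_options(sample_lsrr, sizeof sample_lsrr));
    return 0;
}
```

The parser only identifies the options; whether a forwarding kernel consults accept_source_route for such a packet is the open question in the post and is not answered by this code.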


