quoting <http://www.openbsd.org/faq/pf/filter.html>
<quote>
IP Options
By default, PF blocks packets with IP options set. This can make the job
more difficult for "OS fingerprinting" utilities like nmap. If you have
an application that requires the passing of these packets, such as
multicast or IGMP, you can use the allow-opts directive:
pass in quick on fxp0 all allow-opts
</quote>
Am I correct in thinking that this line effectively passes *all* traffic
in on fxp0 with no more checking because of the 'quick' option?
One of our network folk was trying to get multicast working and found
mention of 'allow-opts' and being necessary. Found this in the FAQ and
naively cut and pasted it into our production rule set. A couple of
hours later we found that we had half a dozen unpatched SQL servers on
campus :(
Surely in the context of the FAQ this rule should not have quick so that
subsequent block rules will take effect.
Please note I'm not blaming the FAQ for what happened to us. I'm
perfectly clear that it is *our* responsibility to make sure we
understand the consequences of the changes we make to our rule sets and
that anyone who cut and pastes stuff without being quite sure that they
understands what they are doing deserves what they get :) Sigh....
Russell
