On Thu, Feb 06, 2003 at 09:23:06PM +0100, Maik Kuendig wrote:
> Can I change IP-Header Options, or filter based on them? I have not
> found any point about that in the current man page, so I believe it's not
> possible.

By default, pf blocks all packets with IP options. You can pass them per rule, using the 'allow-opts' keyword. Modifying IP options (removing, rewriting, adding) is not possible yet, neither is filtering on particular kinds of IP options.

> Is it a good idea to filter packages, as an example with "source routing",
> or is it not necessary and I ask a stupid question?

IP options are used rarely, and (unlike ICMP messages, for instance) not required for proper IP operation. I never had to use allow-opts for anything but special tests, so I'd suggest you stick with the default and only allow options on specific connections if you have to.

Daniel
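An added example, not part of the original message and not pf's own code: a small Python model of the default described above, which parses the options in a raw IPv4 header and returns the verdict with and without allow-opts. The function names and sample packets are constructed for illustration, and it assumes "has options" means a header length (IHL) above 5 words.

```python
import struct

# IPv4 option type values (RFC 791; router alert is RFC 2113).
OPTION_NAMES = {7: "record-route", 68: "timestamp", 131: "loose-source-route",
                137: "strict-source-route", 148: "router-alert"}

def ip_options(packet: bytes) -> list:
    """Return the names of the IPv4 options carried in a raw packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    header_len = (packet[0] & 0x0F) * 4        # IHL is in 32-bit words
    if header_len < 20 or header_len > len(packet):
        raise ValueError("bad header length")
    opts, found, i = packet[20:header_len], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                          # End of Option List
            break
        if kind == 1:                          # No-Operation, one byte
            found.append("nop")
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")
        found.append(OPTION_NAMES.get(kind, "option-%d" % kind))
        i += opts[i + 1]
    return found

def verdict(packet: bytes, allow_opts: bool = False) -> str:
    """Model of the behaviour described above: a packet carrying any IP
    options is blocked unless the matching rule has allow-opts.
    Assumption: 'has options' means IHL > 5."""
    has_options = (packet[0] & 0x0F) > 5
    return "block" if has_options and not allow_opts else "pass"

def build_packet(options: bytes = b"") -> bytes:
    """Constructed sample header (protocol 1, checksum left at zero)."""
    options += b"\x00" * (-len(options) % 4)   # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 1,
                       0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + options

# Constructed loose source route: type 131, length 7, pointer 4, one hop.
LSRR = bytes([131, 7, 4, 203, 0, 113, 9])

if __name__ == "__main__":
    for name, pkt in (("plain", build_packet()), ("lsrr", build_packet(LSRR))):
        print(name, ip_options(pkt), verdict(pkt), verdict(pkt, allow_opts=True))
```

The verdict depends only on whether options are present, not on which ones, matching the statement that filtering on particular kinds of options is not possible.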
