Filtering IP Packets that Use the IP Header Options Field

In addition to containing 32-bit source IP address and destination IP address fields, IP packets also contain an options field. This field can be used for the following purposes:

Although the NetWare TCP/IP stack does not process these options, it can be a security risk to forward packets with these options specified. In particular, the source routing option can force all packets that are routed from your network to be forwarded to an untrustworthy host in the public network.

When you install Novell BorderManager 3.8 firewall/caching services, a server SET command is automatically enabled to drop packets with IP header options enabled.
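The following Python sketch is an added example, not Novell code: it walks the options field of an IPv4 header and makes the same kind of drop decision, assuming the filter rejects any header longer than the 20-byte minimum. The function names, sample addresses, and sample packets are constructed for illustration.

```python
import socket
import struct

# IPv4 option type numbers defined in RFC 791.
OPTION_NAMES = {7: "record-route", 68: "timestamp", 130: "security",
                131: "loose-source-route", 137: "strict-source-route"}

def build_header(options: bytes = b"") -> bytes:
    """Constructed sample IPv4 header (documentation addresses, checksum left 0)."""
    options += b"\x00" * (-len(options) % 4)          # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4                       # header length in 32-bit words
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                        socket.inet_aton("192.0.2.1"), socket.inet_aton("198.51.100.7"))
    return fixed + options

def ip_options(packet: bytes) -> list:
    """Names of the options in an IPv4 header; raises ValueError if malformed."""
    if len(packet) < 20 or (packet[0] >> 4) != 4 or (packet[0] & 0x0F) < 5:
        raise ValueError("not a valid IPv4 header")
    header_len = (packet[0] & 0x0F) * 4
    if len(packet) < header_len:
        raise ValueError("truncated header")
    opts, found, i = packet[20:header_len], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                  # End of Option List
            break
        if kind == 1:                                  # No-Operation, one byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")
        found.append(OPTION_NAMES.get(kind, f"type-{kind}"))
        i += opts[i + 1]
    return found

def should_drop(packet: bytes) -> bool:
    """Assumed policy: drop malformed headers and any header longer than 20 bytes."""
    try:
        ip_options(packet)
    except ValueError:
        return True
    return (packet[0] & 0x0F) > 5

# Constructed LSRR option: type 131, length 7, pointer 4, one hop address.
LSRR = bytes([131, 7, 4]) + socket.inet_aton("203.0.113.9")

if __name__ == "__main__":
    for name, pkt in [("plain", build_header()), ("lsrr", build_header(LSRR))]:
        print(name, ip_options(pkt), "drop" if should_drop(pkt) else "forward")
```

A header that carries only No-Operation padding lists no named options but is still dropped, because the decision keys on the header length rather than on which options are present.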

To view the current setting for your server, complete the following steps:

  1. At the server console, enter

    SET

  2. Select option 1 (Communications).

  3. Verify that the SET command displays as

    SET FILTER PACKETS WITH IP HEADER OPTIONS = ON

It is best not to change the default setting, but under certain circumstances you might need to turn this setting off. For example, you could use the source routing option to specify the routers that must handle the traffic from your network.

IMPORTANT: Because routers often do not support IP header options, be sure to verify the capability of your routers before disabling the filtering to perform such tests.

To disable the filtering of packets that use IP header options from the server console, enter

    SET FILTER PACKETS WITH IP HEADER OPTIONS = OFF

To re-enable the filtering from the server console, enter

    SET FILTER PACKETS WITH IP HEADER OPTIONS = ON