Um.. both those answers are wrong. Bit 2 is SYN not FIN. I hope this wasn't from my workbook ;)
A mask of 0x0 makes sure that they are exactly as you specify. Looking at the mask of 0x3D, we can equate this to a binary value of 61 or 0011|1101. So that will always match on the 2 bit but can or cannot match on the 1 bit. I think you guys are misunderstanding the question and it is meant to be matching on the SYN bit. Otherwise, with the example you have given, FIN can be on or off, but it is not always on or always off. But taking into account that this is meant to be SYN, the SYN bit will always be on with the mask provided. Using the mask option allows you to always match SYN, but you can also match a SYN-ACK or a SYN-FIN, which is illegal, etc.

If you wanted to match on FIN you would have something like:

control-bit eq 1 mask 0x3E

That mask is 0011|1110, meaning that the 1 bit must always be a one.

Here is the link to the configuration example you guys are probably referring to:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6723/prod_white_paper0900aecd803936f6.html
Search for "TCP control bits". It will have the example in there.

Here is the layout:

15 - FIN
14 - SYN
13 - RST
12 - PSH
11 - ACK
10 - URG
9 - ECE
8 - Congestion Window Reduced (CWR)

The flags field is 2 bytes. It is read top to bottom, so FIN is bit 1, SYN bit 2, etc.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
From: [email protected] [mailto:[email protected]] On Behalf Of Bruno
Sent: Tuesday, August 24, 2010 1:53 PM
To: Vybhav Ramachandran
Cc: OSL Security
Subject: Re: [OSL | CCIE_Security] "mask" keyword in FPM

The use of the mask is to ensure that bit 2 is the only bit inspected.

Let me try this. Supposing you wanted to match all connections entering your device. To do that you have to make sure that the SYN bit is set and the ACK bit is NOT set. If you only see the SYN bit set but do not inspect the ACK bit, it could be a new connection entering, or a connection initiated from inside that is receiving its ACK now. So, with mask you can make sure that each bit is the way you want it to be.

On Tue, Aug 24, 2010 at 1:49 PM, Vybhav Ramachandran <[email protected]> wrote:

Oh sorry.. my bad :)

Ok, but what's the use of the "mask" keyword?

Thanks and Cheers,
TacACK

--
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
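As an added illustration of the mask semantics discussed in this thread (example code, not from any of the posts above and not Cisco's own implementation): a small Python model of "match field TCP control-bits eq <value> mask <mask>", assuming, as the thread states, that a 1 bit in the mask means that bit is ignored and a 0 bit means it must equal the corresponding bit of the value. It also carries Bruno's "new inbound connection" case through, using 0x2D as an assumed mask that keeps both SYN and ACK fixed.

```python
# TCP control bits as they sit in the low byte of the 16-bit offset/flags field
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def control_bits_match(flags, value, mask=0x00):
    """Model of 'match field TCP control-bits eq <value> mask <mask>'.

    Assumption taken from the thread: a 1 in the mask is a wildcard
    ("don't care"); a 0 means that bit must equal the same bit of value.
    A mask of 0x00 therefore demands an exact match.
    """
    care = ~mask & 0xFF
    return (flags & care) == (value & care)


def fixed_bits(value, mask=0x00):
    """Which flags a given eq/mask pair pins down, and to which state."""
    care = ~mask & 0xFF
    return {name: bool(value & bit) for name, bit in FLAGS.items() if care & bit}


def flags_from_names(*names):
    """Build a flags byte from flag names, e.g. flags_from_names('SYN', 'ACK')."""
    byte = 0
    for name in names:
        byte |= FLAGS[name]
    return byte


if __name__ == "__main__":
    # eq 2 mask 0x3D from the thread: SYN pinned on, FIN (bit 1) wildcard
    print(fixed_bits(0x02, 0x3D))  # {'SYN': True, 'ECE': False, 'CWR': False}
    for segment in ("SYN", "SYN ACK", "SYN FIN", "ACK"):
        f = flags_from_names(*segment.split())
        print(f"{segment:8s} -> {control_bits_match(f, 0x02, 0x3D)}")
    # eq 1 mask 0x3E from the thread: FIN pinned on
    print(fixed_bits(0x01, 0x3E))  # {'FIN': True, 'ECE': False, 'CWR': False}
    # Bruno's case: SYN set AND ACK clear. Assumed mask 0x2D (0010|1101) leaves
    # SYN and ACK (plus the unused ECE/CWR bits) fixed, everything else wildcard.
    print(control_bits_match(flags_from_names("SYN"), 0x02, 0x2D))         # True
    print(control_bits_match(flags_from_names("SYN", "ACK"), 0x02, 0x2D))  # False
```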
