At 00:37 03-10-1999 -0700, Bill Fox wrote:
>
(snip)
>The reason I'm asking these 'goofy' questions is that I'm finding certain
>(inbound) IP's that are somehow penetrating my router's ACL's, and I'm not
>exactly sure how.
I read somewhere that non-first IP fragment packets always get through Cisco ACLs. Only the first fragment contains header information from higher-level protocols (like TCP and UDP) that is used by ACLs to perform packet filtering. All the subsequent fragments contain the IP header (with src and dest IPs) and data to be reassembled, provided you have the 1st packet.
>I see denial counts on the ACL logs in the router, yet the
>firewall logs verify that some of these (supposedly blocked) IP's are making
>it to the firewall itself before being dropped. How?
>--Bill
>
If the first packet never got through (blocked by the ACL), the others will be fairly harmless, but they can be used for some sort of denial-of-service attack. Maybe someone else can comment on this. I'm not an expert, so I may be talking nonsense.
J.Cascao
/-----------------------------+----------------------------\
|Joao Carlos Cascao | |
|Tel: 351-33-900152 | |
|Dpt. Sistemas de Informacao | mailto:[EMAIL PROTECTED] |
|----------------------------------------------------------|
| SOPORCEL, Sociedade Portuguesa de Papel - S.A. |
| Figueira da Foz PORTUGAL |
\----------------------------------------------------------/
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
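The point made in this thread, as an added illustration that is not part of the original messages: a small Python model that parses constructed IPv4 fragments of one telnet SYN and runs them through a port-matching filter and a fragment-aware one. The addresses, the IP identifier and the "deny TCP port 23" rule are assumptions chosen for the demonstration.

```python
import struct
import socket

TCP, UDP = 6, 17

def build_ipv4(src, dst, proto, ident, offset, more_frags, payload):
    """Constructed minimal IPv4 header (no options, checksum left zero) plus payload."""
    flags_frag = (0x2000 if more_frags else 0) | ((offset // 8) & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def parse_ipv4(pkt):
    """Extract the fields a router ACL can see; ports exist only in the initial fragment."""
    ver_ihl, _, _, ident, flags_frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    offset = (flags_frag & 0x1FFF) * 8          # byte offset of this fragment's data
    payload = pkt[ihl:]
    dport = None
    # Only the fragment at offset 0 carries the TCP/UDP header right after the IP header.
    if offset == 0 and proto in (TCP, UDP) and len(payload) >= 4:
        dport = struct.unpack("!H", payload[2:4])[0]
    return dict(src=socket.inet_ntoa(src), dst=socket.inet_ntoa(dst), proto=proto,
                ident=ident, offset=offset, more=bool(flags_frag & 0x2000), dport=dport)

def acl_port_only(p):
    """Port-matching rule (assumed: deny telnet). A non-initial fragment has no port to match."""
    return "deny" if p["proto"] == TCP and p["dport"] == 23 else "permit"

def acl_fragment_aware(p):
    """Same rule, but non-initial fragments are denied before any port match is attempted."""
    return "deny" if p["offset"] > 0 else acl_port_only(p)

# Constructed sample: one telnet SYN split into an initial and a non-initial fragment.
tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 23, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
FIRST = build_ipv4("198.51.100.9", "192.0.2.10", TCP, 0x1234, 0, True, tcp_hdr + b"AAAA")
SECOND = build_ipv4("198.51.100.9", "192.0.2.10", TCP, 0x1234, 24, False, b"B" * 32)

def decisions():
    """Map each fragment to (port-only verdict, fragment-aware verdict)."""
    return {name: (acl_port_only(parse_ipv4(pkt)), acl_fragment_aware(parse_ipv4(pkt)))
            for name, pkt in (("first", FIRST), ("second", SECOND))}

if __name__ == "__main__":
    for name, (port_only, frag_aware) in decisions().items():
        print(f"{name:6} fragment: port-only ACL -> {port_only}, fragment-aware ACL -> {frag_aware}")
```

The second fragment slips past the port-only rule exactly because it has no TCP header to match; the fragment-aware policy is what Cisco IOS extended ACLs express with the `fragments` keyword on a deny entry, and logging such non-initial fragments at the router explains the "blocked IPs still reach the firewall" symptom described above.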