Actually Cisco has remedied this in the newer version of IOS. The packet is
reassembled and forwarded or dropped based on the filter.
> -----Original Message-----
> From: Joao Carlos Cascao [SMTP:[EMAIL PROTECTED]]
> Sent: Monday, October 04, 1999 7:57 AM
> To: Firewalls mailing list
> Subject: Re: Router ACL's
>
> At 00:37 03-10-1999 -0700, Bill Fox wrote:
> >
> (snip)
> >The reason I'm asking these 'goofy' questions is that I'm finding certain
> >(inbound) IP's that are somehow penetrating my router's ACL's, and I'm not
> >exactly sure how.
>
> I read somewhere that non-first IP fragment packets always get through
> cisco ACL's.
>
> Only the first fragment contains header information from higher level
> protocols (like TCP and UDP) that is used by ACL's to perform packet
> filtering. All the subsequent fragments contain the IP header (with src
> and dest IP's) and data to be reassembled provided you have the 1st packet.
>
> >I see denial counts on the ACL logs in the router, yet the
> >firewall logs verify that some of these (supposedly blocked) IP's are
> >making it to the firewall itself before being dropped. How?
> >--Bill
> >
>
> If the first packet never got through (blocked by ACL) the others will be
> fairly harmless but can be used for some sort of denial of service
> attacks.
>
>
> Maybe someone else can comment on this. I'm not an expert so I may be
> talking nonsense.
>
>
> J.Cascao
>
> /-----------------------------+----------------------------\
> |Joao Carlos Cascao | |
> |Tel: 351-33-900152 | |
> |Dpt. Sistemas de Informacao | mailto:[EMAIL PROTECTED] |
> |----------------------------------------------------------|
> | SOPORCEL, Sociedade Portuguesa de Papel - S.A. |
> | Figueira da Foz PORTUGAL |
> \----------------------------------------------------------/
>
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]