----- Original Message -----
From: Kent Hundley <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; firewalls <[EMAIL PROTECTED]>
Sent: Monday, October 04, 1999 11:35 PM
Subject: RE: Router ACL's
>Bill,
>Comments embedded:
<snips>
>Without more specific information, it's hard to give a complete answer.
>It's possible that the IP packets are non-first fragments or that
>someone is purposely using a hacking tool that crafts packets designed
>to make it through non-stateful filtering routers. (i.e. set the ACK or
>RST bit) Most Cisco ACLs won't filter non-first IP fragments. You can
>enable filtering of all fragments in certain IOS versions, but it's an
>all or nothing process unless you use the Firewall Feature Set, and even
>then you'll need version 12.0.
By 'non-first' I'm assuming you mean other than SYNs? So, if non-SYN
packets are received at the (non-stateful) interface, they're not dropped,
even if the packet's IP is in the ACL? I'm still running 11.2 IOS, BTW.
Definitely in need of an upgrade <g>.
>Without knowing more about exactly what packets you're seeing hit your
>firewall and what your ACL entries look like, there's no way to give a
>more specific answer.
A typical ACL entry would be:
access-list 100 deny tcp any host xxx.xxx.xxx.xxx
The list would be assigned as 'in' on the interface.
I've tossed a 'log' onto the end for the hosts that have been punching
through, and I see logged denials. But I still see quite a few entries
from the same IPs that have made it to the firewall logs, too. That's
why I'm groping. :)
>HTH,
>Kent Hundley
Thanks Kent, & all the other list members who've dropped me tips.
--Bill
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
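The two bypasses Kent describes (a crafted packet with the ACK or RST bit set, and a non-initial IP fragment that carries no TCP header) can be shown side by side with a small model of a stateless router ACL and a stateful filter. The code below is an added example written for this page, not anything posted in the thread and not IOS code. The addresses, the three-entry ACL, the packets and the fragment rule (an entry with layer-4 criteria cannot inspect a non-initial fragment, so a permit matches on layer 3 alone and a deny falls through to the next entry, modelled on Cisco's documented behaviour) are all constructed assumptions for illustration.

```python
"""Stateless vs stateful filtering: why crafted ACK/RST packets and non-initial
IP fragments can pass a router ACL that looks like it should stop them.

Constructed model for illustration; not IOS code. The fragment handling is an
assumption modelled on Cisco's documented rule: an ACE with layer-4 criteria
cannot inspect a non-initial fragment, so a permit matches on L3 alone and a
deny falls through to the next entry."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: Optional[int] = None           # None on non-initial fragments (no TCP header)
    dport: Optional[int] = None
    flags: FrozenSet[str] = frozenset()   # e.g. {"SYN"}, {"ACK"}, {"RST"}
    frag_offset: int = 0                  # > 0 marks a non-initial IP fragment

    @property
    def non_initial_fragment(self) -> bool:
        return self.frag_offset > 0


@dataclass(frozen=True)
class ACE:
    """One extended access-list entry, e.g. 'deny tcp any host 192.0.2.10 eq 23'."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" or "tcp"
    src: str                     # "any" or a host address
    dst: str
    dport: Optional[int] = None  # 'eq <port>'
    established: bool = False    # 'established': ACK or RST bit set

    def has_l4(self) -> bool:
        return self.dport is not None or self.established

    def l3_matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst))

    def l4_matches(self, p: Packet) -> bool:
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True


def stateless_filter(acl: List[ACE], p: Packet) -> str:
    """Router-style ACL: top down, first match wins, implicit deny at the end."""
    for ace in acl:
        if not ace.l3_matches(p):
            continue
        if p.non_initial_fragment and ace.has_l4():
            # No layer-4 header to check: permit on L3 alone, deny falls through.
            if ace.action == "permit":
                return "permit"
            continue
        if ace.l4_matches(p):
            return ace.action
    return "deny"


class StatefulFilter:
    """Tracks sessions opened from the inside; an inbound packet must belong to
    one or be a SYN the ACL permits. Crafted ACKs and stray fragments fail."""

    def __init__(self, inbound_acl: List[ACE]) -> None:
        self.inbound_acl = inbound_acl
        self.flows: Set[Tuple[str, Optional[int], str, Optional[int]]] = set()

    def outbound(self, p: Packet) -> None:
        if p.flags == {"SYN"}:
            self.flows.add((p.src, p.sport, p.dst, p.dport))

    def inbound(self, p: Packet) -> str:
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "permit"                       # reply inside a tracked session
        if p.non_initial_fragment or p.flags != {"SYN"}:
            return "deny"                         # no session and not opening one
        return stateless_filter(self.inbound_acl, p)


# Constructed inbound ACL for the outside interface (assumed, not Bill's real one).
INBOUND_ACL = [
    ACE("deny", "tcp", "any", "192.0.2.10", dport=23),      # no telnet to the host
    ACE("permit", "tcp", "any", "any", established=True),   # replies to inside sessions
    ACE("deny", "ip", "any", "any"),
]

ATTACKER, INSIDE, WEBSERVER = "203.0.113.7", "192.0.2.10", "198.51.100.1"   # constructed
SYN_TO_TELNET = Packet(ATTACKER, INSIDE, sport=40000, dport=23, flags=frozenset({"SYN"}))
CRAFTED_ACK = Packet(ATTACKER, INSIDE, sport=40000, dport=80, flags=frozenset({"ACK"}))
STRAY_FRAGMENT = Packet(ATTACKER, INSIDE, frag_offset=185)
OUTBOUND_SYN = Packet(INSIDE, WEBSERVER, sport=51000, dport=80, flags=frozenset({"SYN"}))
LEGIT_REPLY = Packet(WEBSERVER, INSIDE, sport=80, dport=51000, flags=frozenset({"SYN", "ACK"}))


def compare(p: Packet) -> Tuple[str, str]:
    """(stateless verdict, stateful verdict) for one inbound packet."""
    sf = StatefulFilter(INBOUND_ACL)
    sf.outbound(OUTBOUND_SYN)                     # inside host opened a web session
    return stateless_filter(INBOUND_ACL, p), sf.inbound(p)


if __name__ == "__main__":
    for name, pkt in [("SYN to telnet", SYN_TO_TELNET), ("crafted ACK", CRAFTED_ACK),
                      ("non-initial fragment", STRAY_FRAGMENT), ("legit reply", LEGIT_REPLY)]:
        print(f"{name:22s} stateless={compare(pkt)[0]:6s} stateful={compare(pkt)[1]}")
```

Running it shows the SYN to telnet denied by both filters, the legitimate reply permitted by both, and the crafted ACK and the non-initial fragment permitted by the stateless ACL but dropped by the stateful filter, which is the difference Kent is pointing at. Adding `log` to a deny entry, as Bill did, only records packets that actually hit that entry; packets that match an earlier `established` permit or fall through a layer-4 deny never reach it, so they show up at the firewall without a router log line.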