Re: Fragments

From: Jay Greenberg (jgreenberg@execulink.com)
Date: Tue Jul 27 2004 - 16:25:24 GMT-3


If you're asking whether or not you can only allow http fragments, the
answer is no. The whole problem with IP fragments is that there is no
layer 4 data (in this case, tcp port).

-- 
Jay Greenberg, CCIE #11021


On Tue, 2004-07-27 at 14:46, gladston@br.ibm.com wrote:
> The following list is from a Cisco example.
>
> access-list 101 deny ip any host 1.1.1.1 fragments
> access-list 101 permit tcp any host 1.1.1.1 eq 80
> access-list 101 deny ip any any
>
> If a host is accessing server 1.1.1.1 and the communication needs to send a fragmented packet, it will not work, right?
>
> Would there be a better solution that allows fragments in this case (http to 1.1.1.1) and blocks other fragments?
> If I got it right, there is no way to detect if a fragment belongs to the http session.
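The point made in this thread, as an added example that is not part of the original messages: one HTTP segment is split into IPv4 fragments, and only the first fragment still carries the TCP ports that `eq 80` could be checked against. The address 10.0.0.5, the sample segment and all function names are constructed for illustration; `acl_101` is a simplified model of the three quoted lines and assumes the `fragments` keyword matches only non-initial fragments.

```python
import socket
import struct

# Constructed sample: 20-byte TCP header (src port 40000, dst port 80) plus an HTTP request.
SAMPLE_TCP = struct.pack("!HHLLBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 8192, 0, 0) \
    + b"GET /index.html HTTP/1.0\r\n\r\n"

def build_fragments(src, dst, tcp_segment, chunk=16, ident=0x1234):
    """Split one TCP segment into IPv4 fragments (chunk must be a multiple of 8)."""
    frags = []
    for off in range(0, len(tcp_segment), chunk):
        data = tcp_segment[off:off + chunk]
        more = 0x2000 if off + chunk < len(tcp_segment) else 0  # MF flag
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), ident,
                          more | (off // 8), 64, socket.IPPROTO_TCP,
                          0,  # header checksum left at 0; not needed for this demo
                          socket.inet_aton(src), socket.inet_aton(dst))
        frags.append(hdr + data)
    return frags

def classify(packet):
    """Return (is_noninitial_fragment, tcp_dst_port or None) as a packet filter sees it."""
    ihl = (packet[0] & 0x0F) * 4
    (flags_off,) = struct.unpack("!H", packet[6:8])
    if flags_off & 0x1FFF:            # fragment offset > 0
        return True, None             # payload is mid-segment bytes, no TCP header
    if packet[9] != socket.IPPROTO_TCP:
        return False, None
    _sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return False, dport

def acl_101(packet):
    """Simplified top-down evaluation of the three quoted access-list 101 lines."""
    dst = socket.inet_ntoa(packet[16:20])
    noninitial, dport = classify(packet)
    if dst == "1.1.1.1" and noninitial:
        return "deny (line 1: fragments)"
    if dst == "1.1.1.1" and dport == 80:
        return "permit (line 2: tcp eq 80)"
    return "deny (line 3: ip any any)"

if __name__ == "__main__":
    for i, frag in enumerate(build_fragments("10.0.0.5", "1.1.1.1", SAMPLE_TCP)):
        print(i, classify(frag), acl_101(frag))
```

The first fragment is permitted and the later ones are dropped by line 1, so the fragmented request can never be reassembled at the server.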


