From: Baety Wayne A 30 SIG BN RS3 (cn) (BaetyWA@schofield.army.mil)
Date: Tue Jul 27 2004 - 17:02:06 GMT-3
You could just permit the port 80 traffic before denying fragments...
Just a thought ;)
WAYNE A. BAETY, Contr, 30SIG BN
MCSE+I, MCSD, MCDBA, CCNP+Voice
Resident System Support Specialist
Office: (808) 655-6761
Cell: (808) 779-3776
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
gladston@br.ibm.com
Sent: Tuesday, July 27, 2004 8:47 AM
To: ccielab@groupstudy.com
Subject: Fragments
The following list is from a Cisco example.
access-list 101 deny ip any host 1.1.1.1 fragments
access-list 101 permit tcp any host 1.1.1.1 eq 80
access-list 101 deny ip any any
If a host is accessing server 1.1.1.1 and the communication needs to send
fragmented packets, it will not work, right?
Would there be a better solution, one that allows fragments in this case (http to
1.1.1.1) and blocks other fragments?
If I got it right, there is no way to detect if a fragment belongs to the
http session.
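The ACL behaviour being discussed above, worked through as an added example that is not part of either post and not Cisco code: a small Python simulator of the fragment-matching rules IOS documents for numbered ACLs (entries with the fragments keyword apply only to non-initial fragments; an L3-only entry matches whole packets and every fragment; an entry with L4 fields matches non-initial fragments, which carry no L4 header, if it is a permit and is skipped if it is a deny). It parses the three lines quoted from the Cisco example plus the reordered version suggested in the reply and runs constructed sample traffic through both. The client address 10.0.0.5, the fragment offset, and the helper names are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str             # IP protocol: in the IP header, so present in every fragment
    src: str
    dst: str
    dport: Optional[int]   # None on a non-initial fragment: there is no L4 header to read
    frag_offset: int = 0   # 0 = whole packet or initial fragment, >0 = non-initial fragment

    @property
    def non_initial(self) -> bool:
        return self.frag_offset > 0


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol
    src: Optional[str]     # None = any
    dst: Optional[str]     # None = any
    dport: Optional[int]   # None = entry carries no L4 match
    fragments: bool = False


def parse_ace(line: str) -> Ace:
    """Parse the ACL syntax subset used in the post:
    access-list N {permit|deny} PROTO {any|host A} {any|host B} [eq PORT] [fragments]"""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(line)
    pos = 2
    action, proto = tok[pos], tok[pos + 1]
    pos += 2

    def addr() -> Optional[str]:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return None
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1]
        raise ValueError(f"unsupported address form: {tok[pos]}")

    src, dst = addr(), addr()
    dport, fragments = None, False
    while pos < len(tok):
        if tok[pos] == "eq":
            dport = int(tok[pos + 1])
            pos += 2
        elif tok[pos] == "fragments":
            fragments = True
            pos += 1
        else:
            raise ValueError(f"unsupported keyword: {tok[pos]}")
    return Ace(action, proto, src, dst, dport, fragments)


def l3_match(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and ace.src in (None, pkt.src)
            and ace.dst in (None, pkt.dst))


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Walk the ACL top-down using IOS's documented fragment rules; return 'permit' or 'deny'."""
    for ace in acl:
        if not l3_match(ace, pkt):
            continue
        if ace.fragments:
            if pkt.non_initial:       # 'fragments' entries apply to non-initial fragments only
                return ace.action
            continue
        if ace.dport is None:         # L3-only entry: matches whole packets and all fragments
            return ace.action
        if not pkt.non_initial:       # whole packet or initial fragment: L4 header available
            if pkt.dport == ace.dport:
                return ace.action
            continue
        # Non-initial fragment against an entry with L4 fields: the port cannot be checked.
        # IOS treats a permit entry as a match and moves past a deny entry.
        if ace.action == "permit":
            return "permit"
    return "deny"                     # implicit deny at the end of every ACL


CISCO_ORDER = [parse_ace(l) for l in (
    "access-list 101 deny ip any host 1.1.1.1 fragments",
    "access-list 101 permit tcp any host 1.1.1.1 eq 80",
    "access-list 101 deny ip any any",
)]
PERMIT_FIRST = [parse_ace(l) for l in (
    "access-list 101 permit tcp any host 1.1.1.1 eq 80",
    "access-list 101 deny ip any host 1.1.1.1 fragments",
    "access-list 101 deny ip any any",
)]

# Constructed sample traffic from a hypothetical client 10.0.0.5 toward the web server.
SAMPLES = {
    "http_initial": Packet("tcp", "10.0.0.5", "1.1.1.1", 80),
    "http_tail":    Packet("tcp", "10.0.0.5", "1.1.1.1", None, frag_offset=185),
    "telnet_whole": Packet("tcp", "10.0.0.5", "1.1.1.1", 23),
    "telnet_tail":  Packet("tcp", "10.0.0.5", "1.1.1.1", None, frag_offset=185),  # same bytes as http_tail
    "udp_tail":     Packet("udp", "10.0.0.5", "1.1.1.1", None, frag_offset=185),
}


def verdicts(acl: List[Ace]) -> dict:
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("Cisco example order", CISCO_ORDER), ("permit 80 first", PERMIT_FIRST)):
        print(label, verdicts(acl))
```

Running it shows both halves of the thread: in the quoted order the non-initial fragments of the HTTP reply are denied by the first line, so a fragmented HTTP exchange fails; with the permit moved first they pass, but so does every non-initial TCP fragment to 1.1.1.1, because the router has no port to check on them (telnet_tail and http_tail are byte-identical). Only non-TCP fragments still hit the deny line, which is the trade-off the reordering buys.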
This archive was generated by hypermail 2.1.4 : Sun Aug 01 2004 - 10:12:04 GMT-3