Fragment control in access-lists.

From: Matt White (mwhite23@gmail.com)
Date: Thu Mar 03 2005 - 12:43:05 GMT-3


According to the example on the Doc CD (link below), in order to
deny fragments to, say, a web server, you initially need to deny
fragments to everything and then permit 80 in.

Can someone explain why you cannot initially deny fragments to just
port 80, or am I just completely off base here?

Thanks.

!
access-list 101 deny ip any host 1.1.1.1 fragments
access-list 101 permit tcp any host 1.1.1.1 eq 80
access-list 101 deny ip any any
!

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcprt1/1cfip.htm#1129413
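The fragment-handling rules behind the three-line ACL in the post, as an added example (not from the post or from Cisco's code): a toy evaluator that applies the documented IOS behaviour and shows why dropping the leading `fragments` entry lets non-initial fragments through the `permit tcp ... eq 80` line.

```python
# Added example (not from the post or Cisco): toy model of how an IOS
# extended ACL evaluates fragments. Non-initial fragments carry no Layer 4
# header, so an entry with port information matches them on Layer 3 alone
# when it is a permit and is skipped when it is a deny; the 'fragments'
# keyword matches only non-initial fragments and cannot carry port info.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" or "tcp"
    dst: str                    # destination host or "any"
    port: Optional[int] = None  # Layer 4 destination port, if any
    fragments: bool = False     # 'fragments' keyword present

@dataclass
class Packet:
    dst: str
    proto: str
    port: Optional[int]         # None for non-initial fragments
    non_initial: bool

def l3_match(ace, pkt):
    return ace.dst in ("any", pkt.dst) and ace.proto in ("ip", pkt.proto)

def evaluate(acl, pkt):
    # Returns "permit" or "deny"; implicit deny at the end of the list.
    for ace in acl:
        if not l3_match(ace, pkt):
            continue
        if ace.fragments:               # only non-initial fragments match
            if pkt.non_initial:
                return ace.action
            continue
        if ace.port is None:            # pure Layer 3 entry
            return ace.action
        if pkt.non_initial:             # no L4 header to compare against
            if ace.action == "permit":
                return "permit"
            continue                    # deny with L4 info is skipped
        if pkt.port == ace.port:
            return ace.action
    return "deny"

# Constructed ACL mirroring the post's three lines; the second list drops
# the leading 'fragments' entry to show what changes.
ACL_101 = [Ace("deny", "ip", "1.1.1.1", fragments=True),
           Ace("permit", "tcp", "1.1.1.1", port=80),
           Ace("deny", "ip", "any")]
ACL_NO_FRAG_LINE = ACL_101[1:]
NON_INITIAL = Packet("1.1.1.1", "tcp", None, non_initial=True)
```

With the `fragments` line present a non-initial fragment to 1.1.1.1 is denied; without it, the permit for port 80 matches the fragment on Layer 3 alone and lets it through, which is why the example denies fragments first rather than per port.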



This archive was generated by hypermail 2.1.4 : Sun Apr 03 2005 - 17:56:39 GMT-3