I would like to block ICMP traffic with a packet size exactly equal
to 72 bytes and 92 bytes while allowing other ICMP traffic.
According to Nokia resolution 3131, I just create a user-defined
service and, under the match box, put in the following: "icmp, ip_len =72".
I also create another user-defined service and do the same thing
for the 92 bytes. Create a rule and drop this traffic.

The problem is that when I initiate ICMP traffic with a packet length
of 72 bytes (ping -s 72 x.x.x.x), the firewall drops this traffic
but not the 92-byte ICMP traffic (ping -s 92 x.x.x.x).

I am running NG with AI R55W and HFA-02. Has anyone run into
a similar problem to this one?

cisco4ng
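P.S. With Cisco IOS, I can perform this in like 1 minute.

! Sequence 10: ICMP packets of exactly 72 bytes go to Null0
route-map DROP permit 10
 match ip address ICMP
 match length 72 72
 set interface Null0
! Sequence 20: reusing "permit 10" would edit the entry above and replace its match length
route-map DROP permit 20
 match ip address ICMP
 match length 92 92
 set interface Null0
ip access-list extended ICMP
 permit icmp any any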