cisco4ng wrote:
> I would like to block ICMP traffic with a packet size exactly equal
> to 72 bytes and 92 bytes while allowing other ICMP traffic.
> According to Nokia resolution 3131, I just create a user-defined
> service, under the match box, put in the following: "icmp, ip_len = 72".
> I also create another user-defined service and do the same thing
> for the 92 bytes. Create a rule and drop this traffic.
> The problem is that when I initiate ICMP traffic with a packet length
> of 72 bytes (ping -s 72 x.x.x.x), the firewall drops this traffic
> but not the 92 byte ICMP traffic (ping -s 92 x.x.x.x).
I think the problem may be with your test, not your rules. What
ping are you using in this test, i.e. what OS? The '-s' option,
when it is an option to specify "size," usually has something
to do with the size of the ICMP payload. In the *BSDs and Linux
(some distros), the '-s' option is usually going to be how many
bytes of data are in the echo request (the '-s' option isn't size
related in Windows or Solaris, didn't look at HPUX, AIX, etc.).
So, "-s 72" would usually mean 20 + 8 + 72 = 100 byte packet,
due to the IP and ICMP echo header lengths.
But that wouldn't make a lot of sense here. What would make sense
is if the '-s' option was the whole ICMP payload length, including
the header. Then, 20 + 72 = 92 byte packets. So the "ping -s 72
x.x.x.x" test works because it's actually being blocked by the 92
byte packet rule. Is that what is going on here?
> I am running NG with AI R55W and HFA-02. Has anyone run into
> a similar problem like this one?
> cisco4ng
> P.S. With Cisco IOS, I can perform this in like 1 minute.
> ! each route-map entry needs its own sequence number; a second
> ! "permit 10" would overwrite the first instead of adding to it
> route-map DROP permit 10
>  match ip address ICMP
>  match length 72 72
>  set interface Null0
> route-map DROP permit 20
>  match ip address ICMP
>  match length 92 92
>  set interface Null0
> ip access-list extended ICMP
>  permit icmp any any
> ! the route-map only takes effect once it is applied to the ingress
> ! interface with "ip policy route-map DROP"
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
--
Crist J. Clark crist.clark AT globalstar DOT com
Globalstar Communications (408) 933-4387
The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.
If the reader of this e-mail is not the intended recipient, or the
employee or agent responsible to deliver it to the intended recipient,
you are hereby notified that any review, dissemination, distribution or
copying of this communication is strictly prohibited. If you have
received this e-mail in error, please contact postmaster AT globalstar DOT com
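The arithmetic in the reply (IP header 20 bytes + ICMP echo header 8 bytes + data) is easy to get wrong when writing an ip_len rule, so here is an added example, not part of the original thread, that builds a real IPv4/ICMP echo request of a given "ping -s" data size, reads the IP total length back out of the header, and checks whether a rule set like the one described (drop ICMP with ip_len 72 or 92) would match it. The packet builder, the rule check, and the 0.0.0.0 addresses are assumptions for the demonstration; the two '-s' interpretations compared are the ones discussed above (data only, as Linux/BSD ping uses it, versus ICMP header plus data).

```python
import struct

IP_HEADER_LEN = 20    # IPv4 header without options
ICMP_HEADER_LEN = 8   # ICMP echo header: type, code, checksum, id, seq
ICMP_PROTO = 1

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over a byte string (used for both IP and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo_request(data_len: int, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Build an IPv4 + ICMP echo request carrying data_len bytes of data,
    i.e. what Linux/BSD 'ping -s data_len' puts on the wire (constructed
    packet; source/destination are placeholder 0.0.0.0)."""
    data = bytes(i & 0xFF for i in range(data_len))
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    icmp = icmp[:2] + struct.pack("!H", ones_complement_sum(icmp)) + icmp[4:]
    total_len = IP_HEADER_LEN + len(icmp)
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                     ICMP_PROTO, 0, bytes(4), bytes(4))
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + icmp

def ip_len(packet: bytes) -> int:
    """IP total length field, the value a firewall 'ip_len' match sees."""
    return struct.unpack("!H", packet[2:4])[0]

def rule_matches(packet: bytes, blocked_lengths=(72, 92)) -> bool:
    """Model of the two user-defined services: protocol ICMP and an
    exact IP total length of 72 or 92 bytes."""
    return packet[9] == ICMP_PROTO and ip_len(packet) in blocked_lengths

def ping_s_to_ip_len(s: int, semantics: str) -> int:
    """IP total length produced by 'ping -s s' under each reading of -s."""
    if semantics == "data":        # Linux/BSD: -s is ICMP data only
        return IP_HEADER_LEN + ICMP_HEADER_LEN + s
    if semantics == "icmp_total":  # -s is ICMP header + data
        return IP_HEADER_LEN + s
    raise ValueError(semantics)

def data_len_for_ip_len(target: int) -> int:
    """The '-s' value a Linux/BSD ping needs to hit a given ip_len."""
    return target - IP_HEADER_LEN - ICMP_HEADER_LEN

if __name__ == "__main__":
    for s in (72, 92):
        pkt = build_echo_request(s)
        print("ping -s %d -> ip_len %d, dropped: %s" % (s, ip_len(pkt), rule_matches(pkt)))
    for target in (72, 92):
        print("to hit ip_len %d use: ping -s %d" % (target, data_len_for_ip_len(target)))
```

Run stand-alone, it shows that with data-only '-s' semantics neither "-s 72" nor "-s 92" produces a 72 or 92 byte packet (they give 100 and 120), while under the header-inclusive reading "-s 72" yields exactly the 92 byte packet the second rule drops, which is the behaviour the thread describes; to exercise both rules from a Linux/BSD host the test sizes would be "-s 44" and "-s 64".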