Great Circle Associates Firewalls
(June 1996)
 


Subject: Re: cisco access list quest -- IP options and tiny frags
From: Michel Lavondes <lavondes @ tidtest . total . fr>
Date: Mon, 24 Jun 1996 13:00:47 +0100
To: Chris Kostick <ckostick @ csc . com>
Cc: "'firewalls @ greatcircle . com'" <firewalls @ greatcircle . com>
In-reply-to: Your message of "Fri, 21 Jun 1996 17:17:55 EDT."

In message <01BB5F95 . 96C6D700 @ ckostick . sed . csc . com>, Chris Kostick writes:
> I tried this on the cisco newsgroup with no response. I thought
> some bright person on this list would know.
> 
> I want to be able to have an access list rule that will prevent
> packets with IP options from going through the router. Is there
> a way of doing this? If it's specific to a particular IOS then please
> let me know.
> 
> As a follow-up, I'm interested in eliminating tiny fragments. I.e.
> ones where the Fragment Offset = 1. How can I do this in an access
> list? Thanks for any info.
> 
This is probably (related to) what the cisco advisory of about 1 year
ago was about. I think recent IOS versions do more or less what you
want automagically, but without something official from cisco saying
how exactly they handle dubious fragments, there's no way to be sure.

I hate STO

Michel Lavondes (lavondes @ tidtest . total . fr)
#include <disclaimer.h>
Governments are guilty until proved innocent
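
The two conditions asked about in the quoted question (IP options present, Fragment Offset = 1), as an added example that is not part of the original message and is not Cisco configuration: Python that parses an IPv4 header and reports why a filter applying those two rules would drop it. The function names, reason strings and sample headers are constructed for illustration.

```python
import struct

# Well-known IPv4 option type numbers; anything else is reported by number.
OPTION_NAMES = {7: "record-route", 68: "timestamp",
                131: "loose-source-route", 137: "strict-source-route"}

def parse_options(raw: bytes) -> list:
    """Walk the option bytes that follow the fixed 20-byte header."""
    names, i = [], 0
    while i < len(raw):
        opt = raw[i]
        if opt == 0:                      # End of Option List
            break
        if opt == 1:                      # No-Operation, single byte
            i += 1
            continue
        # Every other option is type, length, data; reject impossible lengths.
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            names.append("malformed-option")
            break
        names.append(OPTION_NAMES.get(opt, f"option-{opt}"))
        i += raw[i + 1]
    return names

def drop_reasons(packet: bytes) -> list:
    """Return the reasons to drop; an empty list means neither rule matched."""
    if len(packet) < 20:
        return ["truncated-header"]
    ver_ihl, _tos, _length, _ident, flags_frag = struct.unpack("!BBHHH", packet[:8])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        return ["malformed-header"]
    reasons = []
    if ihl > 5:                           # header longer than 20 bytes: options
        opts = parse_options(packet[20:ihl * 4])
        reasons.append("ip-options:" + ",".join(opts or ["padding-only"]))
    if flags_frag & 0x1FFF == 1:          # low 13 bits = offset in 8-octet units
        reasons.append("fragment-offset-1")
    return reasons

def sample_header(options: bytes = b"", frag_field: int = 0) -> bytes:
    """Constructed test header; checksum is left zero and is not validated."""
    options += b"\x00" * (-len(options) % 4)      # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0x1234,
                       frag_field, 64, 6, 0, bytes([192, 0, 2, 1]),
                       bytes([198, 51, 100, 7])) + options
```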
