> From firewalls-owner @ GreatCircle . COM Fri Mar 24 08:55 EST 1995
> From: paul @ hawksbill . sprintmrn . com (Paul Ferguson)
> Subject: Re: Filtering TCP establish
> To: harrison @ wellfleet . com . au (Peter Harrison)
> Date: Fri, 24 Mar 1995 08:17:39 -0500 (EST)
> Cc: firewalls @ GreatCircle . COM (Firewalls List)
>
>
>
> > > Trick question: How simple (or difficult) is this for the 'average'
> > > user to accomplish on a Wf 7.x+ router?
> >
> > Well, it's certainly not as simple as appending the text 'established' to a
> > command string. But this is exactly the area where we are seeing improvements
> > in the configuration interface.
> >
> > To answer your question directly, you currently need to know the offset of the
> > ACK bit in the TCP header. Given that this is 107 bits from the end of the IP
> > header, you would select the following options within the Configuration Manager
> > traffic filter menu:
> >
> > Protocol: TCP
> > Header: After Network
> > Offset: 107
> > Length: 1
> > Range: 0x1
> >
> > As I said, somewhat more complex than a simple keyword, but you can apply the
> > same method to filter anything, anywhere in a packet. The power is provided
> > from the outset; the ease of use, unfortunately, only comes after being beaten
> > up by people who become frustrated with not being able to harness the
> > power..... :-)
> >
>
>
> Given that this may be construed as somewhat 'obscure' by 'average'
> users of Wf routers, it is by no means simple.
>
> In the same vein, how would one go about blocking all loose-source routed
> IP traffic on a particular interface?
>
> - paul
>
> _______________________________________________________________________________
> Paul Ferguson
> US Sprint tel: 703.689.6828
> Managed Network Engineering internet: paul @ hawk . sprintmrn . com
> Reston, Virginia USA http://www.sprintmrn.com
>
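The filter quoted above (Protocol TCP, Header After Network, Offset 107, Length 1, Range 0x1), worked through as an added Python example that is not part of the original message and is not Wellfleet's implementation. The function names and sample packets are constructed for illustration; the point is that measuring from the end of the IP header keeps the ACK test correct when IP options lengthen that header.

```python
import struct

def extract_bits(data: bytes, bit_offset: int, bit_length: int) -> int:
    """Return bit_length bits starting bit_offset bits into data, MSB first."""
    total = len(data) * 8
    if bit_offset + bit_length > total:
        raise ValueError("field extends past end of data")
    shift = total - bit_offset - bit_length
    return (int.from_bytes(data, "big") >> shift) & ((1 << bit_length) - 1)

def after_network(packet: bytes) -> bytes:
    """Bytes following the IPv4 header, whose length is IHL 32-bit words."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = packet[0] & 0x0F
    if ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("bad IHL")
    return packet[ihl * 4:]

def matches(packet: bytes, offset: int, length: int, lo: int, hi: int) -> bool:
    """Protocol TCP, Header 'After Network', then Offset/Length/Range."""
    try:
        payload = after_network(packet)
        if packet[9] != 6:  # IP protocol number 6 = TCP
            return False
        return lo <= extract_bits(payload, offset, length) <= hi
    except ValueError:
        return False  # malformed or truncated packets never match

def make_packet(tcp_flags: int, ip_options: bytes = b"") -> bytes:
    """Constructed sample packet: IPv4 + TCP headers, checksums left zero."""
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 20, 0, 0,
                     64, 6, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 23, 1, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    return ip + ip_options + tcp

ACK_FILTER = (107, 1, 0x1, 0x1)        # Offset, Length, Range from the message
SYN, ACK = 0x02, 0x10                  # TCP flag bits in byte 13 of the header
PADDING_OPTIONS = b"\x01\x01\x01\x00"  # constructed: three NOPs and End of List

if __name__ == "__main__":
    for name, pkt in [("SYN", make_packet(SYN)), ("SYN+ACK", make_packet(SYN | ACK)),
                      ("ACK with IP options", make_packet(ACK, PADDING_OPTIONS))]:
        print(f"{name:20} ACK bit set: {matches(pkt, *ACK_FILTER)}")
```

The same `matches` call with a different offset, length and range tests any other field after the IP header, which is the generality the message describes.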