Date: Fri, 23 Feb 2001 23:56:11 +0100
From: Jesper Skriver <jesper@skriver.dk>
To: Adrian Penisoara <ady@warpnet.ro>
Cc: freebsd-isp@freebsd.org
Subject: Re: Serial synchronous card for FreeBSD ?
Message-ID: <20010223235611.B22607@skriver.dk>
In-Reply-To: <Pine.BSF.4.10.10102231036070.77961-100000@ady.warpnet.ro>; from ady@warpnet.ro on Fri, Feb 23, 2001 at 10:41:04AM +0200
References: <Pine.BSF.4.10.10102231036070.77961-100000@ady.warpnet.ro>

On Fri, Feb 23, 2001 at 10:41:04AM +0200, Adrian Penisoara wrote:
> Hi,
>
>  We are subject of many aggressive fragments attacks and we cannot filter
> them out (because we use a Cisco CPA2509 to branch to our satellite
> antenna -- it seems that there is _no_ version of Cisco IOS able to filter
> out _only_ fragment packets).

Not what you asked, but

girlpower(config)#access-list 100 deny tcp any any ?
  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  fragments    Check non-initial fragments
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  urg          Match on the URG bit
  <cr>

girlpower(config)#access-list 100 deny tcp any any fragments ?
  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  urg          Match on the URG bit
  <cr>

girlpower#sh ver
Cisco Internetwork Operating System Software
IOS (tm) 1600 Software (C1600-NOSY-M), Version 12.1(2)T,  RELEASE SOFTWARE (fc1)

/Jesper

-- 
Jesper Skriver, jesper(at)skriver(dot)dk  -  CCIE #5456
Work:    Network manager   @ AS3292 (Tele Danmark DataNetworks)
Private: FreeBSD committer @ AS2109 (A much smaller network ;-)

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
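
What "Check non-initial fragments" in the help output above selects on, as an added example that is not part of the original message: a Python model that reads the IPv4 flags/fragment-offset field and treats a non-zero offset as a non-initial fragment. The function names and sample headers are constructed for illustration, and the match rule is a simplified model of the ACL entry, not Cisco's implementation.

```python
import struct

TCP, UDP = 6, 17

def build_ipv4_header(proto, more_fragments, offset_units, ident=0x1234):
    """Constructed 20-byte IPv4 header (checksum left at 0; sample data only)."""
    flags_frag = ((1 if more_fragments else 0) << 13) | (offset_units & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ident, flags_frag,
                       64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))

def classify(header):
    """Return 'unfragmented', 'initial-fragment' or 'non-initial-fragment'."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    flags_frag = struct.unpack("!H", header[6:8])[0]
    more_fragments = bool(flags_frag & 0x2000)   # MF flag
    offset_units = flags_frag & 0x1FFF           # offset in 8-byte units
    if offset_units:
        return "non-initial-fragment"
    return "initial-fragment" if more_fragments else "unfragmented"

def matches_deny_tcp_fragments(header):
    """Model of 'deny tcp any any fragments': protocol TCP and offset > 0.

    Non-initial fragments carry no TCP header, so only layer-3 fields
    (addresses, protocol) can be compared for them.
    """
    return header[9] == TCP and classify(header) == "non-initial-fragment"

# Constructed sample headers: one whole packet, a three-fragment TCP
# datagram, and a UDP fragment that a 'tcp' entry does not cover.
SAMPLES = {
    "tcp-whole":  build_ipv4_header(TCP, False, 0),
    "tcp-first":  build_ipv4_header(TCP, True, 0),
    "tcp-middle": build_ipv4_header(TCP, True, 185),
    "tcp-last":   build_ipv4_header(TCP, False, 370),
    "udp-middle": build_ipv4_header(UDP, True, 185),
}

def verdicts(samples=SAMPLES):
    """Map each sample to 'deny' or 'next-entry' under the modelled entry."""
    return {name: "deny" if matches_deny_tcp_fragments(h) else "next-entry"
            for name, h in samples.items()}

if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:11s} {classify(SAMPLES[name]):21s} {verdict}")
```

The initial fragment (offset 0, MF set) is not matched by the modelled entry and falls through to later entries, which is why a `tcp ... fragments` line alone leaves first fragments and non-TCP fragments untouched.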