From owner-freebsd-isp Fri Feb 23 14:56:16 2001
Delivered-To: freebsd-isp@freebsd.org
Received: from freesbee.wheel.dk (freesbee.wheel.dk [193.162.159.97])
	by hub.freebsd.org (Postfix) with ESMTP id 7353637B4EC
	for ; Fri, 23 Feb 2001 14:56:12 -0800 (PST)
	(envelope-from jesper@skriver.dk)
Received: by freesbee.wheel.dk (Postfix, from userid 1001)
	id 8B08E3E6B; Fri, 23 Feb 2001 23:56:11 +0100 (CET)
Date: Fri, 23 Feb 2001 23:56:11 +0100
From: Jesper Skriver
To: Adrian Penisoara
Cc: freebsd-isp@freebsd.org
Subject: Re: Serial synchronous card for FreeBSD ?
Message-ID: <20010223235611.B22607@skriver.dk>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from ady@warpnet.ro on Fri, Feb 23, 2001 at 10:41:04AM +0200
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Feb 23, 2001 at 10:41:04AM +0200, Adrian Penisoara wrote:
> Hi,
>
> We are subject of many aggressive fragments attacks and we cannot filter
> them out (because we use a Cisco CPA2509 to branch to our satellite
> antenna -- it seems that there is _no_ version of Cisco IOS able to filter
> out _only_ fragment packets).

Not what you asked, but

girlpower(config)#access-list 100 deny tcp any any ?
  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  fragments    Check non-initial fragments
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  urg          Match on the URG bit

girlpower(config)#access-list 100 deny tcp any any fragments ?
  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  urg          Match on the URG bit

girlpower#sh ver
Cisco Internetwork Operating System Software
IOS (tm) 1600 Software (C1600-NOSY-M), Version 12.1(2)T, RELEASE SOFTWARE (fc1)

/Jesper

-- 
Jesper Skriver, jesper(at)skriver(dot)dk  -  CCIE #5456
Work:    Network manager   @ AS3292 (Tele Danmark DataNetworks)
Private: FreeBSD committer @ AS2109 (A much smaller network ;-)

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.
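What the `fragments` keyword in the help output above selects ("Check non-initial fragments"), as an added Python example that is not part of the original message. It models the entry `deny tcp any any fragments` as "protocol is TCP and IPv4 fragment offset is greater than zero", which is an assumption about the matching rule; the function names and the sample headers are constructed for illustration.

```python
import struct

TCP, UDP = 6, 17
MF_FLAG, OFFSET_MASK = 0x2000, 0x1FFF   # "more fragments" bit, 13-bit offset

def build_header(proto, offset_units, more_fragments):
    """Constructed 20-byte IPv4 header (no options, checksum left at 0)."""
    flags_frag = (MF_FLAG if more_fragments else 0) | (offset_units & OFFSET_MASK)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, flags_frag, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))

def fragment_fields(header):
    """Return (protocol, MF flag, fragment offset in bytes)."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    (flags_frag,) = struct.unpack_from("!H", header, 6)
    # The offset field counts 8-byte units.
    return header[9], bool(flags_frag & MF_FLAG), (flags_frag & OFFSET_MASK) * 8

def classify(header):
    _, more, offset = fragment_fields(header)
    if offset > 0:
        return "non-initial fragment"
    return "initial fragment" if more else "unfragmented"

def matches_deny_tcp_fragments(header):
    """Assumed model of 'access-list 100 deny tcp any any fragments'."""
    proto, _, offset = fragment_fields(header)
    return proto == TCP and offset > 0

# Constructed samples: one datagram split at 1480-byte boundaries, plus controls.
SAMPLES = {
    "tcp whole":  build_header(TCP, 0, False),
    "tcp first":  build_header(TCP, 0, True),
    "tcp middle": build_header(TCP, 185, True),
    "tcp last":   build_header(TCP, 370, False),
    "udp last":   build_header(UDP, 185, False),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        verdict = "deny" if matches_deny_tcp_fragments(hdr) else "next entry"
        print(f"{name:10s} {classify(hdr):22s} {verdict}")
```

Under this model the first fragment, which carries the TCP header, is not matched by the entry and falls through to the rest of the list.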