SROS Command Line Interface Reference Guide Global Configuration Mode Command Set
5991-2114 © Copyright 2005 Hewlett-Packard Development Company, L.P. 274
Case 4: Packets from interfaces without a configured policy class to other interfaces without a configured policy class
This traffic is routed normally. The ip firewall command has no effect on this traffic.
Attack Protection:
When the ip firewall command is enabled, firewall attack protection is enabled. The Secure Router OS blocks traffic that matches the patterns of known networking exploits from traveling through the device. For some of these attacks the user may manually disable the checking/blocking; the other attack checks are always on whenever the firewall is enabled.
The table (on the following pages) outlines the types of traffic discarded by the Firewall Attack Protection
Engine. Many attacks use similar invalid traffic patterns; therefore attacks other than the examples listed
below may also be blocked by the firewall. To determine if a specific attack is blocked by the Secure Router
OS firewall, please contact technical support.
Invalid Traffic Pattern: Larger than allowed packets
Manually Enabled? No
OS Firewall Response: Any packets that are longer than those defined by standards will be dropped.
Common Attacks: Ping of Death

Invalid Traffic Pattern: Fragmented IP packets that produce errors when attempting to reassemble
Manually Enabled? No
OS Firewall Response: The firewall intercepts all fragments for an IP packet and attempts to reassemble them before forwarding to the destination. If any problems or errors are found during reassembly, the fragments are dropped.
Common Attacks: SynDrop, TearDrop, OpenTear, Nestea, Targa, Newtear, Bonk, Boink

Invalid Traffic Pattern: Smurf Attack
Manually Enabled? No
OS Firewall Response: The firewall will drop any ping responses that are not part of an active session.
Common Attacks: Smurf Attack

Invalid Traffic Pattern: IP Spoofing
Manually Enabled? No
OS Firewall Response: The firewall will drop any packets with a source IP address that appears to be spoofed. The IP route table is used to determine if a path to the source address is known (out of the interface from which the packet was received). For example, if a packet with a source IP address of 10.10.10.1 is received on interface fr 1.16 and no route to 10.10.10.1 (through interface fr 1.16) exists in the route table, the packet is dropped.
Common Attacks: IP Spoofing

Invalid Traffic Pattern: ICMP Control Message Floods and Attacks
Manually Enabled? No
OS Firewall Response: The following types of ICMP packets are allowed through the firewall: echo, echo-reply, TTL expired, destination unreachable, and source quench. These ICMP messages are only allowed if they appear to be in response to a valid session. All others are discarded.
Common Attacks: Twinge
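The IP spoofing check described above is a reverse-path lookup: the source address is looked up in the route table, and the packet is kept only if the matching route points back out the interface the packet arrived on. The following is an added illustration of that logic, not code from the Secure Router OS; the route table, interface names, and packet samples are constructed, and the lookup is a plain longest-prefix match.

```python
import ipaddress

# Constructed route table: (destination prefix, egress interface).
# Interface names follow the manual's style but are assumptions.
ROUTE_TABLE = [
    ("0.0.0.0/0", "eth 0/1"),       # default route out the WAN interface
    ("192.168.1.0/24", "eth 0/2"),  # local LAN
    ("10.20.0.0/16", "fr 1.16"),    # frame-relay sub-interface
]


def lookup_egress(route_table, address):
    """Longest-prefix match: return the egress interface for address, or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in route_table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def passes_spoof_check(route_table, src_ip, ingress_iface):
    """True when the route back to src_ip leaves through the ingress interface.

    This is the check the manual describes: a packet from 10.10.10.1 arriving on
    fr 1.16 is dropped unless the route to 10.10.10.1 points out fr 1.16.
    """
    return lookup_egress(route_table, src_ip) == ingress_iface


def filter_packets(route_table, packets):
    """Apply the check to (src_ip, ingress_iface) pairs and return verdicts."""
    verdicts = []
    for src_ip, iface in packets:
        if passes_spoof_check(route_table, src_ip, iface):
            verdicts.append((src_ip, iface, "forward"))
        else:
            verdicts.append((src_ip, iface, "drop: spoofed source"))
    return verdicts


if __name__ == "__main__":
    # Constructed sample packets; the first mirrors the manual's example.
    samples = [("10.10.10.1", "fr 1.16"), ("10.20.5.7", "fr 1.16"),
               ("192.168.1.50", "eth 0/1")]
    for verdict in filter_packets(ROUTE_TABLE, samples):
        print(verdict)
```

A route table with no route at all to the source (no default route) also fails the check, since the lookup returns no interface.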