
Blocking IP fragments

_maurice_maurice Member Posts: 142
I am unable to block IP fragments using the IOS zone-based firewall.

Traditional ACLs applied inbound on an interface still block IP fragments. Route-maps applied on an interface can still detect and manipulate fragments. But when an ACL is used in a zone-based policy-map, the IOS just allows the fragment in. I can't block a fragment using a policy-map...

ip access-list extended frag-acl
 permit ip any any fragments
 deny ip any any
class-map type inspect match-all frag-class
 match access-group name frag-acl
policy-map type inspect wan-to-lan-policy
 class type inspect frag-class
  drop
 class class-default
  drop
zone-pair security wan-to-lan source wan destination lan
 service-policy type inspect wan-to-lan-policy

With these commands, any initial or non-initial fragment has a golden ticket to bypass the firewall. Non-fragments get blocked as expected by the class-default. Any suggestions?
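To confirm from a packet capture which traffic crossing the zone pair is an initial fragment, a non-initial fragment, or unfragmented, the following added example (not part of the original post) classifies IPv4 headers by the MF flag and fragment offset. The sample headers, addresses and helper names are constructed for illustration.

```python
import socket
import struct

MF_FLAG = 0x2000      # "more fragments" bit in the 16-bit flags/offset word
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, counted in 8-byte units


def classify_ipv4(header: bytes) -> str:
    """Return 'non-fragment', 'initial-fragment' or 'non-initial-fragment'."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    version = header[0] >> 4
    ihl = (header[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(header) < ihl:
        raise ValueError("not a valid IPv4 header")
    (flags_off,) = struct.unpack_from("!H", header, 6)
    if flags_off & OFFSET_MASK:
        return "non-initial-fragment"   # offset > 0: middle or last fragment
    if flags_off & MF_FLAG:
        return "initial-fragment"       # offset 0 with MF set: first fragment
    return "non-fragment"


def build_header(flags_off: int, proto: int = 17) -> bytes:
    """Constructed 20-byte sample header (documentation addresses, checksum 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, flags_off, 64,
                       proto, 0, socket.inet_aton("192.0.2.10"),
                       socket.inet_aton("198.51.100.20"))


def summarize(headers) -> dict:
    """Count packets per fragment class, e.g. for packets seen on the lan side."""
    counts = {}
    for hdr in headers:
        kind = classify_ipv4(hdr)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed samples: DF-only packet, first fragment, middle and last fragment.
SAMPLES = [build_header(0x4000), build_header(0x2000),
           build_header(0x2000 | 185), build_header(185)]

if __name__ == "__main__":
    for name, count in summarize(SAMPLES).items():
        print(f"{name}: {count}")
```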