06-16-2003 09:12 PM - edited 03-09-2019 03:41 AM
I was sitting here just reading some stuff about CBAC; this is what it said.
The following example causes the software to start deleting half-open sessions when more than 1000 session establishment attempts have been detected in the last minute, and to stop deleting half-open sessions when fewer than 950 session establishment attempts have been detected in the last minute:
ip inspect one-minute high 1000
ip inspect one-minute low 950
My question is: what is a half-opened session? Also, does the ip inspect name mynamedlist fragment specify packet fragmentation due to MTU, or is that for something else?
Thanks for clearing up my questions!
06-16-2003 10:04 PM
Hi
Half open session -- is a session which is not complete. For TCP this means that it has not reached the established state. For UDP, this means that the firewall has detected traffic in one direction only (for a period of time).
The ip inspect for fragment is to drop any fragments which the firewall has seen before it saw the initial fragments of that packet.
Fragmentation can occur because of having to pass through different networks of different MTUs or when there is a frag attack.
The inspect is used for preventing frag attacks, i.e. when you are sure that your regular traffic (fragmented) does not come out of order.
Thanks
Nisha
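As an added illustration (not from this thread and not Cisco's code), the following small Python model shows the one-minute high/low hysteresis from the quoted configuration together with the half-open bookkeeping described in the answer above; the flow tuple, the millisecond clock and the "evict the oldest half-open entry" policy are assumptions made for the model.

```python
from collections import deque

# Thresholds from the quoted configuration:
#   ip inspect one-minute high 1000
#   ip inspect one-minute low 950
HIGH, LOW = 1000, 950
WINDOW_MS = 60_000          # "in the last minute"; timestamps are integer milliseconds


class OneMinuteGuard:
    """Simplified model (assumption: IOS internals differ) of CBAC's one-minute
    high/low hysteresis: count session establishment attempts in a sliding 60 s
    window, start deleting half-open sessions once the count exceeds `high`,
    and stop only when it falls below `low`."""

    def __init__(self, high=HIGH, low=LOW, window_ms=WINDOW_MS):
        self.high, self.low, self.window_ms = high, low, window_ms
        self.attempts = deque()     # timestamps of attempts still inside the window
        self.half_open = {}         # flow -> first-seen time; insertion order = age
        self.deleting = False

    def _expire(self, now):
        while self.attempts and now - self.attempts[0] >= self.window_ms:
            self.attempts.popleft()

    def attempts_last_minute(self, now):
        self._expire(now)
        return len(self.attempts)

    def syn(self, now, flow):
        """Record a session establishment attempt (a TCP SYN, or the first packet
        of a UDP flow). Returns the half-open flow evicted, if any."""
        self._expire(now)
        self.attempts.append(now)
        n = len(self.attempts)
        if n > self.high:
            self.deleting = True
        elif n < self.low:
            self.deleting = False   # between low and high the mode is unchanged
        evicted = None
        if self.deleting and self.half_open:
            # Deletion mode: drop the oldest half-open session to make room
            # (modelling assumption; IOS decides which entries to age out).
            evicted = next(iter(self.half_open))
            del self.half_open[evicted]
        self.half_open[flow] = now
        return evicted

    def established(self, flow):
        """TCP handshake completed, or UDP return traffic seen: no longer half-open."""
        self.half_open.pop(flow, None)


def flood(guard, n, start_ms=0, gap_ms=10):
    """Constructed sample input: n SYNs from distinct flows, one every gap_ms."""
    for i in range(n):
        guard.syn(start_ms + i * gap_ms, ("198.51.100.%d" % (i % 250), 80, i))
    return guard
```

Running `flood(OneMinuteGuard(), 1000)` stays below the high watermark; the 1001st attempt within the minute switches the guard into deletion mode, and it only leaves that mode once fewer than 950 attempts remain in the window.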
06-16-2003 10:12 PM
Again I thank you for your response. You've been a great help. All the little pieces are coming together now. One more quick question. Could you help put this in perspective for me? For example, if you have a 256kb line that could vary in traffic saturation, what would you choose to pick for a fragment max? How often would they happen? And also, would there be a way to find out? Somewhere on the router? Well, I'm all out of questions now...2:13am....
-Mike