Configuring Packet Filter To Filter Fragments - 3Com 3C13636 Configuration Manual

3Com Router 3000 Ethernet Family
Configuration Guide
Table 6-3 Apply ACL on the interface
Specify the rule of filtering transmitting
and receiving packets in the interface
Remove the rule of filtering transmitting
and receiving packets in the interface
You can only use the parameter outbound for interface-based ACL (ACL 1000 to
1999).
The match-fragments keyword can be applied to advanced ACLs only. For
information about how to configure packet filter to filter fragments, refer to section 6.2.4

"Configuring Packet Filter to Filter Fragments".

The standard matching is used by default.
6.2.4 Configuring Packet Filter to Filter Fragments
The following are the configuration tasks for filtering fragments based on source
address and/or time range information:
Configure a basic ACL
Apply the basic ACL on the interface
The following are the configuration tasks for filtering fragments based on layer 4
information:
Configure an advanced ACL
Enable packet filter fragment inspection
Configure the upper/lower threshold of fragment inspection (optional)
Apply the advanced ACL on the interface
I. Configuring an ACL
To filter non-first fragments only, you must specify the fragment keyword in the rule
command used for configuring a basic or advanced ACL.
Operation
3Com Corporation
6-7
Chapter 6 Firewall Configuration
Command
firewall packet-filter
{ inbound |
[ match-fragments
exactly } ]
undo firewall packet-filter acl-number
{ inbound | outbound }
acl-number
outbound }
{ normally |