HP ProCurve 7102dl Reference Manual page 398

SROS Command Line Interface Reference Guide
Case 1: Packets from interfaces with a configured policy class to any other interface
ACPs are applied when packets are received on an interface. If an interface has not been assigned a
policy class, by default it will allow all received traffic to pass through. If an interface has been assigned a
policy class but the firewall has not been enabled with the ip firewall command, traffic will flow normally
from this interface with no firewall processing.
Case 2: Packets that travel in and out of a single interface with a configured policy class
These packets are processed through the ACPs as if they were destined for another interface (identical to
Case 1).
Case 3: Packets from interfaces without a configured policy class to interfaces with one
These packets are routed normally and are not processed by the firewall. The ip firewall command has no
effect on this traffic.
Case 4: Packets from interfaces without a configured policy class to other interfaces without a configured policy class
This traffic is routed normally. The ip firewall command has no effect on this traffic.
Attack Protection:
When the ip firewall command is enabled, firewall attack protection is enabled. The SROS blocks traffic
matching the patterns of known networking exploits from traveling through the device. For some of these
attacks the user may manually disable the checking and blocking; the other attack checks are always on
whenever the firewall is enabled.
The table (on the following pages) outlines the types of traffic discarded by the Firewall Attack Protection
Engine. Many attacks use similar invalid traffic patterns; therefore attacks other than the examples listed
below may also be blocked by the firewall. To determine if a specific attack is blocked by the SROS
firewall, please contact technical support.
Invalid Traffic Pattern | Manually Enabled? | SROS Firewall Response | Common Attacks
----------------------- | ----------------- | ---------------------- | --------------
Larger than allowed packets | No | Any packets that are longer than those defined by standards will be dropped. | Ping of Death
Fragmented IP packets that produce errors when attempting to reassemble | No | The firewall intercepts all fragments for an IP packet and attempts to reassemble them before forwarding to destination. If any problems or errors are found during reassembly, the fragments are dropped. | SynDrop, TearDrop, OpenTear, Nestea, Targa, Newtear, Bonk, Boink

5991-2114
© Copyright 2007 Hewlett-Packard Development Company, L.P.
Global Configuration Mode Command Set
396
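The following Python model is added here and is not part of the SROS manual or of HP's firewall code; it implements the ACP-processing decision of Cases 1 to 4 and the two attack-protection checks in the table (oversize packets and fragments that fail reassembly). The fragment tuple format, the 8-byte offset unit from the IPv4 header and the assumption that the fragment set is complete are the model's own; which reassembly errors SROS actually flags is not documented on this page.

```python
IP_MAX_LEN = 65535  # largest IPv4 datagram length allowed by the standard


def acp_processed(ingress_has_class, firewall_enabled):
    """Cases 1-4 above: ACP processing applies only when the receiving
    interface has a policy class and 'ip firewall' is enabled; the egress
    interface (even when it is the same interface) does not matter."""
    return ingress_has_class and firewall_enabled


def check_packet_length(total_length):
    """Oversize check: drop any datagram longer than the standard allows."""
    return "drop" if total_length > IP_MAX_LEN else "forward"


def reassemble(fragments):
    """Reassemble-before-forward check for one datagram's fragments.
    fragments: list of (offset, payload, more_fragments) with offset in
    8-byte units; assumed complete (reassembly timer has expired).
    Returns ('forward', payload) or ('drop', reason)."""
    if not fragments:
        return ("drop", "no fragments")
    frags = sorted(fragments, key=lambda f: f[0])
    buf = bytearray()
    expected = 0  # byte offset the next fragment must start at
    last = len(frags) - 1
    for index, (offset, data, more) in enumerate(frags):
        start = offset * 8
        end = start + len(data)
        if end > IP_MAX_LEN:
            # Ping of Death: offset plus length runs past the 65535 limit
            return ("drop", "fragment ends at %d, exceeds %d" % (end, IP_MAX_LEN))
        if more and len(data) % 8:
            return ("drop", "non-final fragment length not a multiple of 8")
        if start < expected:
            # Teardrop family: fragment overlaps data already received
            return ("drop", "overlap at byte %d" % start)
        if start > expected:
            return ("drop", "gap before byte %d" % start)
        if more and index == last:
            return ("drop", "last fragment still has MF set")
        if not more and index != last:
            return ("drop", "fragment after the final fragment")
        buf += data
        expected = end
    return ("forward", bytes(buf))
```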