ProCurve Secure Router OS Firewall—Protecting the Internal, Trusted Network
Configuring Attack Checking

Packet                                                     Associated Attack
---------------------------------------------------------  -----------------
all ICMP packets except:                                   Twinge
  • echo
  • echo-reply
  • ttl expired
  • destination unreachable
  • quench
falsified IP header (the length bit does not match         • Jolt
the actual length)                                         • Jolt2
UDP echo packets                                           • Chargen
                                                           • Fraggle
source address equals the destination address              Land attack
broadcast address is the same as the source address        —
TCP SYN packets with one or more of these flags:           —
  • ACK
  • URG
  • RST
  • FIN
invalid TCP sequence number                                —
source route option is enabled                             —

You cannot force the router to accept any of these packets.

Enabling and Disabling Optional Attack Checks

You enable the Secure Router OS firewall to check for optional attacks with this command:

Syntax: ip firewall check [winnuke | syn-flood | reflexive-traffic]

Use the winnuke option to have the firewall drop TCP packets with the URG flag set. This blocks:
• the WinNuke attack
• the TCP Xmas scan
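As an added illustration (not from the manual and not the router's own code), the following Python classifier applies the mandatory checks from the table above and the optional winnuke check to constructed packet summaries; the Packet fields, the check names it returns and the sample packets are this example's own assumptions, and the stateful "invalid TCP sequence number" check is deliberately left out.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Packet:
    """Packet summary used by this example only; field names are not the router's."""
    proto: str                              # "icmp", "udp" or "tcp"
    src: str                                # source IP address
    dst: str                                # destination IP address
    ip_len_field: int                       # total length declared in the IP header
    actual_len: int                         # bytes actually received on the wire
    source_route: bool = False              # IP source-route option present
    src_is_broadcast: bool = False          # source is a broadcast address
    icmp_type: Optional[str] = None         # e.g. "echo", "timestamp"
    dst_port: Optional[int] = None
    tcp_flags: FrozenSet[str] = frozenset()

ALLOWED_ICMP = {"echo", "echo-reply", "ttl expired", "destination unreachable", "quench"}
ILLEGAL_WITH_SYN = {"ACK", "URG", "RST", "FIN"}

def mandatory_check(p: Packet) -> Optional[str]:
    """Name the always-on check the packet trips (see the table above), or None."""
    if p.ip_len_field != p.actual_len:
        return "falsified IP header (Jolt/Jolt2)"
    if p.source_route:
        return "source route option enabled"
    if p.src == p.dst:
        return "source equals destination (Land)"
    if p.src_is_broadcast:
        return "broadcast source address"
    if p.proto == "icmp" and p.icmp_type not in ALLOWED_ICMP:
        return "ICMP type not in allow-list (Twinge)"
    if p.proto == "udp" and p.dst_port == 7:            # UDP port 7 is the echo service
        return "UDP echo (Chargen/Fraggle)"
    if p.proto == "tcp" and "SYN" in p.tcp_flags and p.tcp_flags & ILLEGAL_WITH_SYN:
        return "SYN with illegal flags"
    return None  # 'invalid TCP sequence number' needs connection state; not modelled

def optional_check(p: Packet, enabled: FrozenSet[str]) -> Optional[str]:
    """Checks that run only when enabled with 'ip firewall check <option>'."""
    if "winnuke" in enabled and p.proto == "tcp" and "URG" in p.tcp_flags:
        return "URG flag set (WinNuke / TCP Xmas scan)"
    return None

def verdict(p: Packet, enabled: FrozenSet[str] = frozenset()) -> str:
    """'drop: <reason>' or 'pass'; mandatory checks apply regardless of options."""
    reason = mandatory_check(p) or optional_check(p, enabled)
    return f"drop: {reason}" if reason else "pass"

# Constructed samples: a Land packet and an Xmas probe (URG+PSH+FIN, no SYN bit).
LAND = Packet("tcp", "10.0.0.5", "10.0.0.5", 40, 40, tcp_flags=frozenset({"SYN"}))
XMAS = Packet("tcp", "10.0.0.9", "10.0.0.5", 40, 40, tcp_flags=frozenset({"URG", "PSH", "FIN"}))
```

The Xmas probe carries no SYN bit, so none of the mandatory checks catch it; it is dropped only once the winnuke option is enabled, which is why the manual lists it under that option.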