Reg. blocks for database size in Frag guard of PIX
I need to enable frag guard in PIX Firewall; however, I am not understanding the concept of database size in it.
The following is mentioned in the Cisco PDF regarding the same; however, I have not understood the "block" concept:
Setting the database-limit of the size option to a large value can make the PIX Firewall more vulnerable to a DoS attack by fragment flooding. Do not set the database-limit equal to or greater than the total number of blocks in the 1550 or 16384 pool.
Also, my current setting is the default, i.e. 200. Please recommend if I should lower this value or not.
Re: Reg. blocks for database size in Frag guard of PIX
FragGuard and virtual reassembly is a feature that provides IP fragment protection. This feature performs full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the PIX Firewall. Virtual reassembly is currently enabled by default. This feature uses syslog to log any fragment overlapping and small fragment offset anomalies, especially those caused by a teardrop attack. The sysopt commands let you tune various PIX Firewall security and configuration features. In addition, you can use this command to disable the PIX Firewall IP Frag Guard feature. It is fine to use the default setting of 200 and this will work fine.
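The "blocks" in the quoted guidance are the fixed-size memory buffers listed by `show blocks` (1550-byte blocks for standard interfaces, 16384-byte blocks for Gigabit interfaces); the fragment database limit must stay strictly below the block count of the pool an interface uses. As an added example (not from the thread or from Cisco), this script parses constructed `show blocks` output and applies that check; the column layout and all numbers are assumed sample values, not real device figures.

```python
import re

# Constructed sample of PIX `show blocks` output (assumed layout:
# SIZE MAX LOW CNT). The figures are made up for this example.
SHOW_BLOCKS = """\
  SIZE    MAX    LOW    CNT
     4   1600   1599   1600
    80    400    399    400
   256    500    499    500
  1550   1252    777   1252
 16384    200    199    200
"""

def parse_show_blocks(text):
    """Return {block_size: total_blocks} from `show blocks` output.

    MAX is the total number of blocks in the pool; LOW is the lowest
    free count seen, CNT the current free count.
    """
    pools = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$", line)
        if m:
            size, total = int(m.group(1)), int(m.group(2))
            pools[size] = total
    return pools

def check_fragment_limit(limit, pool_size, pools):
    """Apply the quoted Cisco guidance for one interface.

    `limit` is the fragment database size configured for the interface,
    `pool_size` the block pool that interface draws from (1550 or 16384).
    Returns (ok, headroom): ok is False when the limit is equal to or
    greater than the pool's block count, i.e. fragment flooding could
    exhaust the whole pool and starve other traffic.
    """
    total = pools[pool_size]
    return limit < total, max(total - limit, 0)

if __name__ == "__main__":
    pools = parse_show_blocks(SHOW_BLOCKS)
    for iface, limit, pool in [("inside", 200, 1550), ("outside", 1252, 1550),
                               ("gig0", 200, 16384)]:
        ok, headroom = check_fragment_limit(limit, pool, pools)
        print(f"{iface}: fragment size {limit} vs {pool} pool -> "
              f"{'ok' if ok else 'TOO HIGH'} (headroom {headroom})")
```

On a real device, compare the `fragment size` value per interface against the MAX column of the matching pool in `show blocks`; the default of 200 passes against the constructed 1550 pool here but not against the constructed 16384 pool.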