
firewall defend ip-fragment enable

Function

The firewall defend ip-fragment enable command enables the IP fragment attack defense.

The undo firewall defend ip-fragment enable command disables the IP fragment attack defense.

Format

firewall defend ip-fragment enable

undo firewall defend ip-fragment enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

By default, the IP fragment attack defense is disabled.

After IP fragment attack defense is enabled, the FW discards a packet and logs the attack in any of the following cases:
  • The DF and MF flag bits are both 1.
  • The DF flag bit is 1, and the fragment offset exceeds 0 bytes.
  • The DF flag bit is 0, and the total of the fragment offset and the length fields exceeds 65535 bytes.
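
The three discard conditions above, expressed as a check on a raw IPv4 header. This is an added example, not Huawei code: it assumes the fragment offset is converted from 8-byte units to bytes and that "the length fields" means the IPv4 Total Length field, and the function names and sample headers are constructed for illustration.

```python
import struct
from typing import Optional

DF = 0x4000           # Don't Fragment bit in the 16-bit flags/offset word
MF = 0x2000           # More Fragments bit
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, counted in 8-byte units


def classify_fragment(header: bytes) -> Optional[str]:
    """Return which of the three cases an IPv4 header matches, or None."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    total_length, _ident, flags_offset = struct.unpack("!HHH", header[2:8])
    df = bool(flags_offset & DF)
    mf = bool(flags_offset & MF)
    offset_bytes = (flags_offset & OFFSET_MASK) * 8
    if df and mf:
        return "DF and MF both set"
    if df and offset_bytes > 0:
        return "DF set with non-zero fragment offset"
    # Assumption: "length" is the Total Length field of this fragment.
    if not df and offset_bytes + total_length > 65535:
        return "offset plus length exceeds 65535"
    return None


def build_header(total_length: int, df: bool, mf: bool, offset_units: int) -> bytes:
    """Build a constructed 20-byte IPv4 header (checksum left at 0) as test input."""
    flags_offset = (DF if df else 0) | (MF if mf else 0) | (offset_units & OFFSET_MASK)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234, flags_offset,
                       64, 17, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))


if __name__ == "__main__":
    # Constructed samples: (total length, DF, MF, offset in 8-byte units)
    samples = [(1500, False, True, 0), (1500, True, True, 0),
               (1500, True, False, 185), (1500, False, False, 8191)]
    for sample in samples:
        verdict = classify_fragment(build_header(*sample))
        print(sample, "->", verdict or "pass")
```
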

Example

# Enable the IP fragment attack defense.

<sysname> system-view
[sysname] firewall defend ip-fragment enable
Copyright © Huawei Technologies Co., Ltd.