You can also use emb_lim with the static command on PIX or ASA:
Specifies the maximum number of embryonic connections per host. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. Set a small value for slower systems, and a higher value for faster systems. The default is 0, which means unlimited embryonic connections.
The embryonic connection limit lets you prevent a type of attack where processes are started without being completed. When the embryonic limit is surpassed, the TCP intercept feature intercepts TCP synchronization (SYN) packets from clients to servers on a higher security level. The software establishes a connection with the client on behalf of the destination server, and if successful, establishes the connection with the server on behalf of the client and combines the two half-connections together transparently. Thus, connection attempts from unreachable hosts never reach the server. The PIX firewall accomplishes TCP intercept functionality using SYN cookies.
Note: This option does not apply to outside NAT. The TCP intercept feature applies only to hosts or servers on a higher security level. If you set the embryonic limit for outside NAT, the embryonic limit is ignored.
How the static command works with emb_lim:
For static NAT:
static (real_ifc,mapped_ifc) {mapped_ip | interface} {real_ip [netmask mask] | access-list access_list_name} [dns] [[tcp] max_conns [emb_lim]] [udp udp_max_conns] [norandomseq [nailed]]
no static (real_ifc,mapped_ifc) {mapped_ip | interface} {real_ip [netmask mask] | access-list access_list_name} [dns] [[tcp] max_conns [emb_lim]] [udp udp_max_conns] [norandomseq [nailed]]
For static PAT:
static (real_ifc,mapped_ifc) {tcp | udp} {mapped_ip | interface} mapped_port {real_ip real_port [netmask mask] | access-list access_list_name} [[tcp] max_conns [emb_lim]] [udp udp_max_conns] [norandomseq [nailed]]
no static (real_ifc,mapped_ifc) {tcp | udp} {mapped_ip | interface} mapped_port {real_ip real_port [netmask mask] | access-list access_list_name} [[tcp] max_conns [emb_lim]] [udp udp_max_conns] [norandomseq [nailed]]
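The behaviour described above (an embryonic limit that, once reached, makes the firewall answer SYNs itself with a SYN cookie) can be modelled in a few lines. This is an added example, not code from the post or from Cisco: the names `Intercept`, `cookie` and `demo`, the addresses and the secret are constructed, and the cookie is simplified (real SYN cookies also encode values such as the MSS).

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed; a real device uses a random secret

def cookie(src, sport, dst, dport, slot):
    """32-bit SYN-ACK sequence number derived from the flow; nothing is stored."""
    msg = f"{src}:{sport}>{dst}:{dport}@{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

class Intercept:
    """Toy model of a per-host embryonic limit (emb_lim) with TCP intercept."""

    def __init__(self, emb_lim):
        self.emb_lim = emb_lim      # 0 = unlimited, matching the documented default
        self.embryonic = {}         # server IP -> set of half-open flows
        self.seen_by_server = []    # flows that actually reached the server

    def on_syn(self, src, sport, dst, dport, slot):
        flows = self.embryonic.setdefault(dst, set())
        if self.emb_lim == 0 or len(flows) < self.emb_lim:
            flows.add((src, sport, dport))
            self.seen_by_server.append((src, sport))
            return ("forwarded", None)
        # Limit reached: answer on the server's behalf, keeping no state.
        return ("syn-ack", cookie(src, sport, dst, dport, slot))

    def on_ack(self, src, sport, dst, dport, ack, slot):
        flows = self.embryonic.get(dst, set())
        if (src, sport, dport) in flows:
            flows.discard((src, sport, dport))   # normal handshake finished
            return "established"
        for s in (slot, slot - 1):               # tolerate one slot rollover
            if ack == (cookie(src, sport, dst, dport, s) + 1) % 2**32:
                self.seen_by_server.append((src, sport))
                return "established-via-intercept"
        return "dropped"

def demo():
    fw, server = Intercept(emb_lim=3), "10.1.1.10"   # constructed addresses
    # Ten SYNs from sources that never answer (constructed, TEST-NET-2).
    verdicts = [fw.on_syn(f"198.51.100.{i}", 40000 + i, server, 80, slot=7)[0]
                for i in range(10)]
    # A reachable client arrives during the flood and completes the handshake.
    kind, isn = fw.on_syn("203.0.113.7", 51515, server, 80, slot=7)
    good = fw.on_ack("203.0.113.7", 51515, server, 80, (isn + 1) % 2**32, slot=8)
    bad = fw.on_ack("198.51.100.9", 40009, server, 80, 12345, slot=8)
    return verdicts.count("forwarded"), kind, good, bad, len(fw.seen_by_server)
```

With `emb_lim=3`, only the first three unanswered SYNs and the one client that completed the handshake reach the server; the remaining seven never do.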