[j-nsp] Syslog port filtering
hhadiwinoto at hotpop.com
Thu Apr 10 23:15:20 EDT 2003
Hi all,
Regarding blocking the syslog port (514/udp) to prevent a syslog-flood attack, I
did some filtering on my M-series as below:
Configure firewall filtering
============================
firewall {
    policer udp-250k {
        if-exceeding {
            bandwidth-limit 250k;
            burst-size-limit 25k;
        }
        then discard;
    }
    filter inbound-filter {
        term 9 {
            from {
                protocol udp;
            }
            then {
                count policer-udp-250k;
                accept;
            }
        }
        term 12 {
            from {
                protocol udp;
                destination-port syslog;
            }
            then {
                reject;
            }
        }
    }
}
Apply in specific interface
==========================
ds3-0/2/0 {
    unit 0 {
        family inet {
            filter {
                input inbound-filter;
            }
            address x.y.z.250/30;
        }
    }
}
After I applied this filter, I port-scanned my router using nmap-3.20
and found...
C:\boljug\nmap\nmap-3.20>nmap -sU x.y.z.250
Starting nmap 3.20 ( www.insecure.org/nmap ) at 2003-04-09 01:29 SE Asia Standard Time
Interesting ports on x.y.z.250:
(The 1469 ports scanned but not shown below are in state: closed)
Port State Service
514/udp open syslog
Nmap run completed -- 1 IP address (1 host up) scanned in 31.516 seconds
I'm really not sure what's wrong with my M-series, or whether nmap uses a stealth
probe technique so it can bypass the firewall filtering, or whether I need to apply
this filter on my RE? Please advise.
In addition, I use JUNOS 5.6R1.
Any help/comments really appreciated.
Regards
Hendro
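Editor's note (added example, not part of Hendro's post or of any reply in the thread). JUNOS firewall filters evaluate terms in configuration order and the first term whose "from" conditions match decides the packet's fate. In the filter as posted, term 9 matches every UDP packet and accepts it, so a syslog packet is accepted there and term 12 is never consulted; the observed nmap result is consistent with that. Two smaller points: the "then" action that applies a policer is the keyword "policer <name>", whereas "count <name>" only increments a named counter (so "count policer-udp-250k" creates a counter and applies no policer at all, and the name does not even match the policer "udp-250k"); and a filter applied to a transit interface such as ds3-0/2/0 does nothing for packets that arrive on another interface, so protecting the Routing Engine itself means applying the filter to lo0 as well. The corrected fragment below reorders the terms, applies the policer with the right keyword, and adds the lo0 binding. The term numbering in the original (9 and 12) suggests other terms were elided; this example assumes only these terms exist and therefore adds an explicit final accept, because a JUNOS filter ends with an implicit discard. The term names, counter name and the choice of "discard" over "reject" are this note's own, not the poster's.

```junos
firewall {
    policer udp-250k {
        if-exceeding {
            bandwidth-limit 250k;
            burst-size-limit 25k;
        }
        then discard;
    }
    filter inbound-filter {
        /* Most specific term first: syslog is matched and dropped here,
           before the catch-all UDP term below can accept it. */
        term block-syslog {
            from {
                protocol udp;
                destination-port syslog;
            }
            then {
                count syslog-dropped;   /* counter name is an assumption */
                discard;                /* silent drop: no ICMP work for a flood */
            }
        }
        /* Remaining UDP is rate-limited by the policer. The keyword is
           'policer', not 'count'; 'count' only names a counter. */
        term police-udp {
            from {
                protocol udp;
            }
            then {
                policer udp-250k;
                accept;
            }
        }
        /* Assumed final term: without it, everything that is not UDP
           would hit the implicit discard at the end of the filter. */
        term allow-rest {
            then accept;
        }
    }
}
interfaces {
    /* Transit interface from the original post (address elided). */
    ds3-0/2/0 {
        unit 0 {
            family inet {
                filter {
                    input inbound-filter;
                }
            }
        }
    }
    /* Binding the filter to lo0 is what protects the Routing Engine,
       whichever physical interface the packets arrive on. */
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input inbound-filter;
                }
            }
        }
    }
}
```

One caveat on verifying with nmap: a UDP scan decides a port is "open" when no reply comes back, so a silently discarded port looks the same as a listening one (the posted "reject" would instead produce an ICMP unreachable and show as closed). A more reliable check is to send a few test packets to 514/udp and watch the term's counter with "show firewall filter inbound-filter" on the router.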