[j-nsp] Sylog port filtering

Julian Eccli je at juniper.net
Thu Apr 10 20:36:19 EDT 2003


Hendro,

Put term 12 before term 9 and see if it works as expected.

Right now you "count" and "accept" everything with term 9 since it matches all udp traffic before it even gets to term 12.  The order of your terms matters.

I assume you also want to police UDP traffic, so you should add "policer udp-250k" in the then clause in term 9 for this action to take effect.


-Julian

**************************
Julian Eccli, JNCIE-M #32
Juniper Networks, JTAC
www.juniper.net
**************************
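To make the ordering point concrete, here is a small first-match model of a JunOS filter (example code added here, not from the thread or from Juniper). Term names, match conditions and actions are taken from Hendro's posted config; the packets are constructed samples, and the model only tracks whether the matched term references a policer, not the rate limiting itself.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

TERMINATING = ("accept", "discard", "reject")


@dataclass
class Term:
    """One filter term: match conditions plus its 'then' actions."""
    name: str
    protocol: Optional[str] = None   # e.g. "udp"; None matches any protocol
    dst_port: Optional[int] = None   # e.g. 514 (syslog); None matches any port
    actions: Tuple[str, ...] = ()    # e.g. ("count", "policer", "accept")

    def matches(self, pkt: dict) -> bool:
        return ((self.protocol is None or pkt["protocol"] == self.protocol)
                and (self.dst_port is None or pkt["dst_port"] == self.dst_port))


def evaluate(terms, pkt: dict):
    """Walk the terms in order; the first match decides the packet's fate.

    Returns (term name, verdict, policed). A matched term with no terminating
    action accepts the packet; a packet matching no term is discarded (the
    filter's implicit final discard).
    """
    for t in terms:
        if t.matches(pkt):
            verdict = next((a for a in t.actions if a in TERMINATING), "accept")
            return t.name, verdict, "policer" in t.actions
    return None, "discard", False


# Terms as Hendro posted them (term 9 only counts, it never invokes the policer).
TERM9 = Term("term 9", protocol="udp", actions=("count", "accept"))
TERM12 = Term("term 12", protocol="udp", dst_port=514, actions=("reject",))
# Term 9 with "policer udp-250k" added to the then clause, per the advice above.
TERM9_POLICED = Term("term 9", protocol="udp", actions=("count", "policer", "accept"))

# Constructed sample packets (not captured traffic).
SYSLOG_PKT = {"protocol": "udp", "dst_port": 514}
DNS_PKT = {"protocol": "udp", "dst_port": 53}


def as_posted(pkt: dict):
    """Original order: term 9 sees every UDP packet before term 12 can."""
    return evaluate([TERM9, TERM12], pkt)


def reordered(pkt: dict):
    """Term 12 first, then the policed catch-all UDP term."""
    return evaluate([TERM12, TERM9_POLICED], pkt)
```

Running `as_posted(SYSLOG_PKT)` shows syslog being accepted by term 9, which is exactly what the nmap scan reported, while `reordered(SYSLOG_PKT)` returns the reject from term 12 and other UDP now passes through the policer.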

> -----Original Message-----
> From: hhadiwinoto at hotpop.com [mailto:hhadiwinoto at hotpop.com]
> Sent: Thursday, April 10, 2003 7:15 PM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] Sylog port filtering
> 
> 
> Hi all,
> 
> In regard to blocking the syslog (514)/udp port to prevent a
> syslog-flood attack, I did some filtering on my m-series as below,
> 
> 
> Configure firewall filtering 
> ============================
> firewall {
>     policer udp-250k {
>         if-exceeding {
>             bandwidth-limit 250k;
>             burst-size-limit 25k;
>         }
>         then discard;
>     }
>     filter inbound-filter {
>         term 9 {
>             from {
>                 protocol udp;
>             }
>             then {
>                 count policer-udp-250k;
>                 accept;
>             }
>         }
>         term 12 {
>             from {
>                 protocol udp;
>                 destination-port syslog;
>             }
>             then {
>                 reject;
>             }
>         }
>     }
> }
> 
> Apply in specific interface
> ==========================
> ds3-0/2/0 {
>         unit 0 {
>             family inet {
>                 filter {
>                     input inbound-filter;
>                 }
>                 address x.y.z.250/30;
>             }
>         }
>     }
> }
> 
> After I applied this filter, I port-scanned my router using nmap-3.20
> and found...
> 
> 
> C:\boljug\nmap\nmap-3.20>nmap -sU x.y.z.250
> 
> Starting nmap 3.20 ( www.insecure.org/nmap ) at 2003-04-09 
> 01:29 SE Asia
> Standard Time
> Interesting ports on x.y.z.250:
> (The 1469 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 514/udp    open        syslog 
> Nmap run completed -- 1 IP address (1 host up) scanned in 
> 31.516 seconds
> 
> I'm really not sure what's wrong with my m-series, or whether nmap is using a
> stealth-probe technique so it can bypass the firewall filtering, or whether I
> need to apply this filter on my RE? Please advise.
> In addition, I use Junos 5.6R1.
> 
> 
> Any help/comments really appreciated.
> 
> 
> Regards
> Hendro
> 
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
> 