Re: [j-nsp] Syslog port filtering

Struck, Olaf Olaf.Struck at
Fri Apr 11 09:32:04 EDT 2003

Hi Hendro,

The term 9 which rejects syslog has to occur before term 12 in your firewall.


-----Original Message-----
From: hhadiwinoto at [mailto:hhadiwinoto at]
Sent: Friday, April 11, 2003 04:15
To: juniper-nsp at
Subject: [j-nsp] Syslog port filtering

Hi all,

In regard to blocking the syslog port (514/udp) to prevent a syslog-flood attack, I
did some filtering on my M-series as below:

Configure firewall filtering (as posted; braces balanced and comments added)
firewall {
    policer udp-250k {
        if-exceeding {
            bandwidth-limit 250k;
            burst-size-limit 25k;
        }
        then discard;
    }
    filter inbound-filter {
        /* term 9 matches every UDP packet; its then clause has no terminating
           action, so matching packets are counted and implicitly accepted */
        term 9 {
            from {
                protocol udp;
            }
            then {
                count policer-udp-250k;
            }
        }
        /* term 12 is only reached by packets that term 9 did not match */
        term 12 {
            from {
                protocol udp;
                destination-port syslog;
            }
            then {
                /* action cut off in the original post */
            }
        }
    }
}

Apply on the specific interface (as posted)
ds3-0/2/0 {
    unit 0 {
        family inet {
            filter {
                input inbound-filter;
            }
            address x.y.z.250/30;
        }
    }
}

After I applied this filter, I port-scanned my router using nmap-3.20
and found...

C:\boljug\nmap\nmap-3.20>nmap -sU x.y.z.250

Starting nmap 3.20 ( ) at 2003-04-09 01:29 SE Asia
Standard Time
Interesting ports on x.y.z.250:
(The 1469 ports scanned but not shown below are in state: closed)
Port       State       Service
514/udp    open        syslog 
Nmap run completed -- 1 IP address (1 host up) scanned in 31.516 seconds

I'm really not sure what's wrong with my M-series, or whether nmap is using a
stealth-probe technique so it can bypass the firewall filtering, or whether I need to
apply this filter on my RE? Please advise.
In addition, I use Junos 5.6R1.

Any help/comments really appreciated.
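Added example (not code from either poster): a small Python model of Junos first-match term evaluation, used to show why the quoted inbound-filter still lets UDP/514 through and what the reordering in the reply changes. It assumes the documented Junos semantics (first matching term decides; a then clause with only count/policer actions implicitly accepts; no match means discard) and assumes term 12's cut-off action was discard.

```python
# Added example: model of Junos firewall-filter term evaluation.
# Assumed semantics: terms are evaluated in configured order, the first term
# whose 'from' conditions all match decides the packet, a 'then' holding only
# count/policer actions implicitly accepts, and an unmatched packet is discarded.
from dataclasses import dataclass, field


@dataclass
class Term:
    name: str
    match: dict = field(default_factory=dict)   # e.g. {"protocol": "udp"}
    action: str = "accept"                       # accept | discard | reject
    non_terminating: tuple = ()                  # count / policer names applied


def evaluate(terms, packet):
    """Return (term_name, action, non_terminating_actions) for `packet`.

    `packet` is a dict such as {"protocol": "udp", "destination-port": 514}.
    A term with an empty `match` matches everything (no 'from' clause).
    """
    for term in terms:
        if all(packet.get(k) == v for k, v in term.match.items()):
            return term.name, term.action, list(term.non_terminating)
    return None, "discard", []        # implicit final discard


# Constructed from the quoted config: term 9 (all UDP, count only, so implicit
# accept) precedes term 12 (UDP/514). Term 12's action is assumed to be discard.
AS_POSTED = [
    Term("9", {"protocol": "udp"}, "accept", ("policer-udp-250k",)),
    Term("12", {"protocol": "udp", "destination-port": 514}, "discard"),
]
REORDERED = [AS_POSTED[1], AS_POSTED[0]]     # syslog term first, as the reply suggests

SYSLOG_PROBE = {"protocol": "udp", "destination-port": 514}   # constructed
SNMP_PROBE = {"protocol": "udp", "destination-port": 161}     # constructed

if __name__ == "__main__":
    for label, terms in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(label, "udp/514 ->", evaluate(terms, SYSLOG_PROBE))
        print(label, "udp/161 ->", evaluate(terms, SNMP_PROBE))
```

With the posted order every UDP probe, syslog included, is decided by term 9 and accepted, which matches nmap reporting 514/udp open; with the syslog term first, UDP/514 is discarded while other UDP still reaches the counting term.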


