AW: [j-nsp] Sylog port filtering

Struck, Olaf Olaf.Struck at lambdanet.net
Fri Apr 11 09:32:04 EDT 2003


Hi Hendro,

the term9 which rejects syslog has to occur before term12 in your firewall
filter.

/Olaf

-----Ursprüngliche Nachricht-----
Von: hhadiwinoto at hotpop.com [mailto:hhadiwinoto at hotpop.com]
Gesendet: Freitag, 11. April 2003 04:15
An: juniper-nsp at puck.nether.net
Betreff: [j-nsp] Sylog port filtering


Hi all,

In regards to block sylog(514)/udp port to prevent sylog-flood attack, I
did some filtering on my m-series as below,


Configure firewall filtering 
============================
firewall {
    policer udp-250k {
        if-exceeding {
            bandwidth-limit 250k;
            burst-size-limit 25k;
        }
        then discard;
    filter inbound-filter {
        term 9 {
            from {
                protocol udp;
            }
            then {
                count policer-udp-250k;
                accept;
            }
        }
        term 12 {
            from {
                protocol udp;
                destination-port syslog;
            }
            then {
                reject;
            }
        }

Apply in specific interface
==========================
ds3-0/2/0 {
        unit 0 {
            family inet {
                filter {
                    input inbound-filter;
                }
                address x.y.z.250/30;
            }
        }
    

after I applied this filter, I did port-scan my router  by using nmap-3.20
and found...


C:\boljug\nmap\nmap-3.20>nmap -sU x.y.z.250

Starting nmap 3.20 ( www.insecure.org/nmap ) at 2003-04-09 01:29 SE Asia
Standard Time
Interesting ports on x.y.z.250:
(The 1469 ports scanned but not shown below are in state: closed)
Port       State       Service
514/udp    open        syslog 
Nmap run completed -- 1 IP address (1 host up) scanned in 31.516 seconds

I m really not sure whats wrong with my m-series or nmap using stealth
probes-technique so it can bypass the firewall filtering or need to apply
this filter on my RE ? Please advise.
As addition I use Junos 5.6R1.


Any helps/comments really apreciated.


Regards
Hendro


--------------------------------------------------------------------
mail2web - Check your email from the web at
http://mail2web.com/ .



_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/juniper-nsp



More information about the juniper-nsp mailing list