[j-nsp] filter on TCP seqnum
Erik Bos
erik at xs4all.net
Wed Jun 23 13:13:07 EDT 2004
On Tue, Jun 22, 2004 at 10:24:03AM -0700, Paul Goyette wrote:
> I've just checked with our engineering folks, and the answer is....
>
>
> We cannot do this today. (I was wrong earlier.)
>
> It would not be difficult to extend one of the existing Application
> Layer Gateways to provide generic packet inspection and matching.
> But the work has not been done, and although it is on the list of
> things to do, it is not at the top of the list because there has
> been little or no customer demand. Note that Customer Demand needs
> to be funnelled through Juniper's Enhancement Request process, and
> that means dealing with your Juniper Sales team. Requests voiced
> on forums such as this list are heard, but carry little weight in
> the feature development prioritization process.
>
About TCP filtering and Customer Demand/Enhancement Request processes ;-)
JUNOS doesn't seem to support IPv6 TCP flag filtering at the moment (using
tcp-established as part of a family inet6 filter term).
Is this already on the to-do list/roadmap or should I ask our Juniper rep
about this?
> -----Original Message-----
> From: Richard A Steenbergen [mailto:ras at e-gerbil.net]
> Sent: Tuesday, June 22, 2004 10:15 AM
> To: Paul Goyette
> Cc: Jeff Wheeler; juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] filter on TCP seqnum
>
>
> On Tue, Jun 22, 2004 at 09:50:50AM -0700, Paul Goyette wrote:
> > I am by no means an expert on the configuration of the module.
> >
> > The documentation should be of some help, or our JTAC folks can
> > help you set up the appropriate "service-set".
>
> I just took a good skim through the documentation and couldn't find
> anything more on-topic than stateful firewalling, automatic anomaly
> checking, and syn cookies through the IDS service (does anyone have any
> performance numbers on exactly how big a flood this will combat btw?)
>
> If anyone does find a way to make an AS pic do simple byte-match filtering
> on packet headers fields not covered by basic firewall commands, I think
> we'd all like to know about it. :)
>
> --
> Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
>