[j-nsp] filter on TCP seqnum

Erik Bos erik at xs4all.net
Wed Jun 23 13:13:07 EDT 2004


On Tue, Jun 22, 2004 at 10:24:03AM -0700, Paul Goyette wrote:
> I've just checked with our engineering folks, and the answer is....
> 
> 
> We cannot do this today.  (I was wrong earlier.)
> 
> It would not be difficult to extend one of the existing Application
> Layer Gateways to provide generic packet inspection and matching.
> But the work has not been done, and although it is on the list of
> things to do, it is not at the top of the list because there has
> been little or no customer demand.  Note that Customer Demand needs
> to be funnelled through Juniper's Enhancement Request process, and
> that means dealing with your Juniper Sales team.  Requests voiced
> on forums such as this list are heard, but carry little weight in 
> the feature development prioritization process.
> 

About TCP filtering and Customer Demand/Enhancement Request processes ;-)
JUNOS doesn't seem to support IPv6 tcp flag filtering at the moment (using
tcp-established as part of a family inet6 filter term).

Is this already on the todolist/roadmap or should I ask our Juniper rep
about this?

> -----Original Message-----
> From: Richard A Steenbergen [mailto:ras at e-gerbil.net]
> Sent: Tuesday, June 22, 2004 10:15 AM
> To: Paul Goyette
> Cc: Jeff Wheeler; juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] filter on TCP seqnum
> 
> 
> On Tue, Jun 22, 2004 at 09:50:50AM -0700, Paul Goyette wrote:
> > I am by no means an expert on the configuration of the module.
> > 
> > The documentation should be of some help, or our JTAC folks can
> > help you set up the appropriate "service-set".
> 
> I just took a good skim through the documentation and couldn't find
> anything more on-topic than stateful firewalling, automatic anomaly 
> checking, and syn cookies through the IDS service (does anyone have any 
> performance numbers on exactly how big a flood this will combat btw?)
> 
> If anyone does find a way to make an AS pic do simple byte-match filtering
> on packet header fields not covered by basic firewall commands, I think
> we'd all like to know about it. :)
> 
> -- 
> Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
> 