[j-nsp] Block port 0 traffic
Richard A Steenbergen
ras at e-gerbil.net
Wed Oct 13 12:32:29 EDT 2004
On Wed, Oct 13, 2004 at 06:53:19PM +0800, Wei Keong wrote:
> Hi,
>
> We observe quite a bit of traffic surge, from src port 0 to dst port 0.
> We tried to use the filter below, but the traffic is still able to pass
> through. Has anyone seen the same attack lately? Is there a bug in Junos
> 5.6?
>
> term deny-port-zero {
>     from {
>         protocol [ tcp udp ];
>         source-port 0;
>         destination-port 0;
>     }
>     then {
>         count deny-port-zero;
>         sample;
>         discard;
>     }
> }
You aren't actually seeing port 0 traffic, you're seeing fragmented IP
packets without a L4 header, which shows up as src/dst port 0 in "show
firewall log" and such. Common question, it might be helpful to put some
indicator so users can tell the difference.
--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
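Added example, not part of the thread: a small IPv4 parser that shows why a non-first fragment has no TCP/UDP header and therefore turns up as src/dst port 0 in a port-based firewall log, while a genuine port-0 packet can be told apart. The UDP fragments it runs on are constructed inline; the builder and the packet contents are assumptions for illustration.

```python
import struct

def build_ipv4(proto: int, frag_offset: int, more_fragments: bool, payload: bytes) -> bytes:
    """Constructed test data: minimal 20-byte IPv4 header (no options, zero checksum)."""
    flags_frag = ((1 if more_fragments else 0) << 13) | ((frag_offset // 8) & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                         64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 header; read ports only where an L4 header can exist."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tot, _id, flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    frag_offset = (flags_frag & 0x1FFF) * 8      # offset is stored in 8-byte units
    more_fragments = bool(flags_frag & 0x2000)   # MF flag
    # Only the first fragment (offset 0) of a TCP/UDP packet carries the port pair;
    # every later fragment starts with payload bytes, so there is nothing to read.
    has_l4 = frag_offset == 0 and proto in (6, 17) and len(pkt) >= ihl + 4
    src_port = dst_port = 0                      # what a port-based log shows for fragments
    if has_l4:
        src_port, dst_port = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"proto": proto, "frag_offset": frag_offset, "more_fragments": more_fragments,
            "has_l4": has_l4, "src_port": src_port, "dst_port": dst_port}

def classify(pkt: bytes) -> str:
    """Label a packet the way an operator would want the log to: fragment vs real port 0."""
    p = parse_ipv4(pkt)
    if p["proto"] not in (6, 17):
        return "not-tcp-udp"
    if p["frag_offset"] > 0:
        return "non-first-fragment"
    if p["src_port"] == 0 and p["dst_port"] == 0:
        return "genuine-port-0"
    return "ports-present"

# Constructed sample: a UDP datagram (53 -> 33000) split into two fragments.
UDP_HDR = struct.pack("!HHHH", 53, 33000, 8 + 1480 + 16, 0)
FIRST_FRAGMENT = build_ipv4(17, 0, True, UDP_HDR + b"\x00" * 16)
SECOND_FRAGMENT = build_ipv4(17, 1480, False, b"\x00" * 16)

if __name__ == "__main__":
    for name, pkt in (("first", FIRST_FRAGMENT), ("second", SECOND_FRAGMENT)):
        print(name, parse_ipv4(pkt), classify(pkt))
```

A filter term matching `source-port 0` / `destination-port 0` only ever sees the first case above, which is why the term in the quoted config counts nothing for the fragments.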