[j-nsp] Block port 0 traffic

Eli Dart dart at nersc.gov
Wed Oct 13 14:39:37 EDT 2004


In reply to Richard A Steenbergen <ras at e-gerbil.net> :


> 
> You aren't actually seeing port 0 traffic, you're seeing fragmented IP 
> packets without a L4 header, which shows up as src/dst port 0 in "show 
> firewall log" and such. Common question, it might be helpful to put some 
> indicator so users can tell the difference.

This can be a bit of a problem if you are filtering based on layer-4 
port.  Apparently Junipers match the bit offsets for layer-4 ports 
against IP fragments -- so, if you are blocking a given port you can 
blow away portions of legitimate fragmented IP packets, if the data 
in the packet happens to match whatever port you are blocking.

The way around this is to allow frags that are not the first frag 
through before your port blocks.

		--eli


> 
> -- 
> Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
> 
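As an added example (not from the thread), the workaround Eli describes written out in Junos firewall-filter syntax: a naive filter whose port match also gets applied to the leading bytes of non-first fragments, next to one that accepts non-first fragments before the port term. The filter names, counter name and the blocked port (UDP/69) are made-up values for illustration.

```junos
firewall {
    family inet {
        /* Naive version: the destination-port match is evaluated against
           every packet, including non-first fragments, which carry no UDP
           header. Whatever payload bytes sit at the port offset decide the
           match, so legitimate fragments can be discarded at random. */
        filter port-block-naive {
            term block-udp-69 {
                from {
                    protocol udp;
                    destination-port 69;
                }
                then discard;
            }
            term default {
                then accept;
            }
        }
        /* Fragment-safe version: let non-first fragments (fragment offset
           not zero) through before any term that looks at layer-4 ports.
           The first fragment still carries the UDP header and is still
           subject to the port block below. */
        filter port-block-fragment-safe {
            term allow-non-first-fragments {
                from {
                    is-fragment;
                }
                then accept;
            }
            term block-udp-69 {
                from {
                    protocol udp;
                    destination-port 69;
                }
                then {
                    count udp-69-discards;
                    discard;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
```

Applying the fragment-safe filter on the interface (`set interfaces ... family inet filter input port-block-fragment-safe`) replaces the naive one; the counter on the block term lets you confirm that only first fragments and unfragmented datagrams are being discarded.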



