[j-nsp] Block port 0 traffic

Richard A Steenbergen ras at e-gerbil.net
Wed Oct 13 15:04:12 EDT 2004

On Wed, Oct 13, 2004 at 11:39:37AM -0700, Eli Dart wrote:
> In reply to Richard A Steenbergen <ras at e-gerbil.net> :
> > 
> > You aren't actually seeing port 0 traffic, you're seeing fragmented IP 
> > packets without a L4 header, which shows up as src/dst port 0 in "show 
> > firewall log" and such. Common question, it might be helpful to put some 
> > indicator so users can tell the difference.
> This can be a bit of a problem if you are filtering based on layer-4 
> port.  Apparently Junipers match the bit offsets for layer-4 ports 
> against IP fragments -- so, if you are blocking a given port you can 
> blow away portions of legitimate fragmented IP packets, if the data 
> in the packet happens to match whatever port you are blocking.
> The way around this is to allow frags that are not the first frag 
> through before your port blocks.

IIRC the documentation states that layer 4 information like ports are 
matched against by offset without checking for protocol, thus you are 
encouraged to remember to include "from protocol [ tcp udp ]" and/or 
is-fragment in your firewall terms.

The not so well known corollary is that ports will show up as 0 on a 
non-initial fragment, with no other indication to the confused end user 
that this is a fragment vs a packet with ports 0 configured (other than 
the mysterious non-matching filter of course :P).

Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

More information about the juniper-nsp mailing list