[j-nsp] Block port 0 traffic
Richard A Steenbergen
ras at e-gerbil.net
Wed Oct 13 15:04:12 EDT 2004
On Wed, Oct 13, 2004 at 11:39:37AM -0700, Eli Dart wrote:
>
> In reply to Richard A Steenbergen <ras at e-gerbil.net> :
> >
> > You aren't actually seeing port 0 traffic, you're seeing fragmented IP
> > packets without a L4 header, which shows up as src/dst port 0 in "show
> > firewall log" and such. Common question, it might be helpful to put some
> > indicator so users can tell the difference.
>
> This can be a bit of a problem if you are filtering based on layer-4
> port. Apparently Junipers match the bit offsets for layer-4 ports
> against IP fragments -- so, if you are blocking a given port you can
> blow away portions of legitimate fragmented IP packets, if the data
> in the packet happens to match whatever port you are blocking.
>
> The way around this is to allow frags that are not the first frag
> through before your port blocks.
IIRC the documentation states that layer-4 information like ports is
matched by offset without checking for protocol, thus you are
encouraged to remember to include "from protocol [ tcp udp ]" and/or
is-fragment in your firewall terms.
The not so well known corollary is that ports will show up as 0 on a
non-initial fragment, with no other indication to the confused end user
that this is a fragment vs a packet with ports 0 configured (other than
the mysterious non-matching filter of course :P).
--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
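As an added illustration (not configuration from either poster), here is a Junos firewall filter written the way the thread recommends: non-initial fragments are accepted in a term placed before any port-based term, and the port-blocking term is qualified with "from protocol [ tcp udp ]". The filter name, counter name and the blocked port are placeholders.

```junos
firewall {
    family inet {
        filter block-port-example {
            /* Non-initial fragments carry no L4 header; the port match is
               done by byte offset, so without this term a trailing fragment
               whose payload bytes happen to equal the blocked port would be
               discarded. is-fragment matches only trailing fragments. */
            term allow-non-initial-frags {
                from {
                    is-fragment;
                }
                then accept;
            }
            /* Placeholder port; qualify with protocol so the offset match
               is only applied to packets that actually carry TCP/UDP ports. */
            term block-port {
                from {
                    protocol [ tcp udp ];
                    destination-port 12345;
                }
                then {
                    count blocked-port-hits;
                    discard;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
```

The first fragment of a datagram still carries the L4 header and still reaches the port term, so the block is not weakened for the traffic it was written for; only the trailing fragments, which would otherwise log as port 0, are passed untouched.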