[j-nsp] Block port 0 traffic
Randy Bush
randy at psg.com
Thu Oct 21 01:21:07 EDT 2004
side discussion on whether
term port-zero {
    from {
        protocol [ tcp udp ];
        port 0;
    }
    then {
        sample;
        discard;
    }
}
should have a first-fragment clause added to the from{}.
some of the discussion is as follows
> and would that not just drop the first frag and let the rest of
> the fragmented chunk through?
(I believe to be the case) Currently your acl/filter will only
drop the fragmented chunks and permit in the initial fragment
(which has the ports). This will either be 'bad' and cause you
to have lots and lots of reassembly timeouts, or will at least
stop some 'oddball' udp/tcp based exploit on your RE :)
randy
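For reference, this is what the term looks like with the first-fragment clause the thread is debating, written out as an added example in a complete filter stanza; it is not configuration from Randy or anyone else in the thread. The filter name (protect-re), the count action, the trailing accept term and the lo0 application are assumptions supplied to make the fragment complete. In Junos, first-fragment matches packets whose fragment offset is zero, i.e. the packets that actually carry the TCP/UDP header and therefore the port numbers; trailing fragments, which have no port fields, no longer fall into the term, so the reassembly-timeout behaviour described above does not occur.

```junos
firewall {
    family inet {
        /* filter name is an assumption */
        filter protect-re {
            term port-zero {
                from {
                    protocol [ tcp udp ];
                    /* only packets with fragment offset 0 carry the L4 header */
                    first-fragment;
                    port 0;
                }
                then {
                    count port-zero-hits;   /* assumed counter name */
                    sample;
                    discard;
                }
            }
            /* assumed final term so the filter does not discard everything else */
            term default {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    /* assumed placement: protecting the RE via the loopback filter */
                    input protect-re;
                }
            }
        }
    }
}
```

Without the first-fragment line, the term is evaluated against every fragment; the trailing ones have no port fields, so whether they match port 0 depends on the platform's fragment handling, which is exactly the ambiguity the thread is discussing. The count action is a cheap way to confirm on a live box that the term is hitting only what you expect before trusting the discard.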