[j-nsp] Block port 0 traffic

Chris Morrow morrowc at ops-netman.net
Thu Oct 21 16:47:48 EDT 2004


On Wed, 20 Oct 2004, Randy Bush wrote:

> side discussion on whether
>
>    term port-zero {
>        from {
>            protocol [ tcp udp ];
>            port 0;
>        }
>        then {
>            sample;
>            discard;
>        }
>    }
>
> should have a first-fragment clause added to the from{}.

For any filter on a juniper, it seems to me, that the packets after the 
'initial fragment' (in a fragmented packet stream) will have 'port 0' (or 
really 'no port', since the L4 info isn't included in the packet: no 
udp or tcp header is included, or icmp for that matter). Thus, if you 
include this filter term MINUS the 'first-fragment' term you will drop all 
subsequent fragments in the stream.

This will cause problems of an indeterminate type for the end-station(s).

I realize that the below basically says this, however I am attempting to 
rephrase it more clearly. Someone from Juniper who knows the ins/outs of 
the firewall functions might be able to answer this?

>
> some of the discussion is as follows
>
>    > and would that not just drop the first frag and let the rest of
>    > the fragmented chunk through?
>
>    (I believe to be the case) Currently your acl/filter will only
>    drop the fragmented chunks and permit in the initial fragment
>    (which has the ports).  This will either be 'bad' and cause you
>    to have lots and lots of reassembly timeouts, or will at least
>    stop some 'oddball' udp/tcp based exploit on your RE :)
>
> randy
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
>
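As an added illustration (not from the thread or from Juniper), a small Python model of why a bare 'port 0' term catches the later fragments and what a 'first-fragment' clause changes. The packet builder and the matcher's "absent port reads as 0" rule are assumptions that model the behaviour described above, not Junos code:

```python
import struct

TCP, UDP = 6, 17

def ipv4_packet(proto, frag_offset, more_frags, payload):
    """Constructed sample packet: minimal 20-byte IPv4 header, no options,
    checksum left at 0. frag_offset is in 8-byte units, as on the wire."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + payload

def l4_ports(pkt):
    """Return (proto, frag_offset, sport, dport). Ports are None on any
    non-initial fragment: only the first fragment carries the TCP/UDP header."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if frag_offset != 0 or proto not in (TCP, UDP) or len(pkt) < ihl + 4:
        return proto, frag_offset, None, None
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return proto, frag_offset, sport, dport

def term_port_zero(pkt, first_fragment_clause):
    """Emulate the thread's 'port-zero' term. Modelling assumption: a matcher
    with no L4 header to read treats the absent port as 0, which is the
    behaviour the thread is worried about. Returns 'discard' or 'accept'."""
    proto, frag_offset, sport, dport = l4_ports(pkt)
    if proto not in (TCP, UDP):
        return "accept"
    if first_fragment_clause and frag_offset != 0:
        return "accept"          # 'first-fragment' in from{}: term does not apply
    sport = 0 if sport is None else sport
    dport = 0 if dport is None else dport
    return "discard" if 0 in (sport, dport) else "accept"

# Constructed traffic: one UDP datagram split in two, plus a genuine port-0 packet.
udp_hdr = struct.pack("!HHHH", 53, 1234, 8 + 1472 + 100, 0)       # sport 53, dport 1234
FIRST_FRAG = ipv4_packet(UDP, 0, True, udp_hdr + b"A" * 1472)     # carries the UDP header
LATER_FRAG = ipv4_packet(UDP, 1480 // 8, False, b"B" * 100)       # payload only, no header
PORT_ZERO = ipv4_packet(UDP, 0, False, struct.pack("!HHHH", 0, 0, 8, 0))

def verdicts(first_fragment_clause):
    return {name: term_port_zero(p, first_fragment_clause)
            for name, p in (("first", FIRST_FRAG), ("later", LATER_FRAG), ("port0", PORT_ZERO))}

if __name__ == "__main__":
    print("without first-fragment:", verdicts(False))  # later fragment wrongly discarded
    print("with first-fragment:   ", verdicts(True))   # only the real port-0 packet discarded
```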

