[j-nsp] Block port 0 traffic
Richard A Steenbergen
ras at e-gerbil.net
Thu Oct 21 18:00:30 EDT 2004
On Thu, Oct 21, 2004 at 08:47:48PM +0000, Chris Morrow wrote:
> On Wed, 20 Oct 2004, Randy Bush wrote:
>
> >side discussion on whether
> >
> > term port-zero {
> >     from {
> >         protocol [ tcp udp ];
> >         port 0;
> >     }
> >     then {
> >         sample;
> >         discard;
> >     }
> > }
> >
> >should have a first-fragment clause added to the from{}.
>
> For any filter on a juniper, it seems to me that the packets after the
> 'initial fragment' (in a fragmented packet stream) will have 'port 0' (or
> really 'no port', since the L4 info isn't really included in the packet: no
> udp or tcp header is included, or icmp for that matter). Thus, if you
> include this filter term MINUS the 'first-fragment' term, you will drop all
> subsequent fragments in the stream.
>
> This will cause problems of an indeterminate type for the end-station(s).
>
> I realize that the below basically says this, however I am attempting to
> rephrase it more clearly. Someone from Juniper who knows the ins/outs of
> the firewall functions might be able to answer this?
The last time I tested this, matching on "port 0" alone did not pick up on
L4 header-less fragments, even though they show up in a "show firewall
log" and such as port 0.
--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
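The fragment problem Chris describes, modelled in Python as an added example (not code from this thread, and not Junos's own match logic): constructed IPv4 packets are classified, a naive port-0 discard reads a missing L4 header as port 0 and so drops every trailing fragment, and a variant that only matches when the packet actually carries the L4 header shows the effect the first-fragment clause is meant to have. The packet bytes and the two discard functions are constructed for illustration; whether a real Junos `port 0` term behaves like the naive model is exactly what Richard's test calls into question.

```python
import struct

IP_PROTO_TCP = 6
IP_PROTO_UDP = 17

def build_ipv4(proto, frag_offset_words, more_fragments, payload):
    """Constructed 20-byte IPv4 header (no options) plus payload; checksum left 0."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset_words & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

def classify(pkt):
    """Return (protocol, has_l4_header, src_port, dst_port).
    Only a packet with fragment offset 0 carries the TCP/UDP header; for trailing
    fragments the ports are None because there is nothing to read."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    proto = pkt[9]
    has_l4 = (flags_frag & 0x1FFF) == 0
    if proto in (IP_PROTO_TCP, IP_PROTO_UDP) and has_l4 and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        return proto, has_l4, sport, dport
    return proto, has_l4, None, None

def naive_port_zero_discard(pkt):
    """Model of the behaviour Chris describes: a missing L4 header is read as
    port 0, so every trailing fragment is discarded along with real port-0 packets."""
    proto, _has_l4, sport, dport = classify(pkt)
    if proto not in (IP_PROTO_TCP, IP_PROTO_UDP):
        return False
    return (sport or 0) == 0 or (dport or 0) == 0

def first_fragment_port_zero_discard(pkt):
    """Same term with the first-fragment idea applied: only packets that really
    carry an L4 header with port 0 are discarded; trailing fragments pass."""
    _proto, has_l4, sport, dport = classify(pkt)
    if not has_l4 or sport is None:
        return False
    return sport == 0 or dport == 0

# Constructed sample packets (not captured traffic).
UDP_HDR_DNS = struct.pack("!HHHH", 40000, 53, 8, 0)      # sport 40000, dport 53
UDP_HDR_PORT0 = struct.pack("!HHHH", 0, 53, 8, 0)        # genuine source port 0
FIRST_FRAG_DNS = build_ipv4(IP_PROTO_UDP, 0, True, UDP_HDR_DNS + b"\x00" * 8)
LATER_FRAG_DNS = build_ipv4(IP_PROTO_UDP, 3, False, b"\x00" * 16)  # offset 24 bytes, no UDP header
REAL_PORT0 = build_ipv4(IP_PROTO_UDP, 0, False, UDP_HDR_PORT0)

if __name__ == "__main__":
    for name, pkt in [("first fragment", FIRST_FRAG_DNS), ("later fragment", LATER_FRAG_DNS), ("real port 0", REAL_PORT0)]:
        print(name, "naive:", naive_port_zero_discard(pkt), "first-fragment:", first_fragment_port_zero_discard(pkt))
```

The naive model discards the later fragment even though the flow is ordinary DNS, which is the "problems of an indeterminate type" Chris refers to; the first-fragment variant drops only the packet whose header really says port 0.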