[j-nsp] Rule to prevent illegitimate TCP attacks

Erdem Sener erdems at gmail.com
Wed Jul 27 18:54:32 EDT 2005


Hi,

 I guess what you're looking for is 'tcp-established', and it is indeed
possible. Still, you might want to think about non-TCP traffic (such
as DNS queries).

 In your example, a firewall filter applied to the outbound
interface for network A could look like:

firewall {
    family inet {
        filter <filter-name> {
            term established-from-B-to-A {
                from {
                    source-address {
                        <network B>;
                    }
                    destination-address {
                        <network A>;
                    }
                    protocol tcp;       ## tcp-established does not imply protocol tcp by itself
                    tcp-established;    ## alias for tcp-flags "(ack | rst)"
                }
                then accept;
            }
            term block-non-established-tcp-from-B-to-A {
                from {
                    source-address {
                        <network B>;
                    }
                    destination-address {
                        <network A>;
                    }
                    protocol tcp;
                }
                then {
                    reject;
                }
            }
            term the_rest {
                then {
                    accept;     ## assuming you only want to alter tcp traffic.
                }
            }
        }
    }
}

 I would suggest thinking more than twice on what's needed and what's
going to happen before applying any firewall filters that will affect
live traffic.

Hope this helps,
Erdem
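A stand-alone model of how the three terms in the post above are evaluated, added here as an example; it is not code from the original post and not Junos itself. It builds constructed IPv4/TCP/UDP packets using the assumed prefixes 10.1.0.0/16 for network A and 192.0.2.0/24 for network B (the post leaves both as placeholders), walks each packet through the terms in order with first-match-wins semantics, and makes the first term's protocol tcp match explicit as the Junos documentation recommends. It also shows the caveat a practitioner should keep in mind: tcp-established is a stateless alias for tcp-flags "(ack | rst)", so a SYN from B is rejected, but an unsolicited segment with only ACK set (the kind an ACK scan sends) still matches the first term and is accepted.

```python
"""Model of the three-term Junos filter from the post (added example, not Junos code).

Constructed prefixes: network A = 10.1.0.0/16, network B = 192.0.2.0/24
(both assumptions; the original post leaves them as placeholders)."""
import ipaddress
import struct

NET_A = ipaddress.ip_network("10.1.0.0/16")   # assumed stand-in for <network A>
NET_B = ipaddress.ip_network("192.0.2.0/24")  # assumed stand-in for <network B>

PROTO_TCP = 6
PROTO_UDP = 17

# TCP flag bits in the header's flags byte (RFC 793 layout).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_ipv4_packet(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options, checksum left zero) + payload.
    Checksums are irrelevant to the match logic, so they are not computed."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr + payload


def build_tcp_segment(sport, dport, flags):
    """Minimal 20-byte TCP header carrying the given flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def build_udp_datagram(sport, dport, payload=b""):
    """Minimal UDP header + payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def parse(packet):
    """Extract the fields the filter terms match on."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    fields = {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
              "proto": proto, "tcp_flags": None}
    if proto == PROTO_TCP:
        fields["tcp_flags"] = packet[ihl + 13]  # flags byte sits at TCP offset 13
    return fields


def tcp_established(fields):
    """Junos 'tcp-established' is an alias for tcp-flags "(ack | rst)": a
    stateless bit test that is true for *any* packet with ACK or RST set."""
    return fields["tcp_flags"] is not None and bool(fields["tcp_flags"] & (ACK | RST))


def evaluate_filter(packet):
    """Walk the terms in order; the first matching term decides, as in Junos."""
    f = parse(packet)
    from_b_to_a = f["src"] in NET_B and f["dst"] in NET_A
    # term established-from-B-to-A (with 'protocol tcp' made explicit)
    if from_b_to_a and f["proto"] == PROTO_TCP and tcp_established(f):
        return "accept"
    # term block-non-established-tcp-from-B-to-A
    if from_b_to_a and f["proto"] == PROTO_TCP:
        return "reject"
    # term the_rest: everything else, including UDP DNS and A-to-B traffic
    return "accept"


def demo():
    """Constructed packets exercising each path; returns {label: action}."""
    b_host, a_host = "192.0.2.10", "10.1.0.5"
    cases = {
        "syn from B": build_ipv4_packet(b_host, a_host, PROTO_TCP,
                                        build_tcp_segment(40000, 22, SYN)),
        "syn-ack from B": build_ipv4_packet(b_host, a_host, PROTO_TCP,
                                            build_tcp_segment(80, 40001, SYN | ACK)),
        "bare ack from B": build_ipv4_packet(b_host, a_host, PROTO_TCP,
                                             build_tcp_segment(40002, 445, ACK)),
        "dns reply from B": build_ipv4_packet("192.0.2.53", a_host, PROTO_UDP,
                                              build_udp_datagram(53, 33333)),
        "syn from A": build_ipv4_packet(a_host, b_host, PROTO_TCP,
                                        build_tcp_segment(40003, 80, SYN)),
    }
    return {label: evaluate_filter(pkt) for label, pkt in cases.items()}


if __name__ == "__main__":
    for label, action in demo().items():
        print(f"{label:18} -> {action}")
```

The "bare ack from B" case is the point of the model: the filter stops B from opening new connections into A, because a SYN has neither ACK nor RST set, but it cannot tell a reply in an existing session from an unsolicited ACK-flagged probe or flood, since it keeps no connection state. If that distinction matters, the check has to be done by something stateful rather than by a stateless firewall filter term.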



More information about the juniper-nsp mailing list