[j-nsp] tcp-flag filter
Rafal Szarecki (WA/EPO)
rafal.szarecki at ericsson.com
Wed Sep 14 09:39:29 EDT 2005
Dan,
In your example the match for protocol is missing.
tcp-flags does not check the value of the protocol field in the IPv4 header.
It just matches against the 6 least significant bits of byte 14 of the IP payload (L4 header or even L4 payload).
So for UDP, tcp-flags may optionally match bits in the payload and match positive.
Rafał Szarecki JNCIE
skype me <callto://Rafal_Szarecki/>
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net
> [mailto:juniper-nsp-bounces at puck.nether.net]On Behalf Of Dan Evans
> Sent: Wednesday, September 14, 2005 3:03 PM
> To: erol.kahraman at gmail.com
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] tcp-flag filter
>
>
> Here's an example of how to use the tcp-flags option in firewall
> filters. Hopefully this helps out:
>
> term foo-1 {
>     from {
>         destination-address {
>             x.x.x.a/32;
>             x.x.x.b/32;
>             x.x.x.c/32;
>         }
>         source-prefix-list {
>             filter1 except;
>         }
>         tcp-flags "ack & !rst";
>     }
>     then accept;
> }
> term foo-2 {
>     from {
>         destination-address {
>             x.x.x.a/32;
>             x.x.x.b/32;
>             x.x.x.c/32;
>         }
>         tcp-flags "(syn & !ack) | rst";
>     }
>     then {
>         discard;
>     }
> }
>
>
> -Dan
>
>
> On 9/14/05, Erol KAHRAMAN <erol.kahraman at gmail.com> wrote:
> > hi to everybody,
> >
> > I am trying to write a filter which will block TCP packets with the
> > SYN and FIN flags set. Is it possible? I found the tcp-flags parameter
> > in the help for filter, but I don't know how to use it.
> >
> > --
> > Erol KAHRAMAN
> > System Network Administrator
> >
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > http://puck.nether.net/mailman/listinfo/juniper-nsp
> >
>
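To make the point about the missing protocol match concrete, here is an added Python example (not from the thread, and not Junos code) that emulates how a term's tcp-flags test behaves on constructed packets: it tests the 6 low bits of byte 14 of the IP payload, so without `protocol tcp` a UDP datagram whose payload happens to carry the SYN and FIN bit pattern at that offset also matches. The expression evaluator, packet builders and `term_matches` function are my own approximation of the filter semantics, written for illustration.

```python
import re
import struct

# TCP flag bits, all in the 6 least significant bits of TCP header byte 13
# (the 14th byte of the IP payload, as the post describes). Junos names.
TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
                 "push": 0x08, "ack": 0x10, "urgent": 0x20}
FLAG_ALIASES = {"psh": "push", "urg": "urgent"}
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def flags_expr_matches(expr, flags_byte):
    """Evaluate a Junos-style expression like '(syn & !ack) | rst' against a flags byte."""
    tokens = re.findall(r"[()&|!]|[a-z]+", expr.lower())
    if "".join(tokens) != re.sub(r"\s+", "", expr.lower()):
        raise ValueError("unsupported character in tcp-flags expression")
    ops = {"&": " and ", "|": " or ", "!": " not ", "(": "(", ")": ")"}
    pieces = []
    for tok in tokens:
        if tok in ops:
            pieces.append(ops[tok])
        else:
            name = FLAG_ALIASES.get(tok, tok)
            if name not in TCP_FLAG_BITS:
                raise ValueError("unknown flag %r" % tok)
            pieces.append(str(bool(flags_byte & TCP_FLAG_BITS[name])))
    # Only True/False/and/or/not/parentheses reach eval; builtins are disabled.
    return bool(eval("".join(pieces), {"__builtins__": {}}, {}))


def term_matches(packet, tcp_flags, protocol=None):
    """Emulate 'from { [protocol N;] tcp-flags "..."; }' on a raw IPv4 packet.
    With protocol=None the term behaves like Dan's: the flag bits are tested at
    byte 14 of the IP payload whatever the L4 protocol is."""
    l4_offset = (packet[0] & 0x0F) * 4          # IHL in 32-bit words
    if protocol is not None and packet[9] != protocol:
        return False
    if len(packet) < l4_offset + 14:
        return False
    return flags_expr_matches(tcp_flags, packet[l4_offset + 13])


def build_ipv4(proto, l4_bytes):
    """Constructed 20-byte IPv4 header (checksum left zero) plus L4 bytes."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4_bytes), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + l4_bytes


def build_tcp(flags):
    """Constructed 20-byte TCP header with the given flags byte."""
    return build_ipv4(IPPROTO_TCP, struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                                               5 << 4, flags, 8192, 0, 0))


def build_udp(payload):
    """Constructed UDP datagram: 8-byte header, so payload byte 5 is L4 byte 13."""
    return build_ipv4(IPPROTO_UDP, struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload)
```

The UDP payload `b"\x00\x00\x00\x00\x00\x03"` matches `"syn & fin"` unless the term also has `protocol tcp`, which is exactly the false positive the reply warns about.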