[j-nsp] tcp-flag filter

Dan Evans pzdevans at gmail.com
Wed Sep 14 09:49:21 EDT 2005


Rafal,

Correct. My production filters do include protocol matches. I'm glad
you made that point, because I've seen very unexpected behavior when
it's left out.

-Dan
JNCIE #0084


On 9/14/05, Rafal Szarecki (WA/EPO) <rafal.szarecki at ericsson.com> wrote:
> Dan,
> 
> In your example the match for protocol is missing.
> 
> tcp-flag does not check the value of the protocol type in the IPv4 header.
> It just matches against the 6 less significant bits of byte 14 of the IP payload (L4 header or even L4 payload).
> 
> So for UDP, tcp-flag may match bits in the payload and match positive.
> 
> Rafał Szarecki JNCIE
> 
> skype me <callto://Rafal_Szarecki/>
> 
> 
> 
> > -----Original Message-----
> > From: juniper-nsp-bounces at puck.nether.net
> > [mailto:juniper-nsp-bounces at puck.nether.net]On Behalf Of Dan Evans
> > Sent: Wednesday, September 14, 2005 3:03 PM
> > To: erol.kahraman at gmail.com
> > Cc: juniper-nsp at puck.nether.net
> > Subject: Re: [j-nsp] tcp-flag filter
> >
> >
> > Here's an example of how to use the tcp-flags option in firewall
> > filters. Hopefully this helps out:
> >
> > term foo-1 {
> >        from {
> >            destination-address {
> >                x.x.x.a/32;
> >                x.x.x.b/32;
> >                x.x.x.c/32;
> >            }
> >            source-prefix-list {
> >                filter1 except;
> >            }
> >            tcp-flags "ack & !rst";
> >        }
> >        then accept;
> >    }
> > term foo-2 {
> >        from {
> >            destination-address {
> >                x.x.x.a/32;
> >                x.x.x.b/32;
> >                x.x.x.c/32;
> >            }
> >            tcp-flags "(syn & !ack) | rst";
> >        }
> >        then {
> >            discard;
> >        }
> >    }
> >
> >
> > -Dan
> >
> >
> > On 9/14/05, Erol KAHRAMAN <erol.kahraman at gmail.com> wrote:
> > > Hi to everybody,
> > >
> > > I am trying to write a filter which will block TCP packets with the
> > > SYN and FIN flags set. Is it possible? I found the tcp-flags parameter
> > > in the help of filter, but I don't know how to use it.
> > >
> > > --
> > > Erol KAHRAMAN
> > > System Network Administrator
> > >
> > > _______________________________________________
> > > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > > http://puck.nether.net/mailman/listinfo/juniper-nsp
> > >
> >
>
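An added example, not from this thread or from Junos itself, that emulates the match Rafal describes: the six flag bits are read from byte 14 of the IP payload whatever the IP protocol field says, so a UDP datagram whose payload happens to carry 0x03 at that offset satisfies "syn & fin" (Erol's case) unless the term also requires protocol tcp, as Dan's production filters do. The expression parser, the `term_matches` helper and the packet samples are assumptions constructed for this illustration.

```python
import re
# Six classic TCP flag bits, named as the Junos tcp-flags keywords in Dan's
# filter. The flags byte is L4 byte 14 (zero-based offset 13).
FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
             "push": 0x08, "ack": 0x10, "urgent": 0x20}
IPPROTO_TCP, IPPROTO_UDP = 6, 17

def match_flags(expr: str, flags: int) -> bool:
    """Evaluate a tcp-flags expression such as "(syn & !ack) | rst" against
    the low six flag bits. Recursive descent: '|' binds loosest, then '&',
    then '!' and parentheses."""
    tokens = re.findall(r"[a-z]+|[()&|!]", expr)
    def p_or():
        v = p_and()
        while tokens and tokens[0] == "|":
            tokens.pop(0)
            v = p_and() or v
        return v
    def p_and():
        v = p_not()
        while tokens and tokens[0] == "&":
            tokens.pop(0)
            v = p_not() and v
        return v
    def p_not():
        t = tokens.pop(0)
        if t == "!":
            return not p_not()
        if t == "(":
            v = p_or()
            tokens.pop(0)  # consume the closing ')'
            return v
        return bool(flags & FLAG_BITS[t])
    return p_or()

def term_matches(expr: str, ip_proto: int, l4: bytes, require_tcp: bool) -> bool:
    """One filter term. require_tcp=False mirrors the quoted example, which has
    no 'protocol tcp': the bits come from L4 byte 14 whatever the IP protocol
    field says. require_tcp=True adds that protocol match."""
    if require_tcp and ip_proto != IPPROTO_TCP:
        return False
    return len(l4) >= 14 and match_flags(expr, l4[13] & 0x3F)

# Constructed sample L4 payloads (hypothetical, not captured traffic).
# TCP header: ports, seq, ack, data offset 5 + flags SYN|FIN, window, csum, urg.
TCP_SYN_FIN = bytes.fromhex("04d2 0050 00000001 00000000 5003 ffff 0000 0000")
# UDP header (8 bytes) plus a payload whose sixth byte happens to be 0x03.
UDP_LOOKALIKE = bytes.fromhex("04d2 0035 000e 0000 0000000000 03")
```

With require_tcp=False the UDP sample matches "syn & fin" and would be discarded by a term like foo-2; with the protocol match it does not.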