[j-nsp] Sample configuration: security {}

Tim Eberhard xmin0s at gmail.com
Mon Apr 6 08:02:20 EDT 2009


That KB is to turn Junos-ES into a router device.

the first part:
            no-syn-check;
            no-syn-check-in-tunnel;
            no-sequence-check;

Basically turns off *all* stateful TCP. At that point you might as well be
using stateless ACLs.

The next portion is to disable the ALGs (application layer gateways). Again,
if the end goal here is to use this device as a router, I agree with it.

If you're trying to use the security{} options as a firewall then do *not*
follow that KB.

Good luck,
-Tim Eberhard
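
Added example (not from the thread or from Juniper): a small audit script that reads a `security {}` stanza in Junos display syntax and reports the settings Tim describes above, i.e. the `tcp-session` knobs that switch off stateful TCP checking and any ALGs that have been disabled. The sample stanza is constructed from the knobs quoted in the thread.

```python
# Constructed sample: the knobs KB11963 recommends, in Junos curly-brace syntax.
ROUTER_STYLE = """
security {
    flow {
        tcp-session {
            no-syn-check;
            no-syn-check-in-tunnel;
            no-sequence-check;
        }
    }
    alg {
        dns disable;
        ftp disable;
        sip disable;
    }
}
"""

def parse(text):
    """Parse display-style Junos config (one statement per line) into nested dicts.

    A block 'name {' becomes a dict, a leaf 'statement;' maps to None."""
    root, stack = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("{"):                       # open a nested block
            node = {}
            (stack[-1] if stack else root)[line[:-1].strip()] = node
            stack.append(node)
        elif line == "}":                            # close the current block
            stack.pop()
        elif line.endswith(";"):                     # leaf statement
            (stack[-1] if stack else root)[line[:-1].strip()] = None
    return root

# The three tcp-session knobs that disable stateful TCP inspection.
STATEFUL_KNOBS = ("no-syn-check", "no-syn-check-in-tunnel", "no-sequence-check")

def audit(text):
    """List settings that turn the stateful firewall into a plain router."""
    sec = parse(text).get("security") or {}
    tcp = (sec.get("flow") or {}).get("tcp-session") or {}
    findings = [f"flow tcp-session {k}: stateful TCP check disabled"
                for k in STATEFUL_KNOBS if k in tcp]
    # 'dns disable;' style leaves under alg{} name the disabled gateways
    disabled = sorted(k.split()[0] for k in (sec.get("alg") or {}) if k.endswith(" disable"))
    if disabled:
        findings.append("alg disabled: " + ", ".join(disabled))
    return findings

if __name__ == "__main__":
    for f in audit(ROUTER_STYLE):
        print(f)
```

An empty list from `audit()` means none of the router-style settings are present, which is the state you want when the `security {}` stanza is meant to act as a firewall.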

On Mon, Apr 6, 2009 at 1:37 AM, <tech at osystems.ru> wrote:

>
>
> KB11963 also recommends adding
>     flow {
>         allow-dns-reply;
>         tcp-session {
>             no-syn-check;
>             no-syn-check-in-tunnel;
>             no-sequence-check;
>         }
>     }
>
> and
>
>     alg {
>         dns disable;
>         ftp disable;
>         h323 disable;
>         mgcp disable;
>         real disable;
>         rsh disable;
>         rtsp disable;
>         sccp disable;
>         sip disable;
>         sql disable;
>         talk disable;
>         tftp disable;
>         pptp disable;
>         msrpc disable;
>         sunrpc disable;
>     }
>
> as well as
>     zones {
>         security-zone trust {
>             tcp-rst;
>         }
>     }
>
> Is there a reason to make these changes?
>
>
>
>
> On Fri, 03 Apr 2009 15:04:58 +0200, Tomasz Klicki <tomasz at klicki.pl>
> wrote:
> > tech at osystems.ru writes:
> >> Please give me a sample configuration, security {} for the JUNOS
> >> Software Release [9.4R1.8] (Export edition) Enhanced Services for the
> >> BGP router (border router).
> >
> > Here you are:
> >
> > security {
> >     zones {
> >         security-zone zone_default {
> >             host-inbound-traffic {
> >                 system-services {
> >                     all;
> >                 }
> >                 protocols {
> >                     all;
> >                 }
> >             }
> >             interfaces {
> >                 all;
> >             }
> >         }
> >     }
> >     policies {
> >         default-policy {
> >             permit-all;
> >         }
> >     }
> > }
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>

