[j-nsp] SYN/FIN ratio

Pavel Lunin plunin at senetsy.ru
Sun Feb 28 03:41:31 EST 2010


Hi Phil,

2010/2/27 Phil Shafer <phil at juniper.net>

>
> Be aware that "tcp-flags" looks at the bits at a fixed offset in
> the packet without checking to see that the packet is TCP.


[…]


> The fix is to add at the top of your filter:
>
>    term accept-non-tcp {
>        from {
>            protocol-except tcp;
>        }
>        then accept;
>    }
>
>
This is quite an important note, I really missed it. Thank you.


> Also you may want to use:
>
>        tcp-flags "syn & !ack";
>
> in term SYN to match only connection requests.
>
>
This does not actually matter, since the SYN-ACK reply goes backwards.
Approximately the same thing happens to FIN. So while a normally closed session
has two segments marked SYN and two marked FIN, only one of each pair
is transmitted in each direction.

--
Regards,
Pavel
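The point in Phil's quoted message is easy to reproduce outside a router. The following Python script is an added illustration, not code from either poster or from Junos: it builds a few constructed IPv4 packets, applies the SYN and FIN terms the way a filter would if it read the flag bits at a fixed offset (assumed here to be byte 13 of the transport header behind a 20-byte IPv4 header, i.e. offset 33), and then applies the same terms with the "accept-non-tcp" term in front. The constructed UDP packet is an ordinary DNS query: its QDCOUNT field happens to land exactly where the TCP flags byte would be, so without the protocol guard it is counted as a FIN and skews the ratio. The packet builders, offsets and counters are assumptions made for this example.

```python
import struct
from dataclasses import dataclass

# TCP flag bits (byte 13 of the TCP header).
FIN, SYN, ACK = 0x01, 0x02, 0x10
IPPROTO_TCP, IPPROTO_UDP = 6, 17
# Where a fixed-offset "tcp-flags" test would look: the flags byte of a TCP
# header that follows a 20-byte IPv4 header with no options (assumption).
FLAGS_OFFSET = 20 + 13


def ipv4(proto, payload):
    """Constructed minimal IPv4 header (IHL=5, no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def tcp(flags, sport=40000, dport=80):
    """Constructed 20-byte TCP header carrying the given flags, no payload."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ipv4(IPPROTO_TCP, seg)


def dns_query():
    """Constructed UDP datagram holding a plain DNS query for example.com (A record).

    DNS header: ID, flags (RD), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT.
    The low byte of QDCOUNT sits at transport offset 8 + 5 = 13, which is
    exactly the TCP flags position; its value 0x01 looks like the FIN bit.
    """
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + question
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    return ipv4(IPPROTO_UDP, udp)


@dataclass
class Counters:
    syn: int = 0
    fin: int = 0
    accepted: int = 0


def flags_at_fixed_offset(pkt):
    """Read the byte at the TCP-flags position; short packets read as no flags."""
    return pkt[FLAGS_OFFSET] if len(pkt) > FLAGS_OFFSET else 0


def count_syn_fin(pkt, c):
    """Only the SYN and FIN terms: flag bits tested without checking the protocol."""
    f = flags_at_fixed_offset(pkt)
    if f & SYN and not f & ACK:      # term SYN: tcp-flags "syn & !ack"
        c.syn += 1
    elif f & FIN:                    # term FIN: tcp-flags "fin"
        c.fin += 1
    else:
        c.accepted += 1


def count_syn_fin_guarded(pkt, c):
    """Same terms with 'accept-non-tcp' (protocol-except tcp; then accept) first."""
    if pkt[9] != IPPROTO_TCP:        # IPv4 protocol field
        c.accepted += 1
        return
    count_syn_fin(pkt, c)


def traffic():
    """Constructed sample: both directions of two short TCP sessions plus one DNS query."""
    return [tcp(SYN), tcp(SYN), tcp(SYN | ACK), tcp(SYN | ACK), tcp(ACK),
            tcp(FIN | ACK), tcp(FIN | ACK), dns_query()]


def run(filter_fn, packets):
    """Apply a filter function to every packet and return the resulting counters."""
    c = Counters()
    for p in packets:
        filter_fn(p, c)
    return c


if __name__ == "__main__":
    for name, fn in (("no guard", count_syn_fin), ("with guard", count_syn_fin_guarded)):
        c = run(fn, traffic())
        print(f"{name}: syn={c.syn} fin={c.fin} ratio={c.syn / c.fin:.2f}")
```

Without the guard the sample yields two SYNs and three FINs (the DNS query is the third), with the guard two and two. The same mis-count happens with any non-TCP packet whose payload has the SYN or FIN bit set at that offset, which is why the protocol-except term belongs at the top of the filter rather than relying on the flag bits alone.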

