[j-nsp] "ping: sendto: Operation not permitted" in LAN
Stefan Fouant
sfouant at shortestpathfirst.net
Thu Aug 18 21:23:12 EDT 2011
On 8/18/2011 3:18 PM, Saku Ytti wrote:
> On (2011-08-18 10:28 -0400), Stefan Fouant wrote:
>
>> established. This can cause strange behavior since it's only looking
>> for a simple bit match against the TCP ACK or RST fields.
>> However because you are not tying it specifically to TCP traffic,
>> any packets which have a 1 value at that offset will match.
>
> Trio appears to change this, in inet6 simply doing 'match port X' without
> 'match next-header tcp|udp' correctly finds port X, regardless of its position
> in the frame (you can move the UDP/TCP port position via extension headers).
Hi Saku,
Trio has nothing to do with this - the behavior when matching on a port
is completely different than using the bit-field match operators. Even
without Trio, if you specify a match on a port without protocol, it will
look in the appropriate locations depending on whether the traffic is
TCP or UDP. That is not the case with bit-field match operators.
See
http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-policy/policy-firewall-filter-how-to-specify-match-conditions.html#jd0e29000
for more information.
HTHs.
Stefan Fouant
JNCIE-ER, JNCIE-M, JNCIE-SEC, JNCI
Technical Trainer, Juniper Networks
http://www.shortestpathfirst.net
http://www.twitter.com/sfouant
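As an added illustration (not from the thread), the difference Stefan describes expressed as Junos firewall filter terms: the first filter uses the bit-field shorthand `tcp-established` (equivalent to `tcp-flags "(ack | rst)"`) with no protocol qualifier, so any IPv4 packet carrying a 1 at that offset matches whatever its protocol; the second adds `protocol tcp` so the flag test applies only to TCP segments (for `family inet6` the qualifier is `next-header tcp`). Filter and term names are assumed.

```junos
firewall {
    family inet {
        /* Weak: bit-field match with no protocol qualifier.
           tcp-established is shorthand for tcp-flags "(ack | rst)" and is
           evaluated as a raw bit test at the TCP-flags offset, so a UDP or
           other non-TCP packet whose payload happens to carry a 1 at that
           offset is accepted as "established" traffic. */
        filter RETURN-TRAFFIC-WEAK {
            term established {
                from {
                    tcp-established;
                }
                then accept;
            }
            term default {
                then discard;
            }
        }
        /* Corrected: qualify the bit-field match with protocol tcp so the
           flag test is only applied to TCP segments. Port matches
           (source-port, destination-port) do not need this, as the thread
           notes, because the filter locates the port fields by transport
           protocol rather than by fixed offset. */
        filter RETURN-TRAFFIC {
            term established {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            term default {
                then discard;
            }
        }
    }
}
```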