[j-nsp] "ping: sendto: Operation not permitted" in LAN

Stefan Fouant sfouant at shortestpathfirst.net
Thu Aug 18 21:23:12 EDT 2011


On 8/18/2011 3:18 PM, Saku Ytti wrote:
> On (2011-08-18 10:28 -0400), Stefan Fouant wrote:
>
>> established. This can cause strange behavior since it's only looking
>> for a simple bit match against the TCP ACK or RST fields.
>> However, because you are not tying it specifically to TCP traffic,
>> any packets which have a 1 value at that offset will match.
>
> Trio appears to change this, in inet6 simply doing 'match port X' without
> 'match next-header tcp|udp' correctly finds port X, regardless of its position
> in the frame (you can move the UDP/TCP port position via extension headers).

Hi Saku,

Trio has nothing to do with this - the behavior when matching on a port 
is completely different than using the bit-field match operators.  Even 
without Trio, if you specify a match on a port without protocol, it will 
look in the appropriate locations depending on whether the traffic is 
TCP or UDP.  That is not the case with bit-field match operators.

See 
http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-policy/policy-firewall-filter-how-to-specify-match-conditions.html#jd0e29000 
for more information.

HTHs.

Stefan Fouant
JNCIE-ER, JNCIE-M, JNCIE-SEC, JNCI
Technical Trainer, Juniper Networks
http://www.shortestpathfirst.net
http://www.twitter.com/sfouant
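To make the distinction concrete, here is an added Junos firewall-filter example (constructed for this thread, not configuration from the original post; filter and term names are hypothetical). It puts the bit-field match without a protocol qualifier beside the corrected form, and shows a port match that needs no such qualifier.

```junos
/* Constructed example; filter and term names are hypothetical. */
firewall {
    family inet {
        /* Pitfall: tcp-established is a synonym for tcp-flags "(ack | rst)",
           a bit-field test at a fixed offset in the packet. Without
           "protocol tcp" the test is applied to every packet, so a UDP or
           ICMP packet that happens to carry a 1 bit at that offset also
           matches and is accepted here. */
        filter ESTABLISHED-WEAK {
            term established {
                from {
                    tcp-established;
                }
                then accept;
            }
            term default {
                then discard;
            }
        }
        /* Corrected: tie the bit-field match to TCP so it is only evaluated
           against a real TCP header. */
        filter ESTABLISHED-FIXED {
            term established {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            /* A port match works differently: Junos reads the port from the
               TCP or UDP header as appropriate, so no protocol qualifier is
               needed for correctness. Note it matches both TCP and UDP port
               22; add "protocol tcp" if only TCP is intended. */
            term ssh {
                from {
                    port 22;
                }
                then accept;
            }
            term default {
                then discard;
            }
        }
    }
}
```

Before relying on either filter, check which packets it actually admits with a counting or logging action on the term, for example `then { count established-hits; accept; }`, and compare against what the interface really carries.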

