[j-nsp] "ping: sendto: Operation not permitted" in LAN

Saku Ytti saku at ytti.fi
Sat Aug 20 02:24:36 EDT 2011


On (2011-08-19 19:03 -0400), Stefan Fouant wrote:

> This is the nature of stateless firewall-filters guys... It has been this way since the beginning and everybody else seems to understand this behavior. I don't see anybody else screaming that this is a gaping security hole.  You do realize that this is no different than ACLs on Cisco right? If you need something that will handle traffic statefully, use a firewall instead.

Did you have time to go through my email, where I hopefully proved that Trio
in fact works like I originally suggested, not like the M series does? I.e.
'tcp-initial' does not simply match an arbitrary bit offset in the packet, as
matching stopped working when the packet was changed from TCP (6) to 7.

You don't have this same problem in IOS either, as you cannot specify TCP
options in IOS without specifying the packet to be TCP.

-- 
  ++ytti
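As an added illustration (not from the thread, and not Juniper's code) of the distinction being drawn above, this Python model evaluates a `tcp-initial`-style term two ways over constructed packets: one model tests the flag bits at the TCP-flags offset regardless of IP protocol, the other first requires IP protocol 6. The meaning of `tcp-initial` (SYN set, ACK clear) is Junos's documented one; the two evaluation models are assumptions standing in for the M-series and Trio behaviours the thread describes.

```python
import struct

TCP = 6
SYN, ACK = 0x02, 0x10


def build_ipv4_packet(proto, flags):
    """Construct a 20-byte IPv4 header followed by a 20-byte TCP-shaped header
    whose flags byte is `flags`. Constructed sample data, not a capture;
    checksums are left zero because the filter models ignore them."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    # sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
    l4 = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + l4


def tcp_flags_at_offset(pkt):
    """Read the byte where TCP flags would sit, without checking the protocol."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl + 13]


def match_tcp_initial_offset_only(pkt):
    """Assumed model of the M-series behaviour described in the thread: the
    SYN/ACK bits are tested at the TCP-flags offset whatever the IP protocol."""
    f = tcp_flags_at_offset(pkt)
    return bool(f & SYN) and not (f & ACK)


def match_tcp_initial_protocol_checked(pkt):
    """Assumed model of the Trio behaviour described in the thread: the term
    matches only when the IP protocol field is actually TCP (6)."""
    if pkt[9] != TCP:
        return False
    return match_tcp_initial_offset_only(pkt)


def run_comparison():
    """Return {(proto, flags): (offset_only_match, protocol_checked_match)}."""
    cases = [(6, SYN), (7, SYN), (6, SYN | ACK)]
    results = {}
    for proto, flags in cases:
        pkt = build_ipv4_packet(proto, flags)
        results[(proto, flags)] = (match_tcp_initial_offset_only(pkt),
                                   match_tcp_initial_protocol_checked(pkt))
    return results


if __name__ == "__main__":
    for (proto, flags), (offset_only, checked) in run_comparison().items():
        print(f"proto={proto} flags=0x{flags:02x} "
              f"offset-only={offset_only} protocol-checked={checked}")
```

The protocol-7 packet with the SYN bit set at the TCP-flags offset is the case the thread describes: the offset-only model still matches it, the protocol-checked model does not.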

