[j-nsp] Netscreen Firewalls and TCP States/Bypass

Phil Mayers p.mayers at imperial.ac.uk
Tue Sep 20 03:31:33 EDT 2011


On 09/20/2011 04:06 AM, Stefan Fouant wrote:
> 'unset flow tcp-syn-check' is what you want but unfortunately it is a global setting, so all or nothing...

Are you sure? I don't think that's what he wants; as suggested by the 
name, this relaxes the requirement for the 1st packet to be a 
syn/syn+ack pair, but the firewall will still expect to see both sides 
of the flow IIRC; in a previous iteration of our network, we were prone 
to asymmetric routing causing our firewalls problems, and we've run with 
"unset flow tcp-syn-" from day one.

It is possible I am mis-remembering it of course...
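To make the distinction in this exchange concrete, here is a small session-table model, written for this thread and not taken from ScreenOS or from either poster. It models the two behaviours discussed above: with the SYN check enabled, a flow whose first packet is not a SYN is dropped; with it disabled (the global "unset flow tcp-syn-check" being discussed), a mid-stream packet is allowed to create a session, which is the bypass concern in the subject line. The second half of the model audits which sessions were created from a non-SYN packet and never saw the other direction, which is the symptom an operator with asymmetric routing would want to watch for. The class and field names (`SessionTable`, `syn_check`, `seen_reply`) and the sample addresses are assumptions for the example and do not describe the firewall's real data structures.

```python
"""Simplified stateful-firewall session model illustrating a TCP SYN check.

Added illustrative code for this thread; it is not ScreenOS code and does not
claim to reproduce the real session-table logic. Names and sample values are
assumptions for the example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag string, e.g. "S", "SA", "A", "PA"


@dataclass
class SessionTable:
    # Models a global setting like 'set/unset flow tcp-syn-check' (assumption:
    # one switch for the whole table, as the thread notes it is global).
    syn_check: bool = True
    sessions: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    @staticmethod
    def key(pkt):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def reverse_key(pkt):
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def process(self, pkt):
        """Return a verdict string for one packet and update the table."""
        k = self.key(pkt)
        if k in self.sessions:
            return "pass-existing"
        rk = self.reverse_key(pkt)
        if rk in self.sessions:
            # Reply direction of a known session: both sides are now seen.
            self.sessions[rk]["seen_reply"] = True
            return "pass-reply"
        # First packet of a previously unseen flow.
        if self.syn_check and pkt.flags != "S":
            self.log.append(f"drop: non-SYN first packet {k} flags={pkt.flags}")
            return "drop"
        self.sessions[k] = {"first_flags": pkt.flags, "seen_reply": False}
        return "pass-new"


def run_scenario(syn_check, packets):
    """Feed packets through a fresh table; return (verdicts, table)."""
    table = SessionTable(syn_check=syn_check)
    verdicts = [table.process(p) for p in packets]
    return verdicts, table


def one_sided_non_syn_sessions(table):
    """Defender-side audit: sessions opened by a non-SYN packet whose reply
    direction was never seen. With the SYN check off these are the entries
    worth reviewing (asymmetric routing or something probing the rule base)."""
    return sorted(
        k for k, s in table.sessions.items()
        if s["first_flags"] != "S" and not s["seen_reply"]
    )


# Constructed sample traffic: one proper handshake and one flow whose first
# packet the firewall sees is a bare ACK (as happens with asymmetric routing).
SAMPLE = [
    Packet("10.0.0.1", 40001, "192.0.2.10", 80, "S"),
    Packet("192.0.2.10", 80, "10.0.0.1", 40001, "SA"),
    Packet("10.0.0.1", 40001, "192.0.2.10", 80, "A"),
    Packet("10.0.0.1", 40002, "192.0.2.10", 80, "A"),
]

if __name__ == "__main__":
    for setting in (True, False):
        verdicts, table = run_scenario(setting, SAMPLE)
        print(f"syn_check={setting}: {verdicts}")
        print("  one-sided non-SYN sessions:", one_sided_non_syn_sessions(table))
```

Running the script shows the trade-off the thread is circling: with `syn_check=True` the stray ACK is dropped outright, while with `syn_check=False` it opens a session entry that never sees its reply, and the audit helper is what surfaces it.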


More information about the juniper-nsp mailing list