[j-nsp] Netscreen Firewalls and TCP States/Bypass
Stephan Tesch
stephan at tesch.cx
Tue Sep 20 06:07:17 EDT 2011
On Tue, 20 Sep 2011 08:31:33 +0100, Phil Mayers wrote:
>> 'unset flow tcp-syn-check' is what you want but unfortunately it is
>> a global setting, so all or nothing...
>
> Are you sure? I don't think that's what he wants; as suggested by the
> name, this relaxes the requirement for the 1st packet to be a
> syn/syn+ack pair, but the firewall will still expect to see both
> sides of the flow IIRC; in a previous iteration of our network, we were
> prone to asymmetric routing causing our firewalls problems, and we've
> run with "unset flow tcp-syn-" from day one.
We had this (unset flow tcp-syn-check) running on a large cluster the
other day, and once we turned the flow feature on, some dual-homed hosts
stopped working due to incorrect routing tables. Up to that point our
cluster only saw one side of the connection, without any problems. That
was ScreenOS 5.4 (back in the day). I don't know if this has changed
in the 6.x line; we haven't turned it off since :)
best regards,
Stephan
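An added example, not from this thread and not Juniper's code: a toy Python session table that models the one point both posts agree on, namely that tcp-syn-check makes the firewall refuse to create a session whose first packet is not a bare SYN, and shows what happens under each setting when the firewall only sees one direction of an already established flow (the asymmetric-routing case). The addresses, ports, packet list and class/function names are constructed for the example; the model deliberately ignores real ScreenOS session ageing, teardown and the "both sides" question Phil raises.

```python
"""Toy stateful session table with a switchable SYN check.

This is a constructed model for illustration, not ScreenOS code. It only
captures one rule: with syn_check on, a packet that does not match an
existing session is dropped unless it is a bare SYN.
"""
from dataclasses import dataclass, field

# TCP flag bits (standard values)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass
class Firewall:
    syn_check: bool = True
    sessions: set = field(default_factory=set)
    dropped: list = field(default_factory=list)

    @staticmethod
    def _key(p: Packet):
        # Direction-independent 4-tuple so that both halves of a flow
        # look up the same session entry.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def forward(self, p: Packet) -> bool:
        """Return True if the packet is forwarded, False if dropped."""
        k = self._key(p)
        if k in self.sessions:
            return True  # mid-session packet, always allowed in this model
        bare_syn = bool(p.flags & SYN) and not (p.flags & ACK)
        if self.syn_check and not bare_syn:
            # The tcp-syn-check rule: a new session must start with a SYN.
            self.dropped.append(p)
            return False
        self.sessions.add(k)
        return True


def asymmetric_scenario(syn_check: bool) -> dict:
    """Constructed traffic: the firewall first sees only the server->client
    half of a flow that was established elsewhere (e.g. the other path of an
    asymmetric route), then a fresh three-way handshake it sees in full."""
    fw = Firewall(syn_check=syn_check)
    midstream = [
        Packet("10.0.0.5", 443, "192.0.2.10", 50000, ACK | PSH),
        Packet("10.0.0.5", 443, "192.0.2.10", 50000, ACK),
    ]
    new_conn = [
        Packet("192.0.2.20", 51000, "10.0.0.5", 443, SYN),
        Packet("10.0.0.5", 443, "192.0.2.20", 51000, SYN | ACK),
        Packet("192.0.2.20", 51000, "10.0.0.5", 443, ACK),
    ]
    return {
        "midstream_forwarded": sum(fw.forward(p) for p in midstream),
        "new_forwarded": sum(fw.forward(p) for p in new_conn),
        "dropped": len(fw.dropped),
    }


if __name__ == "__main__":
    for setting in (True, False):
        print("syn_check =", setting, asymmetric_scenario(setting))
```

With syn_check on, the two mid-stream packets never match a session and are not bare SYNs, so both are dropped while the fully seen handshake still passes; with it off, the first mid-stream ACK creates the session and everything is forwarded. That is the all-or-nothing trade-off the thread is discussing: the setting is global, so relaxing it for the asymmetric flows relaxes it for every flow.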