[j-nsp] Netscreen Firewalls and TCP States/Bypass

Josh Farrelly josh at base-2.co.nz
Tue Sep 20 06:27:53 EDT 2011


Hi there.

Removing this option seems to have solved our issue.

Thanks,

Josh.

-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers
Sent: Tuesday, 20 September 2011 19:32
To: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Netscreen Firewalls and TCP States/Bypass

On 09/20/2011 04:06 AM, Stefan Fouant wrote:
> 'unset flow tcp-syn-check' is what you want but unfortunately it is a
> global setting, so all or nothing...

Are you sure? I don't think that's what he wants; as suggested by the
name, this relaxes the requirement for the 1st packet to be a
syn/syn+ack pair, but the firewall will still expect to see both sides
of the flow IIRC; in a previous iteration of our network, we were prone
to asymmetric routing causing our firewalls problems, and we've run with
"unset flow tcp-syn-" from day one.

It is possible I am mis-remembering it of course...
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
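To make the trade-off discussed in this thread concrete, here is an added toy model of a stateful firewall's TCP session table (illustration only, not ScreenOS code or anything from the list): with the SYN check on, a packet that matches no session and is not a SYN is dropped; with it off, any TCP packet can open a session, which is what lets traffic arriving over an asymmetric path (or injected mid-stream) through. The packets, addresses and the `Firewall`/`Packet` classes are all constructed for the example.

```python
# Added illustration (not ScreenOS code): a toy stateful-firewall session
# table showing what 'unset flow tcp-syn-check' gives up. With the check on,
# a TCP packet that matches no session and lacks SYN is dropped; with it off,
# any packet can open a session, so mid-stream or asymmetric-path traffic is
# accepted. All packets are constructed sample data.
from dataclasses import dataclass, field

SYN, ACK = 0x02, 0x10

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

@dataclass
class Firewall:
    tcp_syn_check: bool = True               # on by default, per the thread
    sessions: set = field(default_factory=set)

    def _key(self, p: Packet):
        # Order the endpoints so both directions map to one session entry.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def handle(self, p: Packet) -> str:
        key = self._key(p)
        if key in self.sessions:
            return "pass"                    # part of a known session
        if self.tcp_syn_check and not p.flags & SYN:
            return "drop"                    # first packet must be a SYN
        self.sessions.add(key)               # open a new session
        return "pass"

def run(packets, tcp_syn_check: bool):
    fw = Firewall(tcp_syn_check=tcp_syn_check)
    return [fw.handle(p) for p in packets]

# Constructed sample: a proper three-way handshake, then a stray ACK from a
# connection whose SYN the firewall never saw (e.g. an asymmetric path).
HANDSHAKE = [
    Packet("10.0.0.5", 40000, "192.0.2.10", 443, SYN),
    Packet("192.0.2.10", 443, "10.0.0.5", 40000, SYN | ACK),
    Packet("10.0.0.5", 40000, "192.0.2.10", 443, ACK),
]
MIDSTREAM = [Packet("198.51.100.7", 51515, "192.0.2.10", 443, ACK)]
```

Running `run(HANDSHAKE + MIDSTREAM, True)` drops the final stray ACK while `run(HANDSHAKE + MIDSTREAM, False)` passes everything, which is the whole-box relaxation the thread calls "all or nothing".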
