[j-nsp] Netscreen Firewalls and TCP States/Bypass
Phil Mayers
p.mayers at imperial.ac.uk
Tue Sep 20 07:25:46 EDT 2011
On 20/09/11 11:07, Stephan Tesch wrote:
> On Tue, 20 Sep 2011 08:31:33 +0100, Phil Mayers wrote:
>
>>> 'unset flow tcp-syn-check' is what you want but unfortunately it is a
>>> global setting, so all or nothing...
>>
>> Are you sure? I don't think that's what he wants; as suggested by the
>> name, this relaxes the requirement for the 1st packet to be a
>> syn/syn+ack pair, but the firewall will still expect to see both sides
>> of the flow IIRC; in a previous iteration of our network, we were
>> prone to asymmetric routing causing our firewalls problems, and we've
>> run with "unset flow tcp-syn-" from day one.
>
> We had this (unset flow typ-syn-check) running on a large cluster the
> other day and once we turned the flow feature on, some dual-homed hosts
> stopped working due to incorrect routing tables. Up to that point our
> cluster only saw one side of the connection, without any problems. That
> has been ScreenOS 5.4 (back in the days). Don't know if this has changed
> in the 6.x line, we haven't turned it off since :)
Sounds like I'm wrong and Stefan (and Stephan) are right!
More information about the juniper-nsp
mailing list