[j-nsp] DNS signed zone and IP Fragments
Philip Palanchi
palanchi at rutgers.edu
Tue May 1 16:28:17 EDT 2012
I'm looking for a firewall packet filter to deal with IP Fragments as described in the link below.
https://lists.isc.org/pipermail/bind-users/2010-February/078917.html
We run a pair of MX240s with 10.1R3.7 at the edge, running stateless firewall filters inbound on Internet handoffs allowing certain TCP and UDP ports. I'm having a problem with non-initial fragments not getting through. We have a temporary workaround, but it is not a global solution at all.
I was thinking that firewall filter processing for fragments such as the one below could be a solution, but it's scary to open the floodgates. Interested to hear how others have dealt with this. Any thoughts?
term ip-fragments-1 {
    from {
        first-fragment;
    }
    then policer IP-FRAG-Policer;
}
term ip-fragments-2 {
    from {
        fragment-offset 64-8191;
    }
    then policer IP-FRAG-Policer;
}
policer IP-FRAG-Policer {
    filter-specific;
    if-exceeding {
        bandwidth-limit 8k;
        burst-size-limit 1500;
    }
    then discard;
}
Thanks,
Phil
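A Python model of the two filter orderings, added here as an illustration and not part of the original post or of any Junos code. It assumes the existing port term is "protocol udp; source-port 53" (the post only says "certain tcp and udp ports"), that port matches need the transport header, which only the first fragment carries, and that a Junos term whose only action is a policer accepts the packet subject to that policer.

```python
import struct

UDP = 17

def build_ipv4(offset_units, more_frags, payload, proto=UDP):
    """Minimal IPv4 header (no options) in front of payload; offset in 8-byte units."""
    flags_frag = (0x2000 if more_frags else 0) | (offset_units & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                       64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])) + payload

def parse_ipv4(pkt):
    """Fields a stateless filter can see. Ports exist only when the UDP header is in this fragment."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    f = {"mf": bool(flags_frag & 0x2000), "offset": flags_frag & 0x1FFF,
         "proto": pkt[9], "sport": None, "dport": None}
    if f["offset"] == 0 and f["proto"] == UDP and len(pkt) >= ihl + 8:
        f["sport"], f["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return f

def port_only_filter(f):
    """Assumed existing filter: one term accepting UDP source port 53, implicit discard otherwise."""
    if f["proto"] == UDP and f["sport"] == 53:
        return "accept"
    return "discard"

def fragment_aware_filter(f):
    """Proposed filter: the two fragment terms placed before the port term. A term whose only
    action is a policer accepts the packet (rate-limited), modelled here as 'accept-policed'."""
    if f["offset"] == 0 and f["mf"]:       # term ip-fragments-1: first-fragment
        return "accept-policed"
    if 64 <= f["offset"] <= 8191:          # term ip-fragments-2: fragment-offset 64-8191
        return "accept-policed"
    return port_only_filter(f)             # trailing fragments with offset 1-63 end up here

def evaluate(filter_fn, fragments):
    return [filter_fn(parse_ipv4(p)) for p in fragments]

# Constructed sample: a DNSSEC-sized UDP reply from port 53 split at a 1500-byte MTU.
# Fragment 1 carries the UDP header (sport 53) plus 1472 payload bytes; fragment 2 starts
# at byte 1480 (fragment offset 185) and carries no UDP header at all.
UDP_HDR = struct.pack("!HHHH", 53, 40000, 8 + 2000, 0)
DNS_REPLY_FRAGMENTS = [build_ipv4(0, True, UDP_HDR + b"\x00" * 1472),
                       build_ipv4(185, False, b"\x00" * 528)]

if __name__ == "__main__":
    print("port-only     :", evaluate(port_only_filter, DNS_REPLY_FRAGMENTS))
    print("fragment-aware:", evaluate(fragment_aware_filter, DNS_REPLY_FRAGMENTS))
```

The port-only ordering discards the second fragment because it has no port to match, which is the symptom in the post; the fragment-aware ordering passes it, but it also passes any first fragment regardless of port, rate-limited only by the policer, which is the floodgate concern.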